http://bugs.winehq.org/show_bug.cgi?id=12302
--- Comment #60 from Daniel Santos daniel.santos@pobox.com 2008-07-11 17:05:33 ---
I've been reading up on netfilter and it appears that the best way to do this nowadays is via the netfilter_queue (http://www.netfilter.org/projects/libnetfilter_queue/index.html) library, and it can be done entirely in userspace! :) Of course, it will have to be run as root, but I like this better than mucking around in kernel space, and it requires less peer review and scrutiny. There is an example program in the utils directory of the source package and I've been playing with it a little thus far. There's not much documentation out for this, and what is out there is mostly out of date :( but it's been a nice learning experience.
So in summary, this should supersede the need to call ipfilter and write a netfilter module. Instead, there will be a program that runs in user space as root that will kill the packets via the netfilter_queue API. Additionally, it should be possible to write this program so that it can have the switch-user bit set and be executed by a non-super-user and have it affect only their network traffic, since the netfilter_queue API supports filtering by the user or group of the app that created the packet. The only other problem I haven't figured out yet is how to make sure that it's friendly towards two instances running on the same machine, as the wine dll hack currently is, as I haven't yet discovered a way to filter by process ID of the app that created the traffic.
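The user-space filter the comment describes, as an added illustration that is not code from the bug thread or from Wine: a minimal libnetfilter_queue program that receives packets from queue 0, looks up the uid that owns the sending socket, and drops packets for one configured uid while accepting everything else. The matching firewall rule is assumed to be something like `iptables -A OUTPUT -m owner --uid-owner <uid> -j NFQUEUE --queue-num 0` (the owner match only applies to locally generated packets, so this goes in OUTPUT). The `nfq_get_uid()` call is a later addition to the library (1.0.2 and up), so on the 2008-era version discussed in the thread the per-user selection has to come entirely from the iptables rule. The decision function is kept separate from the library plumbing so it builds and runs without the netfilter headers; compile with `-DUSE_NFQ -lnetfilter_queue` (and run as root) to get the real filter loop.

```c
/* Added example: user-space packet filter using libnetfilter_queue.
 * Build for real use:   gcc -DUSE_NFQ filter.c -o filter -lnetfilter_queue
 * Build decision logic: gcc filter.c -o filter
 */
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/socket.h>

#ifdef USE_NFQ
#include <arpa/inet.h>
#include <linux/netfilter.h>                         /* NF_DROP / NF_ACCEPT */
#include <libnetfilter_queue/libnetfilter_queue.h>
#endif

/* Verdict values as defined in <linux/netfilter.h>; repeated here so the
 * decision function compiles on a box without kernel or netfilter headers. */
#ifndef NF_DROP
#define NF_DROP   0
#define NF_ACCEPT 1
#endif

/* Pure decision: drop a packet only when the kernel told us who owns the
 * sending socket and that owner is the uid we were asked to filter.
 * Packets without ownership info (forwarded traffic, some replies) pass. */
int verdict_for_uid(uint32_t packet_uid, int have_uid, uint32_t target_uid)
{
    if (!have_uid)
        return NF_ACCEPT;
    return packet_uid == target_uid ? NF_DROP : NF_ACCEPT;
}

#ifdef USE_NFQ
struct filter_cfg { uint32_t target_uid; };

/* Called once per queued packet; must issue exactly one verdict per packet id. */
static int on_packet(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
                     struct nfq_data *nfa, void *data)
{
    struct filter_cfg *cfg = data;
    struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfa);
    uint32_t id = ph ? ntohl(ph->packet_id) : 0;
    uint32_t uid = 0;
    int have_uid = nfq_get_uid(nfa, &uid);   /* 1 if the uid attribute was attached */
    (void)nfmsg;
    return nfq_set_verdict(qh, id, verdict_for_uid(uid, have_uid, cfg->target_uid), 0, NULL);
}

int main(int argc, char **argv)
{
    /* Target uid from argv[1], defaulting to the invoking user (hypothetical CLI). */
    struct filter_cfg cfg = { argc > 1 ? (uint32_t)strtoul(argv[1], NULL, 10) : getuid() };
    char buf[65536];
    ssize_t rv;

    struct nfq_handle *h = nfq_open();
    if (!h) { perror("nfq_open"); return 1; }
    nfq_unbind_pf(h, AF_INET);                 /* older kernels need this before bind */
    if (nfq_bind_pf(h, AF_INET) < 0) { perror("nfq_bind_pf"); return 1; }

    /* Queue number 0 must match --queue-num in the NFQUEUE rule. */
    struct nfq_q_handle *qh = nfq_create_queue(h, 0, &on_packet, &cfg);
    if (!qh) { perror("nfq_create_queue"); return 1; }
    if (nfq_set_mode(qh, NFQNL_COPY_PACKET, 0xffff) < 0) { perror("nfq_set_mode"); return 1; }

    int fd = nfq_fd(h);
    while ((rv = recv(fd, buf, sizeof buf, 0)) >= 0)
        nfq_handle_packet(h, buf, (int)rv);    /* dispatches to on_packet() */

    nfq_destroy_queue(qh);
    nfq_close(h);
    return 0;
}
#else
int main(void)
{
    fprintf(stderr, "built without -DUSE_NFQ: only verdict_for_uid() is available\n");
    return 0;
}
#endif
```

Two points worth keeping in mind with this design: while the program is running, any packet the NFQUEUE rule sends to queue 0 is held until a verdict is issued, so if the process dies or stalls the kernel's default for an unserviced queue applies (drop, unless the rule uses `--queue-bypass`), and the verdict callback must answer every packet id it receives. Restricting the rule with `-m owner` also means that a setuid build of this program only ever sees the traffic of the user it was given, which is the property the comment is after.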