diff -r b4e2f62f737e cpu.c
--- a/cpu.c	Fri Jun 21 23:08:33 2013 +0200
+++ b/cpu.c	Tue Aug 06 00:00:00 2013 +0200
@@ -34,6 +34,9 @@
 static char	*srvname = "ncpu";
 static char	*ealgs = "rc4_256 sha1";
 
+char *filterp;
+char *aan = "/usr/local/plan9/bin/aan";
+
 /* message size for exportfs; may be larger so we can do big graphics in CPU window */
 static int	msgsize = Maxfdata+IOHDRSZ;
 
@@ -43,6 +46,8 @@
 static int	p9auth(int);
 static int	srvp9auth(int, char*);
 
+static int	filter(int, char*, char*);
+
 char *authserver;
 
 typedef struct AuthMethod AuthMethod;
@@ -156,6 +161,9 @@
 	case 'u':
 		user = EARGF(usage());
 		break;
+	case 'p':
+		filterp = aan;
+		break;
 	default:
 		usage();
 	}ARGEND;
@@ -247,15 +255,15 @@
 	char msg[MaxStr];
 	int n;
 
-	na = netmkaddr(host, "tcp", "17010");
+	na = netmkaddr(host, "tcp", "17011");
 	if((*fd = dial(na, 0, dir, 0)) < 0)
 		return "can't dial";
 
 	/* negotiate authentication mechanism */
 	if(ealgs != nil)
-		snprint(msg, sizeof(msg), "%s %s", am->name, ealgs);
+		snprint(msg, sizeof(msg), "%s %s %s", filterp? "aan": "nofilter", am->name, ealgs);
 	else
-		snprint(msg, sizeof(msg), "%s", am->name);
+		snprint(msg, sizeof(msg), "%s %s", filterp? "aan": "nofilter", am->name);
 	writestr(*fd, msg, negstr, 0);
 	n = readstr(*fd, err, sizeof err);
 	if(n < 0)
@@ -395,6 +403,9 @@
 	mksecret(fromclientsecret, digest);
 	mksecret(fromserversecret, digest+10);
 
+	if (filterp)
+		fd = filter(fd, filterp, system);
+
 	/* set up encryption */
 	i = pushssl(fd, ealgs, fromclientsecret, fromserversecret, nil);
 	if(i < 0)
@@ -729,3 +740,52 @@
 }
 
 */
+
+
+/* Network on fd1, mount driver on fd0 */
+int
+filter(int fd, char *cmd, char *host)
+{
+	int p[2], len, argc;
+	char newport[256], buf[256], *s;
+	char *argv[16], *file, *pbuf;
+
+	if ((len = read(fd, newport, sizeof newport - 1)) < 0)
+		sysfatal("filter: cannot write port; %r");
+	newport[len] = '\0';
+
+	if ((s = strchr(newport, '!')) == nil)
+		sysfatal("filter: illegally formatted port %s", newport);
+
+	strecpy(buf, buf+sizeof buf, netmkaddr(host, "tcp", "0"));
+	pbuf = strrchr(buf, '!');
+	strecpy(pbuf, buf+sizeof buf, s);
+
+	argc = 0;
+	argv[argc++] = cmd;
+	argv[argc++] = "-c";
+	argv[argc++] = buf;
+	argv[argc] = nil;
+	file = argv[0];
+	if (s = strrchr(argv[0], '/'))
+		argv[0] = s+1;
+
+	if(pipe(p) < 0)
+		sysfatal("pipe: %r");
+
+	switch(fork()) {
+	case -1:
+		sysfatal("fork record module: %r");
+	case 0:
+		dup(p[0], 1);
+		dup(p[0], 0);
+		close(p[0]);
+		close(p[1]);
+		execv(file, argv);
+		sysfatal("exec record module: %r");
+	default:
+		close(fd);
+		close(p[0]);
+	}
+	return p[1];
+}