I am trying to provide the ability to intercept network connections originating from, and coming into, Linux machines at various stages of the network connection's life-cycle.
These stages include the following:
1. Just before an outbound network connection is made - i.e. when the first SYN packet is sent out.
2. Just after an outbound network connection is established.
3. Just after the connection is terminated.
4. When an inbound connection is established - i.e. when the first SYN packet is received from outside.
For the above requirements, I was evaluating netfilter_queue to get the packets into user space and then decide the verdict on whether to allow or drop the packet.
My main concern here is that once I am done with the netfilter_queue registration, I'll start getting all the packets. But I am only interested in control packets and don't want data packets to be sent to user space.
So, my question is: is there any existing way to tell the netfilter_queue kernel module to send only the control packets and not the data packets? Also, would it be possible to get notified about connection establishment and termination?
If there is no ready way to achieve the above, then would it make sense to modify libnetfilter_queue and the netfilter_queue kernel module to provide only control packets depending upon the config mode set,
i.e. introducing NFQNL_COPY_CONTROL_PACKET for copying only control packets to user space?
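As an added example (not part of the original question, and not code from the netfilter project), the following C program shows the two halves of the approach the question describes: the iptables rules in the header comment (assumed, using the standard `--tcp-flags` match) keep plain data segments out of the queue on the kernel side, and `classify_segment()` does in user space what a netfilter_queue callback would do with the payload it receives from `nfq_get_payload()`: map TCP flags onto the four life-cycle stages listed above and return an NF_ACCEPT/NF_DROP style verdict. The deny-listed port, the addresses and the packets built by `build_packet()` are constructed test data; the program is self-contained and does not link against libnetfilter_queue.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Kernel-side pre-filter (assumed iptables rules, not from the original post):
 * only segments that carry SYN, FIN or RST are queued, so data and pure-ACK
 * segments never leave the kernel.
 *   iptables -A OUTPUT -p tcp ! --tcp-flags SYN,FIN,RST NONE -j NFQUEUE --queue-num 0
 *   iptables -A INPUT  -p tcp ! --tcp-flags SYN,FIN,RST NONE -j NFQUEUE --queue-num 0
 */

enum tcp_event {
    EV_NOT_TCP = 0,  /* not IPv4/TCP, or truncated */
    EV_SYN,          /* SYN without ACK: new connection attempt (stages 1 and 4) */
    EV_SYN_ACK,      /* SYN+ACK: peer accepted, connection being established (stage 2) */
    EV_FIN,          /* FIN: orderly termination (stage 3) */
    EV_RST,          /* RST: abortive termination or refusal (stage 3) */
    EV_DATA          /* anything else: data or pure ACK */
};

#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_ACK 0x10

/* Verdict values mirror NF_DROP / NF_ACCEPT from <linux/netfilter.h>. */
#define VERDICT_DROP   0
#define VERDICT_ACCEPT 1

/* Constructed egress policy: drop new outbound connections to this port. */
#define DENIED_DST_PORT 23

/* Classify a raw IPv4 packet by its TCP flags; optionally return the
 * destination port through *dport. Bounds-checked so a truncated payload
 * cannot be read past its end. */
enum tcp_event classify_segment(const uint8_t *pkt, size_t len, uint16_t *dport)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return EV_NOT_TCP;
    size_t ip_hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (ip_hlen < 20 || len < ip_hlen + 20 || pkt[9] != 6 /* IPPROTO_TCP */)
        return EV_NOT_TCP;
    const uint8_t *tcp = pkt + ip_hlen;
    if (dport)
        *dport = (uint16_t)((tcp[2] << 8) | tcp[3]);
    uint8_t flags = tcp[13];
    if (flags & TCP_RST) return EV_RST;
    if (flags & TCP_FIN) return EV_FIN;
    if ((flags & (TCP_SYN | TCP_ACK)) == TCP_SYN) return EV_SYN;
    if ((flags & (TCP_SYN | TCP_ACK)) == (TCP_SYN | TCP_ACK)) return EV_SYN_ACK;
    return EV_DATA;
}

/* Human-readable stage name, matching the four stages in the question. */
const char *stage_name(enum tcp_event ev, int outbound)
{
    switch (ev) {
    case EV_SYN:     return outbound ? "outbound connection attempt" : "inbound connection attempt";
    case EV_SYN_ACK: return "connection established";
    case EV_FIN:     return "connection terminated (FIN)";
    case EV_RST:     return "connection terminated (RST)";
    case EV_DATA:    return "data segment";
    default:         return "not TCP";
    }
}

/* Verdict: only new outbound attempts are subject to policy; everything
 * else (including teardown packets) is let through. */
int decide_verdict(enum tcp_event ev, uint16_t dport, int outbound)
{
    if (ev == EV_SYN && outbound && dport == DENIED_DST_PORT)
        return VERDICT_DROP;
    return VERDICT_ACCEPT;
}

/* Build a minimal constructed IPv4+TCP packet (20+20 bytes, no options,
 * checksums left zero) so the classifier can be exercised offline. */
size_t build_packet(uint8_t *buf, uint8_t tcp_flags, uint16_t dport)
{
    memset(buf, 0, 40);
    buf[0] = 0x45;                 /* IPv4, IHL = 5 (20 bytes) */
    buf[3] = 40;                   /* total length */
    buf[8] = 64;                   /* TTL */
    buf[9] = 6;                    /* protocol = TCP */
    buf[12] = 10; buf[15] = 1;     /* src 10.0.0.1 (constructed) */
    buf[16] = 10; buf[19] = 2;     /* dst 10.0.0.2 (constructed) */
    uint8_t *tcp = buf + 20;
    tcp[0] = 0xc0;                 /* source port 49152 */
    tcp[2] = (uint8_t)(dport >> 8); tcp[3] = (uint8_t)(dport & 0xff);
    tcp[12] = 0x50;                /* data offset = 5 (20 bytes) */
    tcp[13] = tcp_flags;
    return 40;
}

/* Run the classifier over constructed packets; returns the number of
 * mismatches (0 means every packet landed on the expected stage). */
int run_self_check(void)
{
    uint8_t b[40]; uint16_t p = 0; int bad = 0;
    size_t n = build_packet(b, TCP_SYN, 443);
    bad += classify_segment(b, n, &p) != EV_SYN || p != 443;
    n = build_packet(b, TCP_SYN | TCP_ACK, 443);
    bad += classify_segment(b, n, NULL) != EV_SYN_ACK;
    n = build_packet(b, TCP_ACK, 443);
    bad += classify_segment(b, n, NULL) != EV_DATA;
    n = build_packet(b, TCP_FIN | TCP_ACK, 443);
    bad += classify_segment(b, n, NULL) != EV_FIN;
    n = build_packet(b, TCP_RST, 443);
    bad += classify_segment(b, n, NULL) != EV_RST;
    bad += classify_segment(b, 10, NULL) != EV_NOT_TCP;   /* truncated */
    return bad;
}

int main(void)
{
    uint8_t b[40]; uint16_t p;
    uint8_t flags[] = { TCP_SYN, TCP_SYN | TCP_ACK, TCP_ACK, TCP_FIN | TCP_ACK };
    for (size_t i = 0; i < sizeof flags; i++) {
        size_t n = build_packet(b, flags[i], i == 0 ? DENIED_DST_PORT : 443);
        enum tcp_event ev = classify_segment(b, n, &p);
        printf("%-28s dport=%u verdict=%s\n", stage_name(ev, 1), p,
               decide_verdict(ev, p, 1) == VERDICT_ACCEPT ? "ACCEPT" : "DROP");
    }
    return run_self_check();
}
```

In a real queue handler the same `classify_segment()` call would sit inside the `nfq_callback` and its result would be passed to `nfq_set_verdict()`; the kernel-side `--tcp-flags` rules are what keep the data segments from being copied to user space in the first place, which is the effect the question is asking for without a kernel module change.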