Check pf-diverters [1]. We are using them in our OpenBSD firewalls in order to block unwanted connections.

[1] https://github.com/echothrust/pf-diverters
There is a similar feature in Linux which I've used a number of times over the years to simulate various network problems, and to modify packets flowing through my router in interesting ways.

You can select packets to be sent to userspace with the "-j QUEUE" iptables target handler, and then read those packets using libnetfilter.
Cool, I run a pf firewall but this was news to me.

Anyone have any idea of the performance overhead? (Not that it really matters for me, just curious)