I'm looking for a way to process packets in a Linux server in a particular fashion - I need to run some custom logic on every packet, then (possibly) take some actions on the packets and let the kernel route it as it wants. My specific use cases are:
- Catch IGMP packets (that are being passed inside a Linux bridge on my host) and validate their inner fields (multicast group and checksum) against some list of allowed values I have. If no match is found, drop the packet.
- When receiving an IPv6 packet (that's being routed via my Linux machine) compare the source address against some dictionary of "suspicious" addresses. If true, open the packet (up until HTTP headers and inside) and run some tests to make sure it's valid (e.g. verify port numbers, content length, headers structure).
- Upon capturing a TCP segment, check the number of flags enabled in it and if the number is greater than 5 send a copy of the packet to another destination (let's say, an IDS appliance) and forward the packet normally.
I've looked at some Linux utilities and tools such as tc, XDP, DPDK and other FD.io solutions (VPP), but could not find an easy way to work those technologies out in a simple fashion in order to achieve what I want. It's preferable if my validations and actions could run in a modern, flexible environment and code (not asking for Python or Java here, but bash would be preferable to some kernel-like C code).
What is the common way to implement such actions in a Linux machine? Any best practice or technology which allows all of the mentioned modifications and features in a programmatic way?
Cheers.
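Added example, not part of the original post and not code from any of the tools named in it: the validation logic for the IGMP and TCP cases written in plain Python, kept independent of the capture mechanism so it could be called from whatever hook is eventually chosen (for instance a userspace netfilter queue callback). The allowlist, the packet-building helpers and the port numbers are constructed assumptions.

```python
import struct

# Constructed allowlist of multicast groups, standing in for the asker's own list.
ALLOWED_GROUPS = {"239.1.1.1", "224.0.0.251"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def igmp_allowed(igmp: bytes) -> bool:
    """IGMPv2 message: type(1) max_resp(1) checksum(2) group(4).
    Accept only if the checksum verifies (the sum over the whole message,
    checksum field included, must come out as 0) and the group is allowlisted."""
    if len(igmp) < 8 or inet_checksum(igmp) != 0:
        return False
    group = ".".join(str(b) for b in igmp[4:8])
    return group in ALLOWED_GROUPS

def tcp_flag_count(tcp: bytes) -> int:
    """Number of flag bits set in a TCP header: the low 9 bits of the
    data-offset word (NS, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN)."""
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    return bin(struct.unpack("!H", tcp[12:14])[0] & 0x01FF).count("1")

def tcp_verdict(tcp: bytes, threshold: int = 5) -> str:
    """'mirror' = forward normally and also send a copy to the IDS; else 'forward'."""
    return "mirror" if tcp_flag_count(tcp) > threshold else "forward"

# Constructed test packets (hypothetical helpers, not real captures).
def build_igmp(msg_type: int, group: str) -> bytes:
    body = struct.pack("!BBH4s", msg_type, 0, 0, bytes(int(o) for o in group.split(".")))
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def build_tcp(flags: int) -> bytes:
    # sport, dport, seq, ack, (data offset 5 words | flags), window, checksum, urgent ptr
    return struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | flags, 65535, 0, 0)

if __name__ == "__main__":
    print(igmp_allowed(build_igmp(0x16, "239.1.1.1")))   # True
    print(igmp_allowed(build_igmp(0x16, "239.9.9.9")))   # False: not allowlisted
    print(tcp_verdict(build_tcp(0x3F)))                  # mirror (6 flags set)
    print(tcp_verdict(build_tcp(0x12)))                  # forward (SYN+ACK)
```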