I want to capture all TCP packets on port 80 that are going to a forward address and pass them into a user-space program for mangling. I know how to do this with an iptables rule such as
iptables -A FORWARD ... -j NFQUEUE --queue-num 10
but I can't seem to find any examples, and there is a time restriction, so I can't just sift through Wireshark code. I'm looking for examples, or even a place to start. Can I use sockets? Or is there a kernel data structure that I can use to pop packets off of the stack, and once I'm done, how can I pass the packets back to netfilter?
You can write a kernel module that registers for queued packets for a certain protocol. You can read the netfilter-hacking-HOWTO, page 25 has a section "Processing Queued Packets". This section discusses at a higher level but answers everything you asked.
Download it from: http://www.netfilter.org/documentation/index.html#documentation-howto
You can use nf_reinject() to let the packet get processed further.
I don't want to repeat whatever is in this guide but this should be enough to start with.
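For the user-space route the question actually asks about (rather than a kernel module), here is an added example that is not from the question or the answer above: a libnetfilter_queue consumer for queue 10 that parses each queued packet, checks that it is TCP to port 80, and hands it back to netfilter with a verdict. It assumes libnetfilter_queue is installed; the header check and constructed sample packet compile on their own, while the queue hookup is guarded by -DHAVE_NFQ and needs -lnetfilter_queue and root to run.

```c
/* Added example (not from the question or answer): user-space consumer for
 * "iptables -A FORWARD -p tcp --dport 80 -j NFQUEUE --queue-num 10" via
 * libnetfilter_queue. Queue hookup needs -DHAVE_NFQ -lnetfilter_queue. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* Return 1 if pkt holds an IPv4 TCP segment with destination port 80, else 0
 * (too short, not IPv4, not TCP, or another port). */
int is_tcp_to_port80(const unsigned char *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4)
        return 0;
    size_t ihl = (pkt[0] & 0x0f) * 4;             /* IPv4 header length in bytes */
    if (ihl < 20 || pkt[9] != 6 || len < ihl + 4)  /* protocol 6 = TCP */
        return 0;
    return ((pkt[ihl + 2] << 8) | pkt[ihl + 3]) == 80;
}
/* Constructed sample: 20-byte IPv4 header (proto 6) + 20-byte TCP SYN to port 80 */
const unsigned char SAMPLE_HTTP[40] = {
    0x45, 0, 0, 40, 0, 0, 0, 0, 64, 6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2,
    0xc3, 0x50, 0, 80, 0, 0, 0, 0, 0, 0, 0, 0, 0x50, 0x02, 0xff, 0xff, 0, 0, 0, 0 };
#ifdef HAVE_NFQ
#include <arpa/inet.h>
#include <sys/socket.h>
#include <linux/netfilter.h>                      /* NF_ACCEPT, NF_DROP */
#include <libnetfilter_queue/libnetfilter_queue.h>
/* Called once per queued packet: inspect it, then hand it back to netfilter
 * with a verdict. A mangled copy can be returned via the last two arguments. */
static int on_packet(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
                     struct nfq_data *nfa, void *ctx) {
    struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfa);
    uint32_t id = ph ? ntohl(ph->packet_id) : 0;
    unsigned char *data = NULL;
    int plen = nfq_get_payload(nfa, &data);
    if (plen > 0 && is_tcp_to_port80(data, (size_t)plen))
        printf("queued HTTP segment, %d bytes\n", plen);
    return nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); /* reinject unchanged */
}
int main(void) {
    struct nfq_handle *h = nfq_open();
    if (!h) { perror("nfq_open"); return 1; }
    nfq_unbind_pf(h, AF_INET); nfq_bind_pf(h, AF_INET);
    struct nfq_q_handle *qh = nfq_create_queue(h, 10, &on_packet, NULL);
    if (!qh || nfq_set_mode(qh, NFQNL_COPY_PACKET, 0xffff) < 0) return 1;
    char buf[65536]; int rv;
    while ((rv = recv(nfq_fd(h), buf, sizeof buf, 0)) >= 0)
        nfq_handle_packet(h, buf, rv);            /* dispatches to on_packet */
    nfq_destroy_queue(qh); nfq_close(h); return 0;
}
#endif
```

Returning NF_DROP instead of NF_ACCEPT discards the packet, and passing a modified buffer with its length as the last two arguments of nfq_set_verdict is how a mangled packet goes back into the stack.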