I'll have to do packet inspection, mangling, dropping and injection of packets on a Linux system. Ideally, this would be in user space and on IP packets and Ethernet frames, too.

Unfortunately, I cannot go OpenSource for this, which basically rules out any approach based on NFQUEUE and libnetfilter_queue, since all of netfilter (and their dog) is GPL only.

I thought about using TAP/TUN devices in parallel to controlling netfilter by simply calling iptables, but this seems to be messy at best...

So, are there any alternatives to netfilter?
I believe your issue is that libnetfilter is subject to the GPLv2 licence (not LGPL) and any project building on these would thus be subject to the GPLv2 licence too; this is what you want to avoid (I think).
An alternative would be to use a language binding which is not subject to the GPLv2 licence. One candidate would appear to be the Go bindings - see here for example, which appears to be under the Apache licence. I have obviously not checked the provenance of every file therein. Another way would be to divide your application into two - a small layer that communicates with Netfilter, communicating via (e.g.) an RPC interface with the rest of your application.
However, the last time I faced this, I used libpcap instead, which is BSD licensed. It's a little known fact that libpcap can send raw packets as well as receive them. However, it is much lower level than netfilter - you get raw packets and that's about it.