I'm looking for a linux utility that can alter the payloads of network packets based on a set of rules. Ideally, I'd use iptables and the netfilter kernel module, but they don't support generic payload mangling: iptables will alter various header fields (addresses, ports, TOS, etc), and it can match arbitrary bytes within a packet, but it apparently is unable to alter arbitrary data within the packet.

A kernel module would be a big plus, as efficiency is a concern, but I'm happy to explore any other options that would get the job done.

Thanks for your ideas!


Long-overdue Update:

We chose to use the NFQUEUE module, which is the latest implementation of the QUEUE modules that Robert Gamble suggested. It appeared to be fairly simple, with a safety bonus for allowing our code to run in user, not kernel, space.

The implementation would have been almost trivial if we'd simply wanted to alter the payload without changing its size. In that case, we'd define an iptables rule to select the "interesting" packets for us and send them to an NFQUEUE target. We'd write a callback function that would inspect the packets from NFQUEUE, modify the data as required, and recalculate the checksums in their TCP and IP headers.

However, our use case involves injecting additional characters into the data stream. This has the somewhat obvious side-effect of increasing the corresponding SEQ/ACK numbers in the TCP stream, and the not-so-obvious side-effect of confusing the conntrack module enough that it breaks NAT entirely. After a lot of research, head-scratching, and experimentation, the most expedient solution was to disable connection tracking for these particular packets (with the NOTRACK target in the raw table) and handle it in our callback. Save your tomatoes and hate mail; I'm not at all proud to let you under the hood, but it was the only way to get a reliable product to the customer before the next Ice Age. And it's a good story. But I truly appreciate, and share, your heartfelt sentiments.

Version 2 will leverage our newfound enlightenment by replacing our callback and several iptables rules with a custom NAT and/or conntrack helper. We're confident that the current exercise has given us enough experience to create a kernel module that will fit organically into the netfilter architecture to solve the problems we encountered.

Thanks again for your interest and suggestions!
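The packet-rewriting step the update describes (edit the payload, then recompute the IP and TCP checksums, and note that a size change shifts the flow's SEQ/ACK numbers) as an added, self-contained example; it is not code from the question, the answers or the NFQUEUE project. The packet below is constructed inline so the script runs offline; in a real deployment the bytes would arrive in the NFQUEUE callback, and the per-flow SEQ/ACK shift is left to the caller, as the update notes.

```python
import struct

def _csum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def _split(packet: bytes):
    """Return (ip_hdr, tcp_hdr, payload) for an IPv4/TCP packet."""
    if packet[0] >> 4 != 4 or packet[9] != 6:
        raise ValueError("expected an IPv4/TCP packet")
    ihl = (packet[0] & 0x0F) * 4
    end = ihl + (packet[ihl + 12] >> 4) * 4
    return bytearray(packet[:ihl]), bytearray(packet[ihl:end]), packet[end:]

def _pseudo(ip: bytearray, seg_len: int) -> bytes:  # src, dst, zero, proto 6, TCP length
    return bytes(ip[12:20]) + struct.pack("!BBH", 0, 6, seg_len)

def fix_checksums(packet: bytes) -> bytes:
    """Rewrite IP total length, IP header checksum and TCP checksum after a payload edit."""
    ip, tcp, payload = _split(packet)
    struct.pack_into("!H", ip, 2, len(ip) + len(tcp) + len(payload))
    struct.pack_into("!H", ip, 10, 0)
    struct.pack_into("!H", ip, 10, _csum(bytes(ip)))
    struct.pack_into("!H", tcp, 16, 0)
    seg = bytes(tcp) + payload
    struct.pack_into("!H", tcp, 16, _csum(_pseudo(ip, len(seg)) + seg))
    return bytes(ip) + bytes(tcp) + payload

def checksums_ok(packet: bytes) -> bool:
    """True when both checksums verify (the one's-complement sum folds to zero)."""
    ip, tcp, payload = _split(packet)
    seg = bytes(tcp) + payload
    return _csum(bytes(ip)) == 0 and _csum(_pseudo(ip, len(seg)) + seg) == 0

def inject_payload(packet: bytes, offset: int, extra: bytes) -> bytes:
    """Splice `extra` into the TCP payload at `offset`. The segment grows, so the
    caller must shift this flow's later SEQs and the peer's ACKs by len(extra)."""
    ip, tcp, payload = _split(packet)
    return fix_checksums(bytes(ip) + bytes(tcp) + payload[:offset] + extra + payload[offset:])

def sample_packet() -> bytes:
    """Constructed sample: IPv4/TCP 10.0.0.1:40000 -> 10.0.0.2:80 carrying b"hello"."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 1, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    return fix_checksums(ip + tcp + b"hello")
```

Because the packet is only re-validated, not tracked, conntrack still sees a length change it did not expect; that is the part the update handles with NOTRACK and per-flow state in the callback.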

+2  A: 

I haven't used it, but the QUEUE netfilter target looks like it might work. It uses a netlink socket and a userspace application registered to the socket to perform the payload modifications.

The libipq man page contains details on how to use this and provides a simple example.

Robert Gamble
+1 and a _very_ appreciative THANK YOU!
Adam Liss
No problem, I'm curious to know how well it works, be sure to let us know!
Robert Gamble
Promise. This also answers my "SNMP Payload Translation" question, updated accordingly.
Adam Liss
A: 

Resolution:

We ended up with a custom module for netfilter, which is clearly the "right" tool for the job.

Adam Liss
A: 

So what's the module and how fast is it?

Andrey