If you were to do this with the queue lib, then you'd actually have to
either let the client establish the connection OR fake that the connection
was established, before the HTTP request is sent for you to rule on.
Of course! I want my application to be totally transparent to the
client. The client will use a regular browser without any proxy, and I
won't inspect TCP handshake packets, only packets that look like HTTP
requests.
Also keep in mind that the servers/client might want to do a keep-alive or
long-lived HTTP session, with multiple HTTP requests. Keeping track of
that from an NFNetlink/Queue based interface would be hectic.
According to my tests and observations, most HTTP requests reside in a
single packet. For requests that span more than one packet, I'll start
tracking the session when I get a packet that looks like the beginning
of an HTTP request, and stop when I get the "Host" header.
For example:
3rd Packet: "GET /ver_long_uri\r\n"
It looks like the start of an HTTP request; start tracking.
4th Packet: "Host: ad-ware.domain\r\n\r\n"
I have URI+HOST; stop tracking.
In this case I won't have to keep track of the whole TCP session, only
what I need to get the URI and HOST.
This will allow me to process more packets with minimal session tracking.
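The minimal tracking described in the reply above, written out as an added example (not the poster's code and not tied to any NFQUEUE binding): a per-flow buffer that starts only when a segment looks like the beginning of an HTTP request, accumulates segments until the request line and the Host header have both arrived, returns the URI and host, and drops the flow state immediately. The flow key tuple, the 8 KiB buffer cap and the packet payloads are constructed for illustration; delivery of packets from NFQUEUE into feed() is assumed to happen elsewhere. The code also handles the cases the post does not spell out: a header split mid-name across two segments, a non-HTTP flow, and headers that end with no Host at all.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed example: minimal per-flow HTTP request tracking that keeps
# state only between "looks like a request" and "Host header seen".
# Not the poster's code; NFQUEUE plumbing is assumed to call feed().

METHODS = rb"(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH|TRACE|CONNECT)"
# A segment whose first bytes are a method and a space looks like a request start.
# (A request line split before the method name is not handled, matching the
# heuristic in the post.)
LOOKS_LIKE_START = re.compile(rb"^" + METHODS + rb" ")
# Full request line; the HTTP version is optional so the post's "GET /uri\r\n" also matches.
REQUEST_LINE = re.compile(rb"^" + METHODS + rb" (\S+)(?: HTTP/\d\.\d)?\r\n")
# Host header, only accepted once its terminating CRLF has arrived.
HOST_HEADER = re.compile(rb"\r\nHost:[ \t]*([^\r\n]+)\r\n", re.IGNORECASE)

MAX_BUFFER = 8192  # constructed cap: stop tracking a flow whose headers never end


@dataclass
class FlowState:
    buf: bytes = b""


class HttpRequestTracker:
    def __init__(self) -> None:
        # flow key -> buffered bytes; entries exist only while a request is being assembled
        self.flows: Dict[Tuple, FlowState] = {}

    def feed(self, flow: Tuple, payload: bytes) -> Optional[Tuple[str, str, str]]:
        """Feed one TCP segment payload for `flow`.

        Returns (method, uri, host) as soon as both the request line and the
        Host header are complete, and forgets the flow. Returns None otherwise.
        """
        state = self.flows.get(flow)
        if state is None:
            # Not tracking yet: ignore anything that does not look like a request start.
            if not LOOKS_LIKE_START.match(payload):
                return None
            state = FlowState()
            self.flows[flow] = state

        state.buf += payload
        if len(state.buf) > MAX_BUFFER:
            del self.flows[flow]  # runaway headers: give up rather than hold memory
            return None

        line = REQUEST_LINE.match(state.buf)
        if line is None:
            # The request line ends at the first CRLF; if one is present and the
            # line still did not match, this is not a well-formed request.
            if b"\r\n" in state.buf:
                del self.flows[flow]
            return None  # otherwise the request line is still arriving

        host = HOST_HEADER.search(state.buf)
        if host is None:
            if b"\r\n\r\n" in state.buf:
                del self.flows[flow]  # headers finished with no Host: nothing to rule on
            return None  # Host header not complete yet, keep buffering

        del self.flows[flow]  # URI and Host known: drop the session state
        return (
            line.group(1).decode("ascii"),
            line.group(2).decode("ascii", "replace"),
            host.group(1).strip().decode("ascii", "replace"),
        )


if __name__ == "__main__":
    tracker = HttpRequestTracker()
    flow = ("10.0.0.5", 51234, "203.0.113.7", 80)  # constructed flow key
    print(tracker.feed(flow, b"GET /ver_long_uri\r\n"))           # None, tracking
    print(tracker.feed(flow, b"Host: ad-ware.domain\r\n\r\n"))    # ('GET', '/ver_long_uri', 'ad-ware.domain')
    print(tracker.flows)                                          # {} (state released)
```

The flows dictionary is the only state, and every return path that ends a request removes its entry, so memory use is bounded by the number of requests currently mid-header rather than by the number of open TCP sessions.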