Like most good things in my life, this started out with me talking shit on the internet: https://twitter.com/TinkerFairy_Net/status/1366155380380889088

Sadly there's not enough free space in the IP packet to express "evil", "trans", and "demon" -- see https://tools.ietf.org/html/rfc3514 for more info. But the TCP header has those bits. Hopefully the IETF will recognize this soon.

Today is not the day I'm going to write a kernel module, so I thought the joke would end there. Then I remembered the Python module NetfilterQueue...

You'll need to install it with pip3, along with scapy. Do it in a virtualenv!

```
pip3 install -U git+https://github.com/kti/python-netfilterqueue
```

Then, for example, if you wanna set the experimental "evil", "trans", and "demon" bits on all your SSH sessions, apply this iptables rule and then run the Python code:

```
iptables -I OUTPUT 1 -m tcp --syn -p tcp --dport 22 -j NFQUEUE --queue-num 1
```

```python
#! /usr/bin/env python3
from netfilterqueue import NetfilterQueue
from scapy.all import IP, TCP


def print_and_accept(pkt):
    # Parse the queued packet's raw bytes as an IPv4 packet
    scapyPkt = IP(pkt.get_payload())
    if scapyPkt.haslayer(TCP):
        # Set the IP "evil" flag (OR it in, so an already-set bit
        # doesn't overflow the 3-bit flags field)
        scapyPkt[IP].flags = int(scapyPkt[IP].flags) | 4
        # Set the TCP "evil", "trans", and "demon" flags
        scapyPkt[TCP].reserved = 7
        # Ask scapy to recalculate the checksums
        scapyPkt[IP].chksum = None
        scapyPkt[TCP].chksum = None
        pkt.set_payload(bytes(scapyPkt))
    #print(pkt)
    # Hand the packet back to the kernel, modified or not
    pkt.accept()


nfqueue = NetfilterQueue()
# Queue number 1 matches --queue-num 1 in the iptables rule
nfqueue.bind(1, print_and_accept)
try:
    nfqueue.run()
except KeyboardInterrupt:
    print('')

nfqueue.unbind()
```
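To check from the receiving side that the bits arrived, here is a standard-library parser for raw IPv4 packets. It is an added example, not part of the original post: the function names are hypothetical and the sample packet is constructed. It follows scapy's layout (IP flags value 4 is the top bit of bytes 6-7; TCP `reserved` is the 3 bits after the data offset), and it also shows why the script above asks scapy to recalculate checksums.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum, as used by the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def inspect_packet(raw: bytes) -> dict:
    """Report the RFC 3514 bit, the TCP reserved bits and IP checksum validity."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("bad IPv4 header length")
    flags_frag = struct.unpack("!H", raw[6:8])[0]
    result = {
        "ip_evil": bool(flags_frag & 0x8000),   # reserved/"evil" bit
        "ip_checksum_ok": ones_complement_sum(raw[:ihl]) == 0xFFFF,
        "tcp_reserved": None,                   # None when there is no TCP header
    }
    # Protocol 6 is TCP; only the first fragment (offset 0) carries the
    # TCP header, and the reserved bits live in byte 12 of that header.
    if raw[9] == 6 and (flags_frag & 0x1FFF) == 0 and len(raw) >= ihl + 14:
        result["tcp_reserved"] = (raw[ihl + 12] >> 1) & 0x07
    return result

def build_sample(evil: bool, reserved: int) -> bytes:
    """Constructed 40-byte IPv4+TCP SYN to 192.0.2.2:22 (TCP checksum left 0)."""
    flags_frag = 0x8000 if evil else 0
    src, dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, flags_frag, 64, 6, 0, src, dst)
    csum = 0xFFFF - ones_complement_sum(hdr)    # checksum field was 0 above
    hdr = hdr[:10] + struct.pack("!H", csum) + hdr[12:]
    off_res = (5 << 4) | ((reserved & 0x07) << 1)
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 0, 0, off_res, 0x02, 64240, 0, 0)
    return hdr + tcp

if __name__ == "__main__":
    print(inspect_packet(build_sample(True, 7)))
    print(inspect_packet(build_sample(False, 0)))
```

Flipping the evil bit in a finished packet without recomputing the header checksum makes `ip_checksum_ok` come back `False`, which is the packet a receiver would drop.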