Abstract:
This paper presents a method, based on the Netfilter framework of the Linux kernel, for capturing or blocking network traffic according to rules. The system consists of two parts: a loadable kernel module and a user-space application. A Netlink socket is used to transmit commands between kernel space and user space, and memory mapping is used for the data exchange between the two. The system can be used for network content-based filtering, DPI (deep packet inspection), or an IDS (intrusion detection system) that applies a specific pattern-matching algorithm. Finally, blocking BitTorrent traffic is shown as an example to test the system, and achieves good results.
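As an added illustration (not the paper's code), the per-packet decision such a Netfilter hook would make for the BitTorrent example, modelled in user space so it runs without kernel headers: the locally defined verdict values, the constructed IPv4/TCP sample packet and the handshake-signature match are assumptions of this example, and in the real kernel module the hook would receive an sk_buff and return NF_ACCEPT or NF_DROP.

```c
#include <stddef.h>
#include <string.h>
/* Verdicts mirror NF_DROP (0) / NF_ACCEPT (1) from <linux/netfilter.h>, defined locally (assumption). */
enum { VERDICT_DROP = 0, VERDICT_ACCEPT = 1 };
/* A BitTorrent peer-wire handshake opens with pstrlen (19) followed by "BitTorrent protocol". */
static const unsigned char BT_HANDSHAKE[] = "\x13" "BitTorrent protocol";   /* 20 bytes */

/* Walk the IPv4 and TCP headers to find the TCP payload; returns -1 if not well-formed IPv4/TCP. */
static int tcp_payload(const unsigned char *pkt, size_t len, const unsigned char **payload)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;             /* IPv4 only */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;                  /* IP header length */
    size_t tot = ((size_t)pkt[2] << 8) | pkt[3];               /* IP total length */
    if (ihl < 20 || tot > len || tot < ihl + 20 || pkt[9] != 6) return -1;
    size_t doff = (size_t)(pkt[ihl + 12] >> 4) * 4;            /* TCP data offset */
    if (doff < 20 || ihl + doff > tot) return -1;
    *payload = pkt + ihl + doff;
    return (int)(tot - ihl - doff);
}

/* Per-packet decision the hook returns: drop a TCP segment whose payload opens with the
 * BitTorrent handshake, accept everything else (malformed packets fall through to accept). */
int bt_verdict(const unsigned char *pkt, size_t len)
{
    const unsigned char *payload;
    int plen = tcp_payload(pkt, len, &payload);
    if (plen >= (int)sizeof(BT_HANDSHAKE) - 1 && memcmp(payload, BT_HANDSHAKE, sizeof(BT_HANDSHAKE) - 1) == 0)
        return VERDICT_DROP;
    return VERDICT_ACCEPT;
}

/* Constructed packet: 20-byte IPv4 header + 20-byte TCP header (dst port 6881) + payload; returns its length. */
size_t build_sample_packet(unsigned char *buf, const unsigned char *payload, size_t plen)
{
    size_t tot = 40 + plen;
    const unsigned char ip[20]  = { 0x45, 0, (unsigned char)(tot >> 8), (unsigned char)tot,
                                    0, 0, 0x40, 0, 64, 6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2 };
    const unsigned char tcp[20] = { 0xc0, 0x00, 0x1a, 0xe1, 0, 0, 0, 0, 0, 0, 0, 0,
                                    0x50, 0x18, 0xff, 0xff, 0, 0, 0, 0 };
    memcpy(buf, ip, 20); memcpy(buf + 20, tcp, 20); memcpy(buf + 40, payload, plen);
    return tot;
}

/* Run the hook decision on a constructed packet carrying the given payload string (up to 88 bytes). */
int sample_verdict(const char *payload)
{
    unsigned char buf[128];
    return bt_verdict(buf, build_sample_packet(buf, (const unsigned char *)payload, strlen(payload)));
}
```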