Hmm, I checked the response header for Google and it’s not going to be that easy.
It sends response which just says the data will follow next in gzip compressed format so I will have to implement a compression library to check actual content.
You have given me an idea though. I will check outgoing packets for censored words and if any is found add the dest ip to a list. Then I can match incoming response packages to the list and inject them with redirect string and then remove the ip from the list again.
Does this sound right?