[squid-users] [NOC] Using Nfqueue or DAQ in squid

Amos Jeffries squid3 at treenet.co.nz
Tue Sep 11 18:55:09 UTC 2018


On 12/09/18 4:50 AM, morteza1131 wrote:
> I explained what I want before in my first mail, but to be clear:
> in my Linux iptables firewall I want to do iptables rules and controls
> in the forward chain and after that do HTTP filtering with squid. Because of
> that I need to change the netfilter packet flow and send packets to
> squid (app layer, user space) after the forward chain, and then get them back
> to kernel space to continue their way in the forward chain and then go out.
> Something like this:
> mangle:prerouting > nat:prerouting > filter:forward > squid >
> mangle:postrouting > nat:postrouting
> 
> I thought that nfqueue can help me, maybe there are other ways that I
> don't know!!
> 
> What do you think!?
> 


I think you are very much misunderstanding how netfilter/iptables is
designed.

Basically INPUT, FORWARD, OUTPUT - every packet goes through one of
them, and no packet ever goes through two.

Which chain applies is determined by where the packet is coming from,
and where it is going to - at the hardware / link layer. Though
PREROUTING rules can affect that decision.

Packets going through FORWARD are going pretty much directly from input
NIC to output NIC.


Depending on what your rules are intended to do they *should* be spread
across those tables. Your desire to put everything only in FORWARD is
leaving the INPUT and OUTPUT packets completely free.


If you want to continue to only filter packets in FORWARD instead of
packets actually entering and leaving the machine, then you will have to
redesign netfilter itself and possibly the hardware circuitry it uses
for FORWARD handling.

As you wrote above: "i need to change netfilter packet flow".

Squid has nothing to do with any of that level of packet handling. Once
a packet reaches any application layer software like Squid it ceases to
exist. Squid doesn't even get the packet header, just the payload -
streamed in with all the other packet payloads for that TCP connection.
So there is no re-processing of any packet; it's gone completely.


Amos