[squid-users] [NOC] Using Nfqueue or DAQ in squid

Amos Jeffries squid3 at treenet.co.nz
Wed Sep 12 07:44:58 UTC 2018


On 12/09/18 7:17 AM, morteza1131 wrote:
> Thanks for your response.
> I totally understand how iptables work.

Then you should already know very well the answers to all these
questions you ask, including why Squid cannot do what you want. Are you
attempting to troll?


> are you familiar with snort!?

I am relatively familiar with snort - what it does and its limitations.
I was working with the Netfilter dev team to get TPROXY working when
NFQUEUE and related features were being designed and implemented.


> With the advantages of DAQ and NFQUEUE they do those things that I want to do.
> Snort gets packets (packets that must be forwarded) from kernel space and
> gets them back to kernel space. It works without any changes in packet
> flow with only one NFQUEUE rule in iptables.

If you are totally familiar with iptables, then you know the statement
"get them back to kernel space" you used above is false. NFQUEUE only
receives a 32-bit integer verdict on whether the packet is to be
discarded or queued with the given delay (hint is in the name).


> I want to change the source code of Squid to do what Snort does.
> But you said that is not possible, why!?

I have answered that question thrice now. Because IP protocol is not
HTTP protocol. Network layer is not Application layer.

 Snort is network layer software for handling IP protocol.

 Squid is application layer software for handling HTTP protocol.

Completely and utterly different requirements and limitations. For
example: "packet" is a completely unknown/foreign concept to Squid.

PS. please keep the users mailing list in your replies.


Amos
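To make the two points above concrete (the kernel hands an NFQUEUE program a raw IP packet and gets back only a 32-bit verdict word; the program sees IP/TCP header fields, not HTTP requests), here is an added example that is not part of this thread and not Squid or Snort code. It models the NFQUEUE verdict contract without using libnetfilter_queue, so it compiles stand-alone; the verdict constants and the queue-number encoding follow `<linux/netfilter.h>`. The `decide_verdict` policy (accept TCP to one allowed destination port, drop everything else) and the two packet buffers are constructed for the example.

```c
/* Added example: a stand-alone model of the NFQUEUE userspace contract.
 * Real programs receive the packet and return the verdict through
 * libnetfilter_queue (nfq_set_verdict()); here the verdict encoding and a
 * minimal IPv4/TCP header parse are written out inline so no library is
 * needed. Verdict values match <linux/netfilter.h>. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Base verdicts from <linux/netfilter.h>: the low 16 bits of the 32-bit word. */
#define NF_DROP          0
#define NF_ACCEPT        1
#define NF_STOLEN        2
#define NF_QUEUE         3
#define NF_REPEAT        4
#define NF_VERDICT_MASK  0x0000ffffu
#define NF_VERDICT_QBITS 16

/* NF_QUEUE verdict that hands the packet to another queue number: the queue
 * number lives in the upper 16 bits of the same 32-bit word. */
static uint32_t nf_queue_nr(uint16_t qnum) {
    return ((uint32_t)qnum << NF_VERDICT_QBITS) | NF_QUEUE;
}
static uint32_t verdict_base(uint32_t v)  { return v & NF_VERDICT_MASK; }
static uint16_t verdict_queue(uint32_t v) { return (uint16_t)(v >> NF_VERDICT_QBITS); }

/* What a verdict callback actually gets: a raw IP packet and its length.
 * Hypothetical policy: accept TCP to allowed_dport, drop everything else.
 * Every decision is made on network/transport header fields; there is no
 * URL, HTTP method or proxy connection visible at this layer. */
static uint32_t decide_verdict(const uint8_t *pkt, size_t len, uint16_t allowed_dport) {
    if (len < 20 || (pkt[0] >> 4) != 4) return NF_DROP;        /* not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;                  /* header length in bytes */
    if (ihl < 20 || len < ihl) return NF_DROP;                  /* malformed header length */
    uint16_t total_len = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if (total_len > len) return NF_DROP;                        /* truncated packet */
    if (pkt[9] != 6) return NF_DROP;                            /* protocol != TCP */
    if (len < ihl + 20) return NF_DROP;                         /* truncated TCP header */
    uint16_t dport = (uint16_t)((pkt[ihl + 2] << 8) | pkt[ihl + 3]);
    return dport == allowed_dport ? NF_ACCEPT : NF_DROP;
}

/* Constructed sample 1: IPv4 (20 bytes) + TCP SYN (20 bytes), 10.0.0.1 -> 10.0.0.2,
 * source port 49152, destination port 3128. Checksums are left zero. */
static const uint8_t sample_tcp_3128[40] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1,  10, 0, 0, 2,
    0xc0, 0x00, 0x0c, 0x38,                 /* sport 49152, dport 3128 */
    0, 0, 0, 0,  0, 0, 0, 0,                /* seq, ack */
    0x50, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00
};

/* Constructed sample 2: IPv4 (20 bytes) + UDP (8 bytes), port 53 -> 53. */
static const uint8_t sample_udp[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x02, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    10, 0, 0, 1,  10, 0, 0, 2,
    0x00, 0x35, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00
};

int main(void) {
    uint32_t v1 = decide_verdict(sample_tcp_3128, sizeof sample_tcp_3128, 3128);
    uint32_t v2 = decide_verdict(sample_udp, sizeof sample_udp, 3128);
    uint32_t v3 = nf_queue_nr(5);
    printf("tcp/3128 -> verdict %u (1 = NF_ACCEPT)\n", v1);
    printf("udp/53   -> verdict %u (0 = NF_DROP)\n", v2);
    printf("requeue  -> word 0x%08x: base %u, queue %u\n", v3, verdict_base(v3), verdict_queue(v3));
    return 0;
}
```

The whole interface between kernel and userspace here is one unsigned integer per packet; nothing in it carries an HTTP request, a reply body or a client connection, which is why an HTTP proxy has nothing to plug into at this point.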

