[squid-users] [NOC] Using Nfqueue or DAQ in squid
m***@gmail.com
2018-09-11 15:09:39 UTC
_______________________________________________
squid-users mailing list
squid-***@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Amos Jeffries
2018-09-11 16:07:44 UTC
> I know that.
> I want to somehow change the source code of Squid to accept packets from
> nfqueue, to customize the netfilter packet flow for my application (Squid).
> Is it possible?
Sure Squid can be made to accept nfqueue messages. *Any* software can be
re-coded to do anything other software does. Then what?

nfqueue messages pass IP protocol packets individually - even when a
packet contains HTTP it only contains *part* of an HTTP message. It is
extremely unlikely that Squid will be able to do anything at all with
the data provided.

Then there is the matter of responding to any HTTP messages *if* they
can be deciphered from the opaque data. nfqueue expects a single integer
- which is the index that *original* packet is to be scheduled for
delivery. So there are absolutely zero things Squid can do in its role as
an HTTP proxy.


So again, what exactly are you trying to achieve?
<https://perlmonks.org/?node=xy+problem>


Amos
Amos Jeffries
2018-09-11 18:55:09 UTC
> In my Linux iptables firewall I want to do iptables rules and controls
> in the forward chain and after that do HTTP filtering with Squid. Because of
> that I need to change the netfilter packet flow and send packets to
> Squid (app layer, user space) after the forward chain, and then get them back
> to kernel space to continue their way in the forward chain and then go out.
> mangle:prerouting > nat:prerouting > filter:forward > squid >
> mangle:postrouting > nat:postrouting
> I thought that nfqueue could help me; maybe there are other ways that I
> don't know!
> What do you think?
I think you are very much misunderstanding how netfilter/iptables is
designed.

Basically INPUT, FORWARD, OUTPUT - every packet goes through one of
them, and no packet ever goes through two.

Which chain applies is determined by where the packet is coming from,
and where it is going to - at the hardware / link layer. Though
PREROUTING rules can affect that decision.

Packets going through FORWARD are going pretty much directly from input
NIC to output NIC.


Depending on what your rules are intended to do they *should* be spread
across those tables. Your desire to put everything only in FORWARD is
leaving the INPUT and OUTPUT packets completely free.


If you want to continue to only filter packets in FORWARD instead of
packets actually entering and leaving the machine. Then you will have to
redesign netfilter itself and possibly the hardware circuitry it uses
for FORWARD handling.

As you wrote above: "i need to change netfilter packet flow".

Squid has nothing to do with any of that level of packet handling. Once
a packet reaches any application layer software like Squid it ceases to
exist. Squid doesn't even get the packet header, just the payload -
streamed in with all the other packet payloads for that TCP connection.
So there is no re-processing of any packet, it's gone completely.


Amos
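Amos's distinction above, as an added illustration that is not part of the thread: an NFQUEUE consumer sees one TCP segment at a time and can only give a per-packet verdict, while Squid only ever reads the byte stream the kernel has already reassembled. The HTTP request, sequence numbers and segment boundaries below are constructed for the example.

```python
# Constructed example: why per-packet inspection cannot act as an HTTP proxy.
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes  # the slice of the stream this packet carries


# One HTTP request cut into three segments that arrive out of order,
# which is how NFQUEUE would hand them to user space one by one.
REQUEST = (b"GET /index.html HTTP/1.1\r\n"
           b"Host: example.test\r\n"
           b"\r\n")
ISN = 1000  # constructed initial sequence number
SEGMENTS = [
    Segment(ISN + 0, REQUEST[:10]),
    Segment(ISN + 30, REQUEST[30:]),
    Segment(ISN + 10, REQUEST[10:30]),
]


def parse_request_line(data: bytes):
    """Return (method, target, version) if a full request line is present, else None."""
    end = data.find(b"\r\n")
    if end < 0:
        return None
    parts = data[:end].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return tuple(p.decode("ascii") for p in parts)


def per_packet_view(segments):
    """What a packet-at-a-time consumer sees: each payload inspected in isolation.
    No segment contains a whole request line, so there is nothing to proxy."""
    return [parse_request_line(s.payload) for s in segments]


def reassemble(segments, isn):
    """Minimal in-order TCP reassembly, the work the kernel does before an
    application like Squid reads the socket. Returns (stream, still_waiting),
    where still_waiting holds segments blocked behind a gap."""
    pending = {s.seq: s.payload for s in segments}
    stream, nxt = b"", isn
    while nxt in pending:
        chunk = pending.pop(nxt)
        stream += chunk
        nxt += len(chunk)
    return stream, pending
```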
Amos Jeffries
2018-09-12 07:44:58 UTC
> Thanks for your response.
> I totally understand how iptables works.
Then you should already know very well the answers to all these
questions you ask, including why Squid cannot do what you want. Are you
attempting to troll?
> Are you familiar with snort?
I am relatively familiar with snort - what it does and its limitations.
I was working with the Netfilter dev team to get TPROXY working when
NFQUEUE and related features were being designed and implemented.
> With the advantages of daq and nfqueue they do those things that I want to do.
> snort gets packets (packets that must be forwarded) from kernel space and
> gets them back to kernel space. It works without any changes in the packet
> flow, with only one nfqueue rule in iptables.
If you are totally familiar with iptables, then you know the statement
"get them back to kernel space" you used above is false. NFQUEUE only
receives a 32-bit integer verdict on whether the packet is to be
discarded or queued with the given delay (hint is in the name).
> I want to change the source code of Squid to do what snort does.
> But you said that is not possible, why?
I have answered that question thrice now. Because IP protocol is not
HTTP protocol. Network layer is not Application layer.

Snort is network layer software for handling IP protocol.

Squid is application layer software for handling HTTP protocol.

Completely and utterly different requirements and limitations. For
example; "packet" is a completely unknown/foreign concept to Squid.

PS. please keep the users mailing list in your replies.


Amos