Re: [squid-users] [NOC] Using Nfqueue or DAQ in squid

2018-09-11 Thread Amos Jeffries
On 12/09/18 4:50 AM, morteza1131 wrote:
> I explained what I want before in my first mail, but to be clear:
> in my linux iptables firewall I want to do iptables rules and controls
> in the forward chain and after that do http filtering with squid. Because of
> that I need to change the netfilter packet flow and send packets to
> squid (app layer, user space) after the forward chain, and then get them back
> to kernel space to continue their way in the forward chain and then go out.
> something like this:
> mangle:prerouting > nat:prerouting > filter:forward > squid >
> mangle:postrouting > nat:postrouting
> 
> I thought that nfqueue can help me, maybe there are other ways that I
> don't know!!
> 
> what do you think!?
> 


I think you are very much misunderstanding how netfilter/iptables is
designed.

Basically INPUT, FORWARD, OUTPUT - every packet goes through one of
them, and no packet ever goes through two.

Which chain applies is determined by where the packet is coming from,
and where it is going to - at the hardware / link layer. Though
PREROUTING rules can affect that decision.

Packets going through FORWARD are going pretty much directly from input
NIC to output NIC.


Depending on what your rules are intended to do they *should* be spread
across those tables. Your desire to put everything only in FORWARD is
leaving the INPUT and OUTPUT packets completely free.


If you want to continue to only filter packets in FORWARD instead of
packets actually entering and leaving the machine, then you will have to
redesign netfilter itself and possibly the hardware circuitry it uses
for FORWARD handling.

As you wrote above: "i need to change netfilter packet flow".

Squid has nothing to do with any of that level of packet handling. Once
a packet reaches any application layer software like Squid it ceases to
exist. Squid doesn't even get the packet header, just the payload -
streamed in with all the other packet payloads for that TCP connection.
So there is no re-processing of any packet, it's gone completely.


Amos
___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] [NOC] Using Nfqueue or DAQ in squid

2018-09-11 Thread Amos Jeffries
On 12/09/18 3:09 AM, morteza1131 wrote:
> i know that.
> i want to somehow change source code of squid to accept packet from
> nfqueue, to customize netfilter packet flow for my application(squid).
> 
> is it possible!?


Sure Squid can be made to accept nfqueue messages. *Any* software can be
re-coded to do anything other software does. Then what?

nfqueue messages pass IP protocol packets individually - even when a
packet contains HTTP it only contains *part* of an HTTP message. It is
extremely unlikely that Squid will be able to do anything at all with
the data provided.

Then there is the matter of responding to any HTTP messages *if* they
can be deciphered from the opaque data. nfqueue expects a single integer
- which is the index that *original* packet is to be scheduled for
delivery. So there are absolutely zero things Squid can do in its role as
an HTTP proxy.


So again, what exactly are you trying to achieve?


Amos
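As an added illustration of the point made in both replies above (this is not Amos's code or anything from the Squid project): a small Python model of the two vantage points. Each TCP segment handed to an nfqueue callback carries only a slice of the HTTP request, so parsing per segment fails, while the proxy's socket delivers the reassembled connection stream. The request bytes and the 24-byte segment size are constructed sample values.

```python
import re

# Constructed sample request, as it travels over one TCP connection; Squid
# reads it from its socket as a byte stream, never as individual packets.
REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: sample-client\r\n"
    b"\r\n"
)
HEADER_END = b"\r\n\r\n"
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")


def segment_stream(payload, mss):
    """Cut the payload into segment-sized slices, as the sending TCP stack
    does; each slice is all that one nfqueue callback would get to see."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def parse_request(data):
    """Return (method, path, headers) for a complete HTTP/1.x request head,
    or None when the data does not hold one (no terminator or request line)."""
    end = data.find(HEADER_END)
    if end < 0:
        return None
    m = REQUEST_LINE.match(data)
    if not m:
        return None
    headers = {}
    for line in data[m.end():end].decode("ascii", "replace").split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return m.group(1).decode(), m.group(2).decode(), headers


def inspect_per_packet(segments):
    """Packet-layer vantage point: judge every segment on its own."""
    return [parse_request(seg) for seg in segments]


def inspect_stream(segments):
    """Application-layer vantage point: the reassembled connection stream."""
    return parse_request(b"".join(segments))


if __name__ == "__main__":
    segs = segment_stream(REQUEST, mss=24)  # constructed MSS, 4 segments
    print("per packet:", inspect_per_packet(segs))  # every entry is None
    print("stream:    ", inspect_stream(segs))
```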


Re: [squid-users] [NOC] Using Nfqueue or DAQ in squid

2018-09-11 Thread morteza1...@gmail.com
I know that. I want to somehow change the source code of squid to accept packets from nfqueue, to customize the netfilter packet flow for my application (squid). Is it possible!?

Sent from my Huawei Mobile

Original Message
Subject: Re: [NOC] Using Nfqueue or DAQ in squid
From: Amos Jeffries
To: morteza omidian, Squid noc
CC:

In future please direct questions about Squid usage to the Vendor that supplied your proxy, or the squid-users mailing list. This noc@ list is for the squid-cache.org domain administrators.

Replies to this mail have been set to the squid-users mailing list, so if you have any followup please ensure you are subscribed there.

On 11/09/18 2:54 AM, morteza omidian wrote:
> Hi
> I am in dire need of using squid in my Linux iptables firewall as a
> transparent proxy. In my situation, I want squid to be placed after my
> forward iptables rules, and redirecting packets to the input chain does
> not work for me. My packet flow is: prerouting > nat > forward > squid > postrouting
> 
> The important part is that forward rules must be checked before packets
> are forwarded to squid. I don't want packets destined to the input chain of the
> firewall.
> 
> I thought maybe it's possible to use DAQ, like the way snort uses it, or
> nfqueue in iptables. I need some help with that, please help me if it's
> possible or *there are any other ways* to solve it.
> 
> Thanks a lot.

What you are asking for is not possible. Please see the netfilter packet flow diagram at for reference.

In that diagram Squid is the "Application Layer" part of the forward path. Snort, nfqueue etc. by comparison are part of the "network layer" or "link layer". Their actions and involvement in the traffic are quite different from Squid and other application layer software.

It sounds to me like you are attempting to intercept traffic in the OUTPUT path. For that situation follow the Localhost interception example at

If that is not suitable, then please mention (on the squid-users mailing list) what your problem is, and what you have tried already. Someone could point you at the specific config to use that meets your situation.

Amos Jeffries
The Squid Software Foundation


Re: [squid-users] Squid Cache Server

2018-09-11 Thread Antony Stone
On Tuesday 11 September 2018 at 10:43:13, Mujtaba Hassan Madani wrote:

> Hi Squid team,
> 
> I just want to know if squid can cache software, for example windows
> update, Java, etc.

Squid doesn't care what a file is for - whether it's "software", web pages, 
images, music, video...

Squid will try to cache anything which gets requested through it, no matter 
what it is.

Whether or not any given thing *can* be cached is far more up to the content 
provider to decide - there are various HTTP headers they can use to say "don't 
cache this" or similar, and some things which you can download have different 
URLs at different times, and Squid can't tell that they are actually the same 
thing.

So, yes, Squid _can_ cache "software".  But just as with any other type of 
content, the provider may tell Squid that it isn't allowed to.


Regards,


Antony.

-- 
What makes you think I know what I'm talking about?
I just have more O'Reilly books than most people.

Please reply to the list;
please *don't* CC me.


[squid-users] Squid Cache Server

2018-09-11 Thread Mujtaba Hassan Madani
Hi Squid team,

I just want to know if squid can cache software, for example windows update, 
Java, etc.

regards


Mujtaba Hassan