On 12/09/18 4:50 AM, morteza1131 wrote:
> I explained what I want before in my first mail, but to be clear:
> in my Linux iptables firewall I want to do iptables rules and controls
> in the FORWARD chain and after that do HTTP filtering with Squid; because of
> that I need to change the netfilter packet flow and send packets to
> Squid (app layer, user space) after the FORWARD chain, and then get them back
> to kernel space to continue their way in the FORWARD chain and then go out.
> something like this:
> mangle:prerouting > nat:prerouting > filter:forward > squid >
> mangle:postrouting > nat:postrouting
>
> I thought that nfqueue can help me, maybe there are other ways that I
> don't know!!
>
> what do you think!?
>

I think you are very much misunderstanding how netfilter/iptables is designed.

Basically INPUT, FORWARD, OUTPUT - every packet goes through one of them, and no packet ever goes through two. Which chain applies is determined by where the packet is coming from, and where it is going to - at the hardware / link layer. Though PREROUTING rules can affect that decision.

Packets going through FORWARD are going pretty much directly from input NIC to output NIC.

Depending on what your rules are intended to do they *should* be spread across those tables. Your desire to put everything only in FORWARD is leaving the INPUT and OUTPUT packets completely free.

If you want to continue to only filter packets in FORWARD instead of packets actually entering and leaving the machine, then you will have to redesign netfilter itself and possibly the hardware circuitry it uses for FORWARD handling. As you wrote above: "I need to change the netfilter packet flow".

Squid has nothing to do with any of that level of packet handling. Once a packet reaches any application layer software like Squid it ceases to exist. Squid doesn't even get the packet header, just the payload - streamed in with all the other packet payloads for that TCP connection.

So there is no re-processing of any packet, it's gone completely.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
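The point above about rules belonging in INPUT, FORWARD and OUTPUT rather than only in FORWARD can be checked mechanically. The following script is an added example and is not part of the thread or of Squid's or netfilter's own code: it emits two rulesets in iptables-restore(8) format, one that filters only FORWARD (the approach the question proposes) and one that spreads rules across all three chains, and a small checker that reports filter chains left with an ACCEPT policy and no rules at all. The interface names (`eth0`, `eth1`), the LAN network and the use of Squid's default port 3128 on INPUT are assumptions chosen for illustration; nothing is loaded into the kernel, so it runs unprivileged.

```shell
#!/bin/sh
# Added example (not from the squid-users thread). Generates iptables-restore
# rulesets as text and checks which filter chains they leave wide open.
# Assumed values; override via the environment if you adapt this.
LAN_IF="${LAN_IF:-eth1}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# forward_only_ruleset: everything in FORWARD, INPUT and OUTPUT untouched.
# This is the shape the original question describes.
forward_only_ruleset() {
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# split_ruleset: rules placed in the chain each packet actually traverses.
split_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT: packets addressed to this host, e.g. clients reaching Squid on 3128.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 3128 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# FORWARD: packets routed from one NIC to the other, never delivered locally.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
# OUTPUT: packets this host itself originates, e.g. Squid's upstream fetches.
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
COMMIT
EOF
}

# chains_left_open: reads an iptables-restore ruleset on stdin and prints,
# one per line and sorted, every filter-table chain whose policy is ACCEPT
# and which carries no rules, i.e. chains the ruleset does not filter at all.
chains_left_open() {
  awk '
    /^\*/      { table = substr($0, 2); next }
    /^COMMIT/  { table = ""; next }
    table == "filter" && /^:/ {
      name = substr($1, 2); policy[name] = $2; rules[name] += 0; next
    }
    table == "filter" && $1 == "-A" { rules[$2]++ }
    END {
      for (n in policy)
        if (policy[n] == "ACCEPT" && rules[n] == 0) print n
    }
  ' | sort
}

# count_rules_in_chain CHAIN: number of -A rules a ruleset on stdin has
# for the named chain.
count_rules_in_chain() {
  grep -c "^-A $1 "
}

# Stand-alone run: report what each ruleset leaves unfiltered.
if [ "${0##*/}" != "sh" ] && [ -z "$SOURCED" ]; then
  echo "forward-only ruleset leaves open: $(forward_only_ruleset | chains_left_open | tr '\n' ' ')"
  echo "split ruleset leaves open:        $(split_ruleset | chains_left_open | tr '\n' ' ')"
fi
```

To validate either ruleset against a real kernel without loading it, pipe it into `iptables-restore --test`; the checker here only catches the structural gap the reply describes (a chain with nothing in it), not whether the rules you do write are the right ones.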