> i have a hard time extracting anything that would make sense from the
> above.
> in general, tag/tagged influences ruleset evaluation. once state is
> created there is no ruleset eval any more for packets matching that
> state.
yes, i just wanna make sure what i'm thinking is right. the problem earlier is that i've been trying to catch ToS packets from squid ZPH and insert them into a special queue. apparently my understanding earlier was wrong. i think that this rule will work:

    pass out on $internal from any to $internal:network tos 0x30 flags any queue q_tos
    pass out on $internal proto tcp from any port 80 to $internal:network queue q_lan
    pass in on $internal proto tcp from $internal:network to any port 80 queue q_lan

but because of the nature of keep state, packets returning to $internal:network which contain tos 0x30 wouldn't get evaluated, so in order to achieve my goal i have to set the rules without keep state:

    pass out on $internal from any to $internal:network tos 0x30 flags any no state queue q_tos
    pass out on $internal proto tcp from any port 80 to $internal:network flags any no state queue q_lan
    pass in on $internal proto tcp from $internal:network to any port 80 flags any no state queue q_lan

now i know this could be a pain in the ass, but this is the only setup i found working. unless someone would like to correct me, i really appreciate it.

-Agung

