On Mon, Feb 22, 2010 at 2:40 PM, Agung T. Apriyanto <[email protected]> wrote:
>> i have a hard time extracting anything that would make sense from the
>> above.
>> in general, tag/tagged influences ruleset evaluation. once state is
>> created there is no ruleset eval any more for packets matching that
>> state.
>
> yes, i just wanna make sure what i'm thinking is right,
>
> problem earlier is i've been trying to catch tos packets from squid zph and
> insert them into a special queue. apparently my understanding earlier
> was wrong. i think that this rule will work:
>
> pass out on $internal from any to $internal:network tos 0x30 flags any
> queue q_tos
> pass out on $internal proto tcp from any port 80 to $internal:network
> queue q_lan
> pass in on $internal proto tcp from $internal:network to any port 80
> queue q_lan
>

sorry, a little addition here, even when i'm trying to use tag:

pass out on $internal from any to $internal:network tos 0x30 flags any tagged ZPH queue q_tos
pass out on $internal proto tcp from any port 80 to $internal:network queue q_lan
pass in on $internal proto tcp from $internal:network to any port 80 tag ZPH queue q_lan

addition ends here

> but because of the nature of keep state, packets returning to int:network which
> contain tos 0x30 wouldn't get evaluated, so in order to achieve my
> goal i have to
> set the rules without keep state:
>
> pass out on $internal from any to $internal:network tos 0x30 flags any
> no state queue q_tos
> pass out on $internal proto tcp from any port 80 to $internal:network
> flags any no state queue q_lan
> pass in on $internal proto tcp from $internal:network to any port 80
> flags any no state queue q_lan
>
> now i know this could be a pain in the ass, but only this setup i
> found working, unless someone
> would like to correct me. i'd really appreciate it.
>
> -Agung
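To make the state-table point above concrete, here is a small added model of pf's evaluation (not pf's code and not from the mail): a state entry is created by the rule that passes the first packet of a connection, later packets that match the state skip the ruleset entirely and inherit the state's queue, and without a state the last matching rule decides. The addresses, ports and the 192.0.2.0/24 network standing in for $internal:network are constructed; the tos rule is listed after the port-80 rule because pf applies the last matching rule when quick is not set.

```python
from collections import namedtuple

# Constructed addresses: 192.0.2.0/24 stands in for $internal:network.
LAN_PREFIX = "192.0.2."
lan = lambda a: a.startswith(LAN_PREFIX)
anyhost = lambda a: True

# direction is "in" or "out" on $internal; tos defaults to 0.
Packet = namedtuple("Packet", "direction proto src sport dst dport tos", defaults=(0,))
# None in a match field means "any"; keep_state=False models pf's "no state".
Rule = namedtuple("Rule", "direction queue proto src sport dst dport tos keep_state")

def matches(r, p):
    return (r.direction == p.direction and r.src(p.src) and r.dst(p.dst)
            and r.proto in (None, p.proto) and r.sport in (None, p.sport)
            and r.dport in (None, p.dport) and r.tos in (None, p.tos))

def flow_key(p):
    # One state entry covers both directions of a connection.
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

class Pf:
    def __init__(self, rules):
        self.rules, self.states = rules, {}

    def process(self, p):  # returns the queue assigned, or None if nothing passes it
        key = flow_key(p)
        if key in self.states:
            return self.states[key]          # state hit: the ruleset is skipped
        winner = None
        for r in self.rules:                 # last matching rule wins (no 'quick')
            if matches(r, p):
                winner = r
        if winner is None:
            return None
        if winner.keep_state:
            self.states[key] = winner.queue  # the queue travels with the state
        return winner.queue

def ruleset(keep_state):
    # The three rules from the mail, tos rule last so it wins on a double match.
    return [Rule("in", "q_lan", "tcp", lan, None, anyhost, 80, None, keep_state),
            Rule("out", "q_lan", "tcp", anyhost, 80, lan, None, None, keep_state),
            Rule("out", "q_tos", None, anyhost, None, lan, None, 0x30, keep_state)]

def run(keep_state):  # (queue of client SYN to squid, queue of squid's tos 0x30 reply)
    pf = Pf(ruleset(keep_state))
    syn = Packet("in", "tcp", "192.0.2.10", 40000, "198.51.100.1", 80)
    reply = Packet("out", "tcp", "198.51.100.1", 80, "192.0.2.10", 40000, 0x30)
    return pf.process(syn), pf.process(reply)
```

With keep state the reply lands in q_lan because the inbound rule's state answers for it before any tos match is tried; with no state the reply is evaluated against the ruleset and reaches q_tos.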

