Patrick McHardy writes:

> One reason to leave it where it is is that sfq can drop packets other
> than the one currently handled if the queue becomes full. You don't want
> packets being dropped because of another one you're going to drop in
> POSTROUTING anyway. Other qdiscs limit bandwidth, they couldn't make any
> calculations about in-use bandwidth if they don't know for sure the
> packet is going out.

This suggests that we want all the filters before queuing, but my reason for wanting e.g. conntrack to come after queuing still seems valid. Perhaps instead of moving postrouting, there should just be another hook after queuing (which is not allowed to drop, only for recording data about outgoing traffic), and conntrack should be moved there.
BTW aren't there already filters that do limiting of a similar sort? The same problems would arise there. I guess there will always be contention among different things that want to go first or last.
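The effect Patrick describes can be shown with a small user-space model of the two orderings. This is an added example, not code from the mail thread or from the netfilter or tc code; it stands in for SFQ with a plain tail-drop queue of capacity 4 (the only property it needs is that a full queue rejects packets), and the burst of eight packets, four of which the POSTROUTING filter would drop, is constructed for the illustration. The observe-only hook after dequeue returns nothing, so it has no way to veto a packet, which is the contract proposed for a post-queuing conntrack hook.

```c
/* Model of the netfilter/qdisc ordering question: filter before or after
 * queuing. Added example, not kernel code; the queue and the burst are
 * constructed for illustration. */
#include <stdbool.h>
#include <stdio.h>

#define QUEUE_CAP 4 /* assumed capacity of the stand-in for SFQ */

struct pkt {
    int id;
    bool filter_would_drop; /* what the POSTROUTING filter decides for it */
};

struct counters {
    int filter_drops; /* dropped by the POSTROUTING filter */
    int queue_drops;  /* dropped because the qdisc was full */
    int sent;         /* dequeued and transmitted */
    int observed;     /* seen by the observe-only post-queue hook */
};

struct queue {
    const struct pkt *slots[QUEUE_CAP];
    int len;
};

/* Drop-capable hook: returns false to drop, like a verdict of NF_DROP. */
static bool filter_hook(const struct pkt *p)
{
    return !p->filter_would_drop;
}

/* Observe-only hook after queuing: no return value, so it cannot drop.
 * Stands in for conntrack bookkeeping on traffic that is really leaving. */
static void observe_hook(const struct pkt *p, struct counters *c)
{
    (void)p;
    c->observed++;
}

/* Tail-drop enqueue: a full queue rejects the packet. */
static bool enqueue(struct queue *q, const struct pkt *p)
{
    if (q->len == QUEUE_CAP)
        return false;
    q->slots[q->len++] = p;
    return true;
}

/* Dequeue everything; optionally run the filter only now (filter after
 * queuing), then hand each transmitted packet to the observe-only hook. */
static void drain(struct queue *q, bool filter_on_dequeue, struct counters *c)
{
    for (int i = 0; i < q->len; i++) {
        const struct pkt *p = q->slots[i];
        if (filter_on_dequeue && !filter_hook(p)) {
            c->filter_drops++;
            continue;
        }
        c->sent++;
        observe_hook(p, c);
    }
    q->len = 0;
}

/* Constructed burst: the first four packets are ones POSTROUTING will
 * drop anyway, the last four are ones that should go out. */
static const struct pkt burst[] = {
    {0, true},  {1, true},  {2, true},  {3, true},
    {4, false}, {5, false}, {6, false}, {7, false},
};
#define BURST_LEN ((int)(sizeof burst / sizeof burst[0]))

/* Run the burst through the path with the filter either before the queue
 * (filter_before_queue == true) or after it, and return the counters. */
struct counters run_burst(bool filter_before_queue)
{
    struct counters c = {0, 0, 0, 0};
    struct queue q = { {0}, 0 };

    for (int i = 0; i < BURST_LEN; i++) {
        const struct pkt *p = &burst[i];
        if (filter_before_queue && !filter_hook(p)) {
            c.filter_drops++;
            continue; /* never occupies a queue slot */
        }
        if (!enqueue(&q, p))
            c.queue_drops++; /* full queue: dropped because of others */
    }
    drain(&q, !filter_before_queue, &c);
    return c;
}

int main(void)
{
    struct counters before = run_burst(true);
    struct counters after = run_burst(false);
    printf("filter before queue: filter_drops=%d queue_drops=%d sent=%d observed=%d\n",
           before.filter_drops, before.queue_drops, before.sent, before.observed);
    printf("filter after queue:  filter_drops=%d queue_drops=%d sent=%d observed=%d\n",
           after.filter_drops, after.queue_drops, after.sent, after.observed);
    return 0;
}
```

With the filter before the queue, the four doomed packets never take a slot and all four good packets are sent; with the filter after the queue, the doomed packets fill the queue, the four good packets are tail-dropped, and nothing goes out, while the observe-only hook still sees exactly what was transmitted in both cases.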