On 10/23/05, Nikolay Kalev <[EMAIL PROTECTED]> wrote:
> Just an idea which I didn't try myself. Try to tag every packet from the
> internal network and then put it in the right queue with a separate rule
> for that. Please tell me if it works :-)
This is how we do it in pfSense - except in reverse. We tag packets based on
the queue criteria for that packet. We then have a copy of the ruleset for
each queue in an anchor for each queue. The anchor is set to match packets by
tag and then the ruleset queues it. It works something like this:

    pass in from foo to bar tag foobar
    pass in from bar to foo tag barfoo
    anchor FooBar tagged foobar
    anchor BarFoo tagged barfoo

anchor FooBar has a ruleset:

    pass in from foo to bar queue foobar
    pass in from bar to foo queue foobar

anchor BarFoo has a ruleset:

    pass in from foo to bar queue barfoo
    pass in from bar to foo queue barfoo

The reasoning behind the excessive rules is sanity in the rule generation -
our tag rules are more for selecting certain traffic and forcing it to use an
anchor that will queue it if it passes the final ruleset (which uses quick).
It's not the best system in the world, but it works. It would be more
convenient if there was a "queue from foo to bar" syntax that handled the
queueing outside of the actual filtering. But separating it was a conscious
decision we made and one that's caused us to work around pf syntax.

--Bill
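A self-contained pf.conf rendering of the tag-then-anchor scheme Bill describes, added here as an illustration and not pfSense's generated ruleset. The interface macros, address ranges, queue names and bandwidth figures are assumed values, and it uses the inline `anchor name { ... }` syntax of newer pf releases instead of anchor rulesets loaded from separate files.

```pf
# Added illustration of the tag-then-anchor queueing scheme (not pfSense's
# generated rules). Macros, addresses, queues and bandwidths are assumed.
ext_if = "em0"
int_if = "em1"
foo = "10.0.1.0/24"        # assumed: internal network
bar = "203.0.113.0/24"     # assumed: remote network reached via $ext_if

# ALTQ queues on the outbound interface; q_default catches everything that
# no anchor assigned to a queue. Shaping the bar -> foo direction would need
# the same queues declared on $int_if as well.
altq on $ext_if cbq bandwidth 10Mb queue { q_foobar, q_barfoo, q_default }
queue q_foobar  bandwidth 40%
queue q_barfoo  bandwidth 40%
queue q_default bandwidth 20% cbq(default)

block in all

# Step 1: selection only. These rules tag but deliberately omit "quick",
# so evaluation continues into the anchors. pf tags are sticky: a later
# matching rule does not remove a tag that was already applied.
pass in from $foo to $bar tag foobar
pass in from $bar to $foo tag barfoo

# Step 2: one anchor per queue. Each anchor is entered only by packets
# carrying its tag, and holds a copy of the filtering ruleset with "quick",
# so the first match inside the anchor decides both verdict and queue.
anchor "FooBar" tagged foobar {
    pass in quick from $foo to $bar queue q_foobar
    pass in quick from $bar to $foo queue q_foobar
}

anchor "BarFoo" tagged barfoo {
    pass in quick from $foo to $bar queue q_barfoo
    pass in quick from $bar to $foo queue q_barfoo
}

# Outbound traffic that no anchor queued lands in the default queue.
pass out on $ext_if queue q_default
```

Because the tag rules are non-quick pass rules, untagged traffic is still decided by the ordinary last-match logic; only the queue assignment is delegated to the anchors.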
