On Sunday, Feb 5, 2006, at 11:37 US/Pacific, Brad Waite wrote:
> pass out on $ext_if proto tcp from $ext_if to any flags S/SA \
>     keep state queue (q_def, q_pri)
>
> Both this page and the FAQ examples indicate that the above rule will
> assign ACKs to the higher priority queue, but I can't see how.

The rule is only matched once, and then a state entry is created (due
to "keep state"). That state entry is responsible for all future
packets (regardless of TCP flags) that belong to the same connection,
including ACKs. It also remembers the queue assignments and uses them
appropriately.

The TCP flags are chosen so that state is created only for a connection
request, instead of having the rule match arbitrary packets that may or
may not be part of a legitimate connection.
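
Added example, not part of the original message and not pf source code: a simplified Python model of the behaviour the reply describes, where the rule is consulted only for the initial SYN and the state entry then picks the queue for every later packet. The class and field names, the addresses, and the sample packets are constructed for illustration; the model assumes pf's documented use of the second queue for lowdelay TOS and data-less TCP ACKs.

```python
# Simplified model of pf rule vs. state lookup; illustrative only, not pf source.
from dataclasses import dataclass

SYN, PSH, ACK = 0x02, 0x08, 0x10

@dataclass(frozen=True)
class Packet:                      # outbound TCP packet (constructed sample type)
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload_len: int = 0
    lowdelay: bool = False         # IP TOS lowdelay bit set

class Filter:
    """Models: pass out ... flags S/SA keep state queue (q_def, q_pri)"""

    def __init__(self, queues=("q_def", "q_pri")):
        self.queues = queues
        self.states = {}           # connection key -> queue pair kept by the state
        self.rule_evaluations = 0  # how often the ruleset had to be consulted

    def handle(self, p):
        """Return the queue for packet p, or None if this rule does not pass it."""
        key = (p.src, p.sport, p.dst, p.dport)
        queues = self.states.get(key)
        if queues is None:
            self.rule_evaluations += 1
            # flags S/SA: out of SYN and ACK, only SYN may be set.
            if p.flags & (SYN | ACK) != SYN:
                return None        # no state, no match; the model has no other rules
            queues = self.states[key] = self.queues
        # Second queue for lowdelay TOS or a TCP ACK carrying no data.
        prio = p.lowdelay or (bool(p.flags & ACK) and p.payload_len == 0)
        return queues[1] if prio else queues[0]

def demo():
    f = Filter()
    conn = ("192.0.2.10", 40000, "198.51.100.5", 80)   # constructed addresses
    trace = [
        f.handle(Packet(*conn, flags=SYN)),                        # rule match, state created
        f.handle(Packet(*conn, flags=ACK)),                        # empty ACK, via state
        f.handle(Packet(*conn, flags=PSH | ACK, payload_len=512)), # data, via state
        f.handle(Packet("192.0.2.10", 40001, "198.51.100.5", 80, flags=ACK)),  # stray ACK
    ]
    return trace, f.rule_evaluations

if __name__ == "__main__":
    print(demo())
```

The stray ACK on an unknown connection creates no state, which is the effect of `flags S/SA` that the last paragraph of the reply describes.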