On Fri, Nov 10, 2006 at 11:10:47AM -0800, Nathan Valentine wrote:

> Reference: http://www.benzedrine.cx/ackpri.html
>
> One of the rules in that document is:
>
> pass out on $ext_if proto tcp from $ext_if to any flags S/SA \
>     keep state queue (q_def, q_pri)

The 'flags S/SA' part of this rule only affects what packets match this rule. We only create state on the initial SYN packet (ACK not set). This has nothing to do with the queue assignments.

Once the initial SYN packet has matched the rule and created state, all further packets related to the connection (no matter what flags are set or unset) pass based on the state entry, not the rule above.

Whether one specific packet of the connection (matching the state) gets assigned to q_def or q_pri DOES depend on the flags it has, but that is hardcoded: empty ACKs go to q_pri, everything else to q_def. The 'flags S/SA' rule option has no influence on the queues.

So, the purpose of the rule is not to separate empty ACKs from other packets. It merely picks the initial SYN of each connection to create the state entry on. Maybe that was the confusion.

I see nothing wrong with the wording in the man page about 'flags S/SA', it's precise and correct.

Daniel
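The distinction drawn in the message above, as an added example that is not part of the original post and is not pf source code: a simplified Python model in which `flags S/SA` decides only which packet creates state, while the queue is chosen per packet by a fixed test. The function names, connection ids, sample packets and the reading of "empty ACK" as "ACK set, zero payload" are assumptions of this model.

```python
# Simplified model of the explanation above; not pf source code.
SYN, ACK, PSH = 0x02, 0x10, 0x08  # TCP header flag bits

def flags_match(pkt_flags, want, mask):
    """pf 'flags want/mask': among the bits in mask, exactly those in want are set."""
    return (pkt_flags & mask) == want

def pick_queue(pkt_flags, payload_len, q_def="q_def", q_pri="q_pri"):
    """Fixed per-packet choice: empty ACKs go to q_pri, everything else to q_def.
    Assumption of this model: 'empty ACK' means ACK set and no TCP payload."""
    if pkt_flags & ACK and payload_len == 0:
        return q_pri
    return q_def

def run(packets):
    """Apply the single rule 'flags S/SA keep state queue (q_def, q_pri)'."""
    states = set()          # connections that already have a state entry
    results = []
    for conn, pkt_flags, payload_len in packets:
        if conn in states:
            how = "state"   # passes on the state entry; rule flags not consulted
        elif flags_match(pkt_flags, SYN, SYN | ACK):
            states.add(conn)
            how = "rule"    # initial SYN: rule matches and creates state
        else:
            # This rule does not match; a real ruleset would go on to other rules.
            results.append(("no-match", None))
            continue
        results.append((how, pick_queue(pkt_flags, payload_len)))
    return results

# Constructed sample traffic: (connection id, flags, payload bytes)
SAMPLE = [
    ("A", SYN, 0),          # initial SYN
    ("A", ACK, 0),          # empty ACK on the established connection
    ("A", ACK | PSH, 512),  # data segment
    ("B", ACK, 0),          # empty ACK with no state entry
]

if __name__ == "__main__":
    for pkt, res in zip(SAMPLE, run(SAMPLE)):
        print(pkt, "->", res)
```

The last sample packet shows that an empty ACK never reaches q_pri through the rule itself: without a state entry it does not match `flags S/SA` at all.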
