> >
> > pass out on $ext_if proto tcp from $ext_if to any flags S/SA \
> >     keep state queue (q_def, q_pri)
>
> Whether one specific packet of the connection (matching the state) gets
> assigned to q_def or q_pri DOES depend on the flags it has, but that is
> hardcoded: empty ACKs go to q_pri, everything else to q_def. The 'flags
> S/SA' rule option has no influence on the queues.
>
> So, the purpose of the rule is not to separate empty ACKs from other
> packets. It merely picks the initial SYN of each connection to create
> the state entry on. Maybe that was the confusion.

Ah, that makes more sense and it dovetails with my next question.

If OpenBSD is acting as an Ethernet bridge and pf/alt is assigning
packets to queues (cbq), the correct rule to send empty ACK packets to a
high priority queue would be something like this?:

pass out on $wan_if proto tcp from any to any A/SAP queue minimal_delay

SAP because we only want to send bare ACK packets to minimal_delay.
Sending SYN+ACK and ACK+PSH to the default queue is fine. And no need to
track state in this situation.

Makes sense?

--
---
Nathan Valentine - [EMAIL PROTECTED]
Systems/Network Admin 415.561.6780
Discovery Mining, Inc. - http://www.discoverymining.com
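
Added example (not part of the thread above): pf's "flags <a>/<b>" test matches when, of the flags in <b>, exactly those in <a> are set. The sketch below applies that test to constructed segments for the two masks discussed, S/SA and A/SAP; the function names and the sample segments are assumptions made for illustration.

```python
# Added example: evaluates pf's "flags <check>/<mask>" test on TCP flag sets.
# Flag letters follow pf.conf: F S R P A U E W.
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}


def to_bits(letters):
    """Convert a string of pf flag letters into a TCP flags bitmask."""
    bits = 0
    for ch in letters:
        bits |= TCP_FLAGS[ch]
    return bits


def flags_match(spec, pkt_flags):
    """True when, of the flags in <mask>, exactly those in <check> are set."""
    if "/" not in spec:
        raise ValueError("expected <check>/<mask>, got %r" % spec)
    check, mask = spec.split("/", 1)
    return (to_bits(pkt_flags) & to_bits(mask)) == to_bits(check)


# Constructed sample segments: (description, flags set, payload bytes).
SEGMENTS = [
    ("initial SYN", "S", 0),
    ("SYN+ACK", "SA", 0),
    ("empty ACK", "A", 0),
    ("data, PSH+ACK", "PA", 512),
    ("data, ACK only", "A", 1460),
    ("FIN+ACK", "FA", 0),
    ("RST+ACK", "RA", 0),
]


def matching(spec):
    """Names of the sample segments that a 'flags <spec>' rule would match."""
    return [name for name, flags, _ in SEGMENTS if flags_match(spec, flags)]


if __name__ == "__main__":
    for spec in ("S/SA", "A/SAP"):
        print(spec, "->", ", ".join(matching(spec)))
```

A flags test sees only the TCP header bits, so under A/SAP the ACK-only data segment, FIN+ACK and RST+ACK match alongside the empty ACK.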
