For queueing in pf, the direction of the packet simply doesn't matter.
I guess your setup would be like this. You have two interfaces and are
forwarding connections through both. On each interface, you have two
queues (one high priority, one low priority), that's four distinct
queue.
int_if pf ext_if
q_int_low q_ext_low
q_int_pri q_ext_pri
One connection through the firewall passes through each interface,
matches a rule on each interface, creates state on each interface.
That's two separate matching rule and two separate states per
connection.
Say, the initial SYN of a TCP connection goes from the internal to the
external side. The SYN first passes in on int_if, creates state with
option 'queue (q_int_low, q_int_pri)' on int_if. Then the SYN passes out
on ext_if, and creates second state with option 'queue (q_ext_low,
q_ext_pri)'.
Now there can be empty ACKs flowing in both directions, back and forth.
Those that flow in the same direction as the initial SYN (from int to
ext) will match the ext state last, hence get queued in q_ext_pri/low.
The packets flowing in reverse will match the state on int last, and
get queued in q_int_pri/low.
Technically, pf assigns the same packet to queues twice, when passing
through the two interfaces. But that's irrelevant in this case, as the
first queue assignment gets overwritten by the second, only the last
assignment matters.
q_int_* only matter for packets leaving out on int_if, and q_ext_* only
matter for packets leaving out on ext_if, in this scenario.
Daniel
