On Sun, Oct 08, 2006 at 02:45:50PM +0200, Federico Giannici wrote:
> Anyway, if it is the only solution, I'll try to implement it. But I
> think it is really not intuitive. For example, the queue example in the
> "pf.conf" man page seems wrong to me: it applies the filters only to
> the output of one NIC, so the ACKs in the back direction are queued to
> the same queues of the forth direction!
> What happens in this case?
I believe nothing happens. Those queues are not for that interface, so adding a tag of a queue on another interface does not influence the queue (if there is any at all) on the interface the packets are actually going out on. Same as if the packets weren't tagged at all.

Those examples don't deal with queueing in both directions. The standard case is where only one side of the firewall needs queueing, i.e. you have a fast LAN on one side and the scarce resource is only the slower uplink on the external side. In this case, you care only about prioritizing outgoing packets to the external side.

Prioritizing empty ACKs only has an advantage when the link is getting saturated and drops occur. If the empty ACKs are coming down from the slow Internet into your fast LAN, chances are the LAN is not even close to getting saturated. Prioritizing them on the LAN interface will do virtually nothing.

Sure, there are other cases where the bandwidth on both sides is symmetric; I guess the examples simply don't address this. If you want an example for a case not addressed by the existing examples, provide one ;)

Daniel
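The single-uplink case Daniel describes, written out as an added pf.conf fragment (not from the thread or the pf.conf man page; interface names, the 1Mb uplink figure and the queue names are assumed). Queues exist only on the external interface, so the second rule's queue assignment has no effect on packets leaving the LAN interface:

```conf
# Constructed example: ext_if is the slow uplink, int_if the fast LAN.
ext_if = "fxp0"
int_if = "fxp1"

# Queues are defined on the external interface only, where the
# scarce bandwidth is. priq orders packets strictly by priority.
altq on $ext_if priq bandwidth 1Mb queue { std_out, ack_out }
queue std_out priority 0 priq(default)
queue ack_out priority 7

# Outbound TCP on the uplink: normal data goes to std_out, while
# empty ACKs (and lowdelay TOS packets) are moved to ack_out, so
# the return path stays responsive when the uplink saturates.
pass out on $ext_if proto tcp from any to any flags S/SA \
    keep state queue (std_out, ack_out)

# No altq is configured on $int_if. Packets leaving the LAN side
# that were tagged with ack_out are simply sent as if untagged,
# which is what the reply above explains. This rule only makes
# the point explicit; the queue assignment here does nothing.
pass out on $int_if proto tcp from any to any flags S/SA \
    keep state queue (std_out, ack_out)
```

Drop the queue assignment from the $int_if rule in a real ruleset; it is kept here only to show that it is harmless.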