2010/10/15, Henning Brauer <lists-open...@bsws.de>:
> this way queue foo will exist on all interfaces. the assignment can be
> done inbound if the packet is forwarded and doesn't go through a
> userland proxy.

A little bit off-topic question: Would it be too stupid to extend divert_output() with a way of assigning queues? I thought, on a per-socket basis. The proxy would call some sort of ioctl() or setsockopt() to tell "from this divert-socket queue everything to 'foo' from now on".

Obviously this might break with ruleset change, which would probably mean some pf ioctls would have to walk over divert sockets in use and change the queue IDs appropriately.

It would bring a huge leverage to rate-limit misbehaving users according to upper layer protocol specifics (you could scan unwanted traffic for whatever you'd like and limit it without rewriting HFSC in userland).

Thanks Henning in particular for his opinion :-) And others of course.

--
Martin Pelikan