Gunther Schadow wrote:
> However, I understand that ALTQ works in the data link layer at
> the interface to the NIC. IPsec, however, works above that layer,
> even before the IPFILTER rules (on outgoing packets.) So, we have
> the following "pipe"
>
> IPSEC -----> IPFILTER -------> ALTQ

You should really look into using IPIP tunnels together with IPsec
transport mode. In that case, your packets loop through IP outbound
processing twice, allowing you to hook into "IP hacks" (ALTQ, ipfw,
ipfilter, etc.) at both the virtual network layer as well as the
physical network layer.

If (and I'm not sure this is supported, but it's easy to add) gif
devices are ALTQified, you could apply ALTQ at the virtual network
level, before IPsec processing kicks in at the physical network.

(For our X-Bone overlays, we do Dummynet processing for the virtual
network to simulate delays and losses in the VPN; and apply IPsec after
tunneling).

Lars
-- 
Lars Eggert <larse@isi.edu>               Information Sciences Institute
http://www.isi.edu/larse/              University of Southern California
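
The layering suggested in the reply, sketched as a setkey(8) policy file. This is an added example, not part of the original message or of the X-Bone code; the addresses, the gif0 interface name and the tunnel setup in the comments are assumptions.

```conf
# Input for "setkey -f" on the local host (constructed example).
# Assumed addresses: local physical 192.0.2.1, remote physical 198.51.100.1.
# Assumed tunnel, created beforehand with:
#   ifconfig gif0 create
#   ifconfig gif0 tunnel 192.0.2.1 198.51.100.1
#   ifconfig gif0 inet 10.0.0.1 10.0.0.2 netmask 255.255.255.255
#
# First pass: traffic routed to 10.0.0.2 goes through IP output on gif0
# (the virtual network), where shaping and filtering hooks see the
# cleartext inner packet.
# Second pass: gif0 emits an IP-in-IP packet (protocol 4) between the
# physical addresses, which goes through IP output again on the NIC.

# Protect only the IP-in-IP packets between the tunnel endpoints, in
# transport mode. "require" makes the kernel drop these packets when no
# SA exists, so tunnel traffic never leaves in the clear.
spdadd 192.0.2.1 198.51.100.1 ip4 -P out ipsec esp/transport//require;
spdadd 198.51.100.1 192.0.2.1 ip4 -P in  ipsec esp/transport//require;

# The matching ESP SAs come from an IKE daemon or from manual "add"
# statements; they are not shown here.
```

Running `setkey -DP` afterwards lists the installed policies, which confirms that only protocol 4 between the two physical addresses is selected for ESP.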