http://www.linuxdoc.org/HOWTO/Adv-Routing-HOWTO.html 9.5 Ingress policer qdisc contains: FIXME: instead of dropping, can we also assign it to a real queue? Has anyone done this? What support is there or alternatively, what's missing? I'd like to use netfilter to queue packets and then connect that to things like TBF. For instance, suppose we want to process the incoming syn packets at a limited rate, and further, share that service in a fair way. I'd like to intercept syn's at NF_IP_LOCAL_IN, put them on a SFQ queue, and extract them at a limited rate before returning them with nf_reinject. I hope that makes sense.
