In the scope of the NuFW project we need to queue SYN packets for connections we want to authenticate (see http://www.nufw.org/ for details on principles). For a single connection we want to QUEUE only the first packet coming to the firewall (the SYN packet in the case of TCP). All subsequent packets of the connection, even if they are also SYN packets (if, for example, the server is unreachable or does not exist), have to be authorized or dropped depending on the decision taken on the first packet. In fact this is an extension of the ESTABLISHED or RELATED match.
I'm not quite sure how to "queue" packets, as in take them into some sort of FIFO with a pause, but possibly you do and you just need help matching which packets to queue. I know with the recent match extension you could probably "remember" a connection attempt (how to remember for just that connection is a question in and of itself though (working on this)) and queue the first one and then take some sort of action on subsequent ones based on how the packets are dequeued. I think you are going to need to rely on some sort of external input, possibly via the condition match extension. I've seen and briefly read about NuFW but I need to do so again to get up to speed to help with this. Let me go do some reading and I'll get back to you.
Grant. . . .