ipfw + altq + pf + ipfw-classifyd identifying/queuing ftp traffic

alan yang alancyang at gmail.com
Sat Dec 10 01:39:12 UTC 2011


Hello,

I have the following setup for trying to identify ftp traffic with
ipfw-classifyd and direct ftp traffic into an ALTQ CBQ queue; non-ftp
traffic should not go through the ftp queue.  Looking at the 'ipfw show' and
'pfctl -s queue -v' output at run time with ping and ftp, I have a
couple of questions:

1)  Should the re-injected diverted packet (fw rule 1000) match rule
63001 and be directed to the ftp queue?
2)  For non-ftp traffic, should it match rule 1000 and NOT be directed
to the ftp queue?

From the 'pfctl -s queue -v' output, it seems ALL traffic goes through the
ALTQ ftp queue.

I wonder whether people could shed some light on the right rule configuration,
and on how to verify the ipfw processing of reinjected diverted packets
with more ALTQ debugging?

Thanks in advance!
Alan

---

ipfw rules:

    #! /bin/sh

    ipfw -f flush

    ipfw pipe 1 config bw 256Kbit/s queue 30
    ipfw pipe 2 config bw 256Kbit/s queue 30

    ipfw add 400 divert 7777 tcp from any to any via em0
    ipfw add 410 divert 7777 udp from any to any via em0

    ipfw add 1000 allow ip from any to any

    ipfw add 63000 allow altq ftp ip from any to any in diverted
    ipfw add 63001 allow altq ftp ip from any to any out diverted

    ipfw add 64000 pipe 1 log ip from any to any in diverted
    ipfw add 64001 pipe 2 log ip from any to any out diverted

/etc/pf.conf
    altq on em0 cbq bandwidth 5Mb queue { ftp }
    queue ftp bandwidth 10% cbq(default)

ipfw-classifyd
    /usr/local/sbin/ipfw-classifyd -p 7777

ipfw-classifyd configuration file has ftp = 1000
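One way to check which rules the reinjected packets actually match is to take an 'ipfw show' snapshot before and after a test transfer and diff the per-rule counters: a 'diverted' rule whose packet counter does not move was never reached by the reinjected packets, which means an earlier rule consumed them. The script below, an added example and not code from the original post or from ipfw-classifyd, parses the 'ipfw show' line format (rule number, packet count, byte count, rule body) and reports the delta. The two snapshots embedded in it are constructed sample output for the rule set above, not real captures.

```python
"""Added example (not from the original post): diff two `ipfw show`
snapshots to see which rules a test flow actually hit.

`ipfw show` prints one rule per line as
    <rulenum> <packets> <bytes> <rule body>
so taking a snapshot before and after a test transfer and subtracting
the counters shows which rules the reinjected ('diverted') packets
matched.  The snapshots below are constructed sample output for the
rule set in the post; they are not real captures.
"""
import re
from typing import Dict, List, Tuple

# One line of `ipfw show`: rule number, packet count, byte count, body.
_RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")


def parse_ipfw_show(text: str) -> Dict[int, Tuple[int, int, str]]:
    """Map rule number -> (packets, bytes, rule body)."""
    rules: Dict[int, Tuple[int, int, str]] = {}
    for line in text.splitlines():
        m = _RULE_RE.match(line)
        if not m:
            continue  # skip blank lines and anything that is not a rule line
        num, pkts, nbytes, body = m.groups()
        rules[int(num)] = (int(pkts), int(nbytes), body)
    return rules


def counter_delta(before: str, after: str) -> List[Tuple[int, int, int, str]]:
    """Per-rule (rulenum, packet delta, byte delta, body) between two
    snapshots, omitting rules whose packet counter did not move.  Rules
    present only in 'after' are treated as starting from zero."""
    b = parse_ipfw_show(before)
    a = parse_ipfw_show(after)
    out = []
    for num in sorted(a):
        pkts_a, bytes_a, body = a[num]
        pkts_b, bytes_b, _ = b.get(num, (0, 0, body))
        if pkts_a - pkts_b:
            out.append((num, pkts_a - pkts_b, bytes_a - bytes_b, body))
    return out


def diverted_rules_hit(delta: List[Tuple[int, int, int, str]]) -> List[int]:
    """Rule numbers from a delta whose body carries the 'diverted' option,
    i.e. rules that matched packets reinjected through the divert socket."""
    return [num for num, _, _, body in delta if re.search(r"\bdiverted\b", body)]


# Constructed sample snapshots (not real ipfw output): only rules 400 and
# 1000 advance, so no 'diverted' rule saw the reinjected packets.
BEFORE = """\
00400      10     1200 divert 7777 tcp from any to any via em0
00410       2      160 divert 7777 udp from any to any via em0
01000      12     1360 allow ip from any to any
63000       0        0 allow altq ftp ip from any to any in diverted
63001       0        0 allow altq ftp ip from any to any out diverted
64000       0        0 pipe 1 log ip from any to any in diverted
64001       0        0 pipe 2 log ip from any to any out diverted
65535       0        0 deny ip from any to any
"""

AFTER = """\
00400      50     5200 divert 7777 tcp from any to any via em0
00410       2      160 divert 7777 udp from any to any via em0
01000      52     5360 allow ip from any to any
63000       0        0 allow altq ftp ip from any to any in diverted
63001       0        0 allow altq ftp ip from any to any out diverted
64000       0        0 pipe 1 log ip from any to any in diverted
64001       0        0 pipe 2 log ip from any to any out diverted
65535       0        0 deny ip from any to any
"""

if __name__ == "__main__":
    delta = counter_delta(BEFORE, AFTER)
    for num, dp, db, body in delta:
        print(f"{num:05d} +{dp:>6} pkts +{db:>8} bytes  {body}")
    print("diverted rules hit:", diverted_rules_hit(delta))
```

In practice, run 'ipfw zero' (or just save 'ipfw show' output) before the ftp transfer, save 'ipfw show' again afterwards, and feed both files to counter_delta. If the 'diverted' rules (63000/63001, 64000/64001) show no movement while an earlier allow rule does, the reinjected packets are being accepted before they reach the altq rules, and the cbq(default) queue is then the only queue they can land in.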


More information about the freebsd-ipfw mailing list