Speaking of free and cheap.. again, standard Linux can do that complex rule/subrule thing pretty much any way one wants to set it up.

It may still require a few duplicate entries to completely clarify (to the kernel) exactly how one wants it to behave, but it can do what you just described.

The links I posted earlier give the gory details, and yes, they're gory when used without a GUI wrapper. I'm sure the GUI/html wrappers exist (heck, that's probably how Packeteers does it), but usually a GUI also implies surrendering some functionality.

Cheers