Oh right. I forgot that things like tcpdump and QoS break with CTF enabled.
QoS itself (traffic classification management) works. It's the way you assign a category that can be hit-or-miss. If you assign categories based on iptables rules, it won't work (no FORWARD chain processing). If you use a kernel-level DPI engine like Trend Micro's, then it will work just fine.
