Packet tagging for the IPFW.

Rules format:

    # mark matched packets with tag N
    ipfw add tag N
    # check tagged packets
    ipfw add tagged N

The description of OpenBSD packet tagging is here:
http://www.openbsd.org/faq/pf/tagging.html

When a packet matches a rule with the tag keyword, the numeric tag for the given number in the range 0..65535 will be attached to the packet. The tag acts as an internal marker (it is not sent out over the wire) that can be used to identify these packets later on. This can be used, for example, to provide trust between interfaces and to start doing policy-based filtering.

A packet can have multiple tags at the same time. Tags are "sticky", meaning that once a tag is applied to a packet by a matching rule it stays there until it is explicitly removed. Tags are kept with the packet everywhere within the kernel, but are lost when the packet leaves the kernel, for example, when the packet is transmitted out to the network or sent to a divert(4) socket.

To check for previously applied tags, use the tagged rule option. To delete a previously applied tag, use the untag keyword.

Note: since tags are kept with the packet everywhere in kernelspace, they can be set and unset anywhere in the kernel network subsystem (using the mbuf_tags(9) facility), not only by means of the ipfw(4) tag and untag keywords. For example, there can be a specialized netgraph(4) node doing traffic analysis and tagging for later inspection in the firewall.

Thanks to Vadim Goncharov for some ideas and patches.

PS. The patches are already in the FreeBSD src tree and will be in FreeBSD 6.2-RELEASE.

(C) Andrey V. Elsukov
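The semantics described above (tags are sticky, a packet may carry several, untag removes one, tagged is a match condition, and all tags are lost once the packet leaves the kernel) are easy to get wrong when writing a trust-between-interfaces policy. The following is an added example and not part of the patch or of ipfw itself: a small Python model of those rules. The rule mini-language (Rule objects with src, iface, tag, untag, tagged fields), the interface names em0/em1, the addresses and the rule numbers are all constructed for illustration and are not ipfw(8) syntax.

```python
"""Toy model of ipfw/mbuf packet-tagging semantics (added example, not ipfw code).

Models: tag N (sticky, several tags per packet), untag N, tagged N as a match
condition, and loss of all tags when the packet leaves the kernel
(transmit or divert(4)). The rule representation is a constructed stand-in
for ipfw(8) rule syntax.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    iface: str                                # interface the packet arrived on
    tags: set = field(default_factory=set)    # in-kernel marker; never sent on the wire


@dataclass
class Rule:
    number: int
    action: str                     # "count" continues the walk; "allow"/"deny" end it
    src: str = "any"                # host or CIDR, e.g. "10.0.0.0/8"
    iface: Optional[str] = None     # match only packets seen on this interface
    tag: Optional[int] = None       # attach tag N   (models ipfw "tag N")
    untag: Optional[int] = None     # remove tag N   (models ipfw "untag N")
    tagged: Optional[int] = None    # match only if tag N present (models "tagged N")


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Evaluate the rule's match conditions; 'tagged' is one of them."""
    if rule.src != "any" and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.tagged is not None and rule.tagged not in pkt.tags:
        return False
    return True


def run_ruleset(rules, pkt):
    """Walk rules in order; tag/untag fire on every matching rule, allow/deny stop the walk."""
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        if rule.tag is not None:
            pkt.tags.add(rule.tag)          # sticky: stays until an untag removes it
        if rule.untag is not None:
            pkt.tags.discard(rule.untag)
        if rule.action in ("allow", "deny"):
            return rule.action, rule.number
    return "deny", 65535                    # implicit default rule: deny


def leave_kernel(pkt):
    """Transmit or divert(4): the packet leaves the kernel and its mbuf tags are gone."""
    return Packet(pkt.src, pkt.dst, pkt.iface)


# Constructed policy: mark traffic arriving on the inside interface em0 as trusted,
# strip the mark from one host that must not be trusted, and allow only marked packets.
RULES = [
    Rule(100, "count", src="10.0.0.0/8", iface="em0", tag=1),
    Rule(200, "count", src="10.0.0.66", untag=1),
    Rule(300, "allow", tagged=1),
    Rule(400, "deny"),
]


def demo():
    """Run constructed packets through RULES and report verdicts and tag state."""
    out = {}
    inside = Packet("10.0.0.5", "198.51.100.1", "em0")
    out["inside"] = run_ruleset(RULES, inside)             # ('allow', 300)
    out["inside_tags"] = set(inside.tags)                  # {1}

    untrusted = Packet("10.0.0.66", "198.51.100.1", "em0")
    out["untrusted"] = run_ruleset(RULES, untrusted)       # ('deny', 400): rule 200 stripped the tag
    out["untrusted_tags"] = set(untrusted.tags)            # set()

    spoof = Packet("10.0.0.7", "198.51.100.1", "em1")      # inside address seen on the outside interface
    out["spoof"] = run_ruleset(RULES, spoof)               # ('deny', 400): never tagged

    # Sticky and multi-tag: a later ruleset adds tag 2 and still sees tag 1.
    later = [Rule(10, "count", tag=2), Rule(20, "allow", tagged=1)]
    out["later"] = run_ruleset(later, inside)              # ('allow', 20)
    out["later_tags"] = set(inside.tags)                   # {1, 2}

    # After transmit/divert the tags are lost; re-entering, the packet is no longer trusted.
    reinjected = leave_kernel(inside)
    out["reinjected"] = run_ruleset(later, reinjected)     # ('deny', 65535): tag 1 is gone
    out["reinjected_tags"] = set(reinjected.tags)          # {2}
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The model checks the tagged condition before applying tag/untag on the same rule, so a rule cannot match on a tag it is about to set itself; and the reinjected case shows why a policy that trusts a tag must re-establish it for packets coming back from a divert(4) socket.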