--- ip_fw2.c.orig Wed Oct 11 16:14:28 2006
+++ ip_fw2.c Tue Oct 24 12:51:47 2006
@@ -167,6 +167,7 @@
 static int fw_debug = 1;
 static int autoinc_step = 100; /* bounded to 1..1000 in add_rule() */
+static uint32_t fw_trace_tag = 0;
 extern int ipfw_chg_hook(SYSCTL_HANDLER_ARGS);
@@ -183,6 +184,8 @@
 "Only do a single pass through ipfw when using dummynet(4)");
 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, debug, CTLFLAG_RW,
 &fw_debug, 0, "Enable printing of debug ip_fw statements");
+SYSCTL_UINT(_net_inet_ip_fw, OID_AUTO, trace_tag, CTLFLAG_RW,
+ &fw_trace_tag, 0, "Log matches tagged with specified tag packets");
 SYSCTL_INT(_net_inet_ip_fw, OID_AUTO, verbose, CTLFLAG_RW | CTLFLAG_SECURE3,
 &fw_verbose, 0, "Log matches to ipfw rules");
@@ -763,12 +766,14 @@
 ipfw_insn *cmd = ACTION_PTR(f);
 ipfw_insn_log *l = (ipfw_insn_log *)cmd;
+ if (cmd->opcode == O_LOG) {
 if (l->max_log != 0 && l->log_left == 0)
 return;
 l->log_left--;
 if (l->log_left == 0)
 limit_reached = l->max_log;
 cmd += F_LEN(cmd); /* point to first action */
+ }
 if (cmd->opcode == O_ALTQ) {
 ipfw_insn_altq *altq = (ipfw_insn_altq *)cmd;
@@ -2148,6 +2153,7 @@
 struct in_addr src_ip, dst_ip; /* NOTE: network format */
 u_int16_t ip_len=0;
 int pktlen;
+ uint32_t tablearg = 0;
 /*
 * dyn_dir = MATCH_UNKNOWN when rules unchecked,
@@ -2457,7 +2463,6 @@
 */
 for (; f; f = f->next) {
 ipfw_insn *cmd;
- uint32_t tablearg = 0;
 int l, cmdlen, skip_or; /* skip rest of OR block */
 again:
@@ -3078,6 +3083,14 @@
 * further instances of these opcodes are
 * effectively NOPs.
 */
+#define TRACE_ACTION do { \
+ if (fw_trace_tag > 0 && \
+ m_tag_locate(m, MTAG_IPFW, fw_trace_tag, NULL) != NULL) {\
+ ipfw_log(f, hlen, args, m, \
+ oif, offset, tablearg); \
+ } \
+} while(0)
+
 case O_LIMIT:
 case O_KEEP_STATE:
 if (install_state(f,
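Review bot: The new `trace_tag` sysctl is registered with plain `CTLFLAG_RW`, while the neighbouring `verbose` knob, which also controls ipfw_log() output, carries `CTLFLAG_RW | CTLFLAG_SECURE3`; since trace_tag switches on logging of every tagged packet it should get the same securelevel protection: `SYSCTL_UINT(_net_inet_ip_fw, OID_AUTO, trace_tag, CTLFLAG_RW | CTLFLAG_SECURE3,`. The description string is garbled; `"Log all rule matches for packets carrying this mbuf tag (0 disables)"` says what the `fw_trace_tag > 0` check in ipfw_chk actually does. The sysctl accepts any uint32_t, but m_tag_locate() takes the tag type as an `int`, so values outside the range the existing tag action can produce (presumably a 16-bit field; not visible here) can never match — worth stating in the description or bounding in a handler.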
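Review bot: With the new `if (cmd->opcode == O_LOG)` guard, a rule that has no log opcode skips the `max_log`/`log_left` accounting entirely, so calls that reach ipfw_log() through the trace path have no per-rule limit — every tagged packet produces a log line, which on a busy path can flood the console and syslog. At minimum the guard deserves a comment, `/* no O_LOG: reached via trace_tag, so max_log does not bound this call */`, and if a bound is wanted it has to live on the trace path itself rather than rely on max_log. Style: the six lines wrapped by the new braces keep their old indentation; FreeBSD style would re-indent the body one level. ipfw_log() continues outside the hunk.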
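Review bot: Moving `tablearg` to function scope (this hunk together with the one at -2457) drops the reset that the per-iteration `uint32_t tablearg = 0;` used to give each rule, so a value stored by a table lookup in a rule that ends up not matching now survives into the next rule; a later rule whose action consumes tablearg without a lookup of its own would then act on that stale value instead of 0 (the consuming code is outside these hunks, so this is inferred from the scope change alone). Keeping the declaration at function scope so the `done:` trace can see it is fine, but put the reset back at the top of the loop body, `tablearg = 0;` right after `int l, cmdlen, skip_or;`. Note that the old placement above `again:` did not reset on `goto again`, so if skipto chains should also start clean the reset belongs after the label instead. The loop body runs past the hunk.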
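Review bot: `TRACE_ACTION` is defined in the middle of ipfw_chk's switch, silently captures seven locals (`f`, `hlen`, `args`, `m`, `oif`, `offset`, `tablearg`) plus the global, and is never `#undef`'d, so it leaks past the function; define it above ipfw_chk with a comment naming the locals it expects, e.g. `/* Log the current rule when fw_trace_tag != 0 and the mbuf carries that tag; uses ipfw_chk locals f, hlen, args, m, oif, offset, tablearg. */`, and `#undef TRACE_ACTION` after the function. Unlike the O_LOG path, the macro does not consult `fw_verbose` (if that gating happens at the O_LOG call site, which is outside the hunk), and ipfw_log() applies no max_log limit to it, so flipping the sysctl on a busy box logs every tagged packet without bound — a comment here or a ratelimit would make that visible to the operator. Minor: `fw_trace_tag` is unsigned, so `fw_trace_tag != 0` reads better than `> 0`, and passing a uint32_t where m_tag_locate() takes an `int` type narrows implicitly.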
@@ -3173,12 +3186,15 @@
 f->pcnt++; /* update stats */
 f->bcnt += pktlen;
 f->timestamp = time_uptime;
- if (cmd->opcode == O_COUNT)
+ if (cmd->opcode == O_COUNT) {
+ TRACE_ACTION;
 goto next_rule;
+ }
 /* handle skipto */
 if (f->next_rule == NULL)
 lookup_next_rule(f);
+ TRACE_ACTION;
 f = f->next_rule;
 goto again;
 case O_REJECT:
@@ -3270,6 +3286,7 @@
 return (IP_FW_DENY);
 done:
+ TRACE_ACTION;
 /* Update statistics */
 f->pcnt++;
 f->bcnt += pktlen;
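Review bot: The trace fires in the O_COUNT branch before `goto next_rule` and in the skipto branch before `goto again`, and again at `done:` for the final verdict, so one tagged packet can emit several log lines per pass — once per count or skipto rule it traverses plus the terminal rule. That is what a trace wants, but nothing says so; a comment on the first `TRACE_ACTION;` here, `/* trace_tag: log non-terminal actions too; the final verdict is logged at done: */`, would keep a reader from taking the repeated lines for a bug. The enclosing switch continues outside the hunk.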
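Review bot: The `return (IP_FW_DENY)` on the line just above `done:` leaves ipfw_chk without passing through `TRACE_ACTION`, so a tagged packet denied on that path is never logged while every other verdict that reaches `done:` is; if that return is the fall-off-the-end default deny (its context is outside the hunk), an operator tracing a tag would expect to see it. Either trace before that return or record the gap at the label, `/* trace_tag: log the final verdict; the deny return above is not traced */`. The rest of the `done:` path is outside the hunk.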