This patch adds a rule action tracing feature to ipfw2. For example, when you have too many ipfw rules and some packets do not pass, it is not easy to determine the rule which blocks these packets. This patch allows tracing each matched rule. And there is no need to add or delete `log' rules in some places.

How to use:

    # ipfw add 1 count tag
    # sysctl net.inet.ip.fw.trace_tag=
    # tail -f /var/log/security

- some tag number
- rule for matching needed packets

NOTE! Do not forget to disable tracing by resetting the net.inet.ip.fw.trace_tag variable to zero. Tracing can generate a lot of messages to syslogd.

(C) Andrey V. Elsukov,