=== Ethernet support for pf Links: + link:https://github.com/kprovost/freebsd-src/tree/netgate/pf-link[pf-link in-progress tree] URL: link:https://github.com/kprovost/freebsd-src/tree/netgate/pf-link[https://github.com/kprovost/freebsd-src/tree/netgate/pf-link] Work is ongoing to add basic support for Ethernet filtering to pf. This will allow layer 2 addresses to be used to tag packets for subsequent filtering or shaping in the existing pf code. The layer 2 code is strictly stateless. The intended use case for this is to improve pf's capabilities in captive portal setups (i.e. allow/deny internet access based on client MAC addresses). TODO: * (optional) anchor support * move nvlist interface code into libpfctl * audit nvlist code for bugs (several bugs were found in the recent nvlist alternatives to existing ioctl calls) * (optional) VLAN ID filtering * (optional) MAC address table support While this work is incomplete, feedback on architecture and functionality is welcomed. Sponsor: Rubicon Communications, LLC ("Netgate")