=== Ethernet support for pf
Links: +
link:https://github.com/kprovost/freebsd-src/tree/netgate/pf-link[pf-link in-progress tree] URL: link:https://github.com/kprovost/freebsd-src/tree/netgate/pf-link[https://github.com/kprovost/freebsd-src/tree/netgate/pf-link]
Work is ongoing to add basic support for Ethernet filtering to pf.
This will allow layer 2 addresses to be used to tag packets for subsequent filtering or shaping in the existing pf code. The layer 2 code is strictly stateless.
The intended use case for this is to improve pf's capabilities in captive portal setups (i.e. allow/deny internet access based on client MAC addresses).
TODO:

* (optional) anchor support
* move nvlist interface code into libpfctl
* audit nvlist code for bugs (several bugs were found in the recent nvlist alternatives to existing ioctl calls)
* (optional) VLAN ID filtering
* (optional) MAC address table support

While this work is incomplete, feedback on architecture and functionality is welcomed.
Sponsor: Rubicon Communications, LLC ("Netgate")