Filtering
Tagging

Rules can apply a named tag to a packet
Only one tag per packet
Pass rules with tagging must be stateful
Subsequent rules can match on that tag
Bridge code can also tag packets

Allows the separation of classification and policy

