Filtering Tagging Rules can apply a named tag to a packet Only one tag per packet Pass rules with tagging must be stateful Subsequent rules can match on that tag Bridge code can also tag packets Allows the separation of classification and policy