Important notices

• I have read the contributing guide lines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
• I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue

Is your feature request related to a problem? Please describe.

I'm developing a plug-in that maintains a set of firewall rules for policy-based routing that depends on a MAC address of user's device. That's not a security feature, but a convenience one: all the devices are in the same L2 segment, but OPNsense might route certain traffic through VPN gateways depending on the device.

IP-based rules are not convenient in this case as the network is dual-stack and hosts might have numerous IPv6 addresses with limited lifetime.

pf supports tagging of L2 packets using the following rules:

# pfctl -s all
[...]
ETH RULES:
ether pass in on re0 from 44:85:00:f5:01:b3 l3 all tag no2tun
ether anchor "tag2tun" l3 all

The tag might be used later on in filter and nat rules. Note that ether anchor syntax differs from nat-anchor and rdr-anchor a bit, namely "-" is missing.

Describe the solution you like

I was following the idea of miniupnp plugin and considered adding an anchor for my plugin. Unfortunately, current code in OPNsense/Firewall/Plugin.php and etc/inc/filter.inc does not support anchors of ether type.

Describe alternatives you considered

The best alternative with no patches I can currently imagine is a sidecar process that parses logs for new IP addresses in the specific L2 segment, checks out arp/ndp neighbor table and updates pf table with IP addresses for the source-based routing.

Some ad-hoc cron job injecting an anchor if it's missing is another option.

Splitting the L2 segment into policy-per-vlan schema might sound like an option, but, unfortunately, it's an suboptimal option for the networks I'm managing.