diff --git a/include/ZeroTierOne.h b/include/ZeroTierOne.h
index 88e83a6ef..2a70417ee 100644
--- a/include/ZeroTierOne.h
+++ b/include/ZeroTierOne.h
@@ -164,6 +164,11 @@ extern "C" {
  */
 #define ZT_CLUSTER_MAX_MESSAGE_LENGTH (1500 - 48)
 
+/**
+ * Packet characteristics flag: packet direction, 1 for incoming 0 for outgoing
+ */
+#define ZT_RULE_PACKET_CHARACTERISTICS_0_INBOUND 0x0000000000000001ULL
+
 /**
  * A null/empty sockaddr (all zero) to signify an unspecified socket address
  */
diff --git a/node/Filter.cpp b/node/Filter.cpp
index 286a0144b..b8b0bd2a1 100644
--- a/node/Filter.cpp
+++ b/node/Filter.cpp
@@ -239,9 +239,10 @@ bool Filter::run(
 					thisRuleMatches = 0;
 				}
 				break;
-			case ZT_NETWORK_RULE_MATCH_CHARACTERISTICS:
-				// TODO: not supported yet
-				break;
+			case ZT_NETWORK_RULE_MATCH_CHARACTERISTICS: {
+				uint64_t cf = (receiving) ? ZT_RULE_PACKET_CHARACTERISTICS_0_INBOUND : 0ULL;
+				thisRuleMatches = (uint8_t)((cf & rules[rn].v.characteristics[0]) == rules[rn].v.characteristics[1]);
+			}	break;
 			case ZT_NETWORK_RULE_MATCH_FRAME_SIZE_RANGE:
 				thisRuleMatches = (uint8_t)((frameLen >= (unsigned int)rules[rn].v.frameSize[0])&&(frameLen <= (unsigned int)rules[rn].v.frameSize[1]));
 				break;
diff --git a/node/IncomingPacket.cpp b/node/IncomingPacket.cpp
index aea110d5b..c2df7ee2a 100644
--- a/node/IncomingPacket.cpp
+++ b/node/IncomingPacket.cpp
@@ -36,7 +36,6 @@
 #include "World.hpp"
 #include "Cluster.hpp"
 #include "Node.hpp"
-#include "Filter.hpp"
 #include "CertificateOfMembership.hpp"
 #include "Capability.hpp"
 #include "Tag.hpp"
@@ -541,23 +540,8 @@ bool IncomingPacket::_doFRAME(const RuntimeEnvironment *RR,const SharedPtr<Peer>
 				const MAC sourceMac(peer->address(),network->id());
 				const unsigned int frameLen = size() - ZT_PROTO_VERB_FRAME_IDX_PAYLOAD;
 				const uint8_t *const frameData = reinterpret_cast<const uint8_t *>(data()) + ZT_PROTO_VERB_FRAME_IDX_PAYLOAD;
-				if (Filter::run(
-					RR,
-					network->id(),
-					peer->address(),
-					RR->identity.address(),
-					sourceMac,
-					network->mac(),
-					frameData,
-					frameLen,
-					etherType,
-					0,
-					network->config().rules,
-					network->config().ruleCount))
-				{
+				if (network->filterIncomingPacket(peer,RR->identity.address(),sourceMac,network->mac(),frameData,frameLen,etherType,0)) {
 					RR->node->putFrame(network->id(),network->userPtr(),sourceMac,network->mac(),etherType,0,(const void *)frameData,frameLen);
-				} else {
-					TRACE("dropped FRAME from %s(%s): Filter::run() == false (will still log packet as received)",peer->address().toString().c_str(),_remoteAddress.toString().c_str(),(unsigned int)etherType,(unsigned long long)network->id());
 				}
 			}
 
@@ -600,11 +584,6 @@ bool IncomingPacket::_doEXT_FRAME(const RuntimeEnvironment *RR,const SharedPtr<P
 				const MAC to(field(comLen + ZT_PROTO_VERB_EXT_FRAME_IDX_TO,ZT_PROTO_VERB_EXT_FRAME_LEN_TO),ZT_PROTO_VERB_EXT_FRAME_LEN_TO);
 				const MAC from(field(comLen + ZT_PROTO_VERB_EXT_FRAME_IDX_FROM,ZT_PROTO_VERB_EXT_FRAME_LEN_FROM),ZT_PROTO_VERB_EXT_FRAME_LEN_FROM);
 
-				if (to.isMulticast()) {
-					TRACE("dropped EXT_FRAME from %s@%s(%s) to %s: destination is multicast, must use MULTICAST_FRAME",from.toString().c_str(),peer->address().toString().c_str(),_remoteAddress.toString().c_str(),to.toString().c_str());
-					return true;
-				}
-
 				if ((!from)||(from.isMulticast())||(from == network->mac())) {
 					TRACE("dropped EXT_FRAME from %s@%s(%s) to %s: invalid source MAC",from.toString().c_str(),peer->address().toString().c_str(),_remoteAddress.toString().c_str(),to.toString().c_str());
 					return true;
@@ -626,23 +605,9 @@ bool IncomingPacket::_doEXT_FRAME(const RuntimeEnvironment *RR,const SharedPtr<P
 
 				const unsigned int frameLen = size() - (comLen + ZT_PROTO_VERB_EXT_FRAME_IDX_PAYLOAD);
 				const uint8_t *const frameData = (const uint8_t *)field(comLen + ZT_PROTO_VERB_EXT_FRAME_IDX_PAYLOAD,frameLen);
-				if (Filter::run(
-					RR,
-					network->id(),
-					peer->address(),
-					RR->identity.address(),
-					from,
-					to,
-					frameData,
-					frameLen,
-					etherType,
-					0,
-					network->config().rules,
-					network->config().ruleCount))
-				{
+
+				if (network->filterIncomingPacket(peer,RR->identity.address(),from,to,frameData,frameLen,etherType,0)) {
 					RR->node->putFrame(network->id(),network->userPtr(),from,to,etherType,0,(const void *)frameData,frameLen);
-				} else {
-					TRACE("dropped EXT_FRAME from %s(%s): Filter::run() == false (will still log packet as received)",peer->address().toString().c_str(),_remoteAddress.toString().c_str(),(unsigned int)etherType,(unsigned long long)network->id());
 				}
 			}
 
@@ -916,25 +881,8 @@ bool IncomingPacket::_doMULTICAST_FRAME(const RuntimeEnvironment *RR,const Share
 				}
 
 				const uint8_t *const frameData = (const uint8_t *)field(offset + ZT_PROTO_VERB_MULTICAST_FRAME_IDX_FRAME,frameLen);
-				if (Filter::run(
-					RR,
-					network->id(),
-					peer->address(),
-					RR->identity.address(),
-					from,
-					to.mac(),
-					frameData,
-					frameLen,
-					etherType,
-					0,
-					network->config().rules,
-					network->config().ruleCount))
-				{
+				if (network->filterIncomingPacket(peer,RR->identity.address(),from,to.mac(),frameData,frameLen,etherType,0)) {
 					RR->node->putFrame(network->id(),network->userPtr(),from,to.mac(),etherType,0,(const void *)frameData,frameLen);
-				} else {
-					TRACE("dropped MULTICAST_FRAME from %s(%s): Filter::run() == false (will still do implicit gather)",peer->address().toString().c_str(),_remoteAddress.toString().c_str(),(unsigned int)etherType,(unsigned long long)network->id());
-					// Note: we continue here since we still do implicit gather in this case... we just do not putFrame() if it
-					// fails the filter check.
 				}
 			}