Subject: Re: Why not BPF for security?
To: Bryan P <u7@terran.org>
From: None <itojun@iijlab.net>
List: tech-net
Date: 04/10/2003 13:46:12
>I'm curious to know if there is a reason that the BPF interpreter in the
>kernel is not also used for security purposes.  It certainly would be
>simple enough to pair a (user-space) compiled BPF program with an action
>(e.g. ACCEPT, DISCARD, REJECT, etc) and evaluate a per-interface list of
>these programs upon packet-input.  It would be nice to be able to use pcap
>for filter expressions (symmetry with tcpdump).  I suppose it might not be
>as efficient to use BPF for this, and of course it doesn't handle NAT,
>stateful filtering etc., but I'm curious to know if there are other reasons
>not to do it.

	BSDi BSD/OS uses BPF as packet filter engine.  there's some chance
	we can make it freely-redistributable (by asking them nicely - i got
	an offer one time)

itojun
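As an added illustration of the model the question sketches (this is not code from the thread, from NetBSD or from BSD/OS): a toy interpreter for a small subset of classic BPF instructions, plus a rule list that pairs each compiled program with an action and decides a packet by first match, falling back to a default. The programs are in the `(code, jt, jf, k)` form `tcpdump -dd` prints; the frames, rule set and action names are constructed for the example.

```python
import struct

# Classic BPF opcodes (values from <net/bpf.h>); only the subset this toy needs.
LDH_ABS = 0x28  # A = big-endian 16-bit load at absolute offset k
LDB_ABS = 0x30  # A = 8-bit load at absolute offset k
JEQ_K = 0x15    # pc += jt if A == k else pc += jf
RET_K = 0x06    # return k (0 = no match, non-zero = match)

# Programs as (code, jt, jf, k) tuples; these two are what `tcpdump -dd`
# emits for "ip and tcp" and for "arp".
IP_AND_TCP = [(LDH_ABS, 0, 0, 12), (JEQ_K, 0, 3, 0x0800), (LDB_ABS, 0, 0, 23),
              (JEQ_K, 0, 1, 6), (RET_K, 0, 0, 0x40000), (RET_K, 0, 0, 0)]
ARP = [(LDH_ABS, 0, 0, 12), (JEQ_K, 0, 1, 0x0806), (RET_K, 0, 0, 0x40000),
       (RET_K, 0, 0, 0)]

def run_bpf(prog, pkt):
    """Interpret prog over pkt. A load past the end of the packet makes the
    program return 0 (no match), as the kernel's interpreter does."""
    acc, pc = 0, 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        if code in (LDH_ABS, LDB_ABS):
            width = 2 if code == LDH_ABS else 1
            if k + width > len(pkt):
                return 0
            acc = int.from_bytes(pkt[k:k + width], "big")
        elif code == JEQ_K:
            pc += jt if acc == k else jf
        elif code == RET_K:
            return k
        else:
            raise ValueError("unsupported opcode 0x%02x" % code)
    return 0  # fell off the end: treat as no match

def filter_packet(rules, pkt, default="DISCARD"):
    """First rule whose program matches decides; otherwise the default (deny)."""
    for prog, action in rules:
        if run_bpf(prog, pkt):
            return action
    return default

def make_frame(ethertype, proto=6):
    """Constructed sample frame: Ethernet header plus a minimal IPv4 header."""
    eth = b"\x00" * 12 + struct.pack("!H", ethertype)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, proto, 0,
                     b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return eth + ip + b"\x00" * 20

# Hypothetical per-interface list: only TCP and ARP are allowed through.
RULES = [(IP_AND_TCP, "ACCEPT"), (ARP, "ACCEPT")]
```

A frame truncated before the protocol byte fails the TCP program's load and is discarded by the default, which is the fail-closed behaviour a security filter wants.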