Subject: Re: your packet filter thang...
To: Charles M. Hannum <mycroft@ai.mit.edu>
From: Darren Reed <darrenr@vitruvius.arbld.unimelb.edu.au>
List: tech-kern
Date: 03/01/1995 22:59:33
In some email I received from Charles M. Hannum, they wrote:
> 
> 
>    Firstly, I don't see why changing the filtering rules currently in
>    use should require you to reload the entire ruleset.  To change a
>    single rule then requires you to `disconnect' from the network
>    (ifconfig down), remove the BPF rules, load a new set, and ifconfig
>    up.
> 
> Those two statements are unrelated.  The ability to install a new
> filter program is quite distinct from the actual mechanics of
> uploading the program to the kernel.  I don't see why it should ever
> be necessary to turn the network interface off.

To stop packets you might otherwise wish to allow/disallow from passing
through whilst there are no filtering rules loaded?  Whilst it isn't
strictly necessary, if you care enough about your filtering, then if
you have to remove them all, you don't want any packets passing which
might otherwise be acted upon.  Of course, this assumes that by default
packets are being allowed through.

I guess if you wanted, you could allow for two "programs" to be resident
in memory (for BPF) for both input and output, on each interface (total
of 8 for a dual interface "firewall" host) and switch between the two.
(I assume this is what you are getting at above).  So long as it was
possible to support this, it'd alleviate the problem.

darren
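The "two resident programs, switch between them" scheme from the last paragraph, and the fail-closed behaviour the first paragraph argues for, as an added illustration that is not code from this thread, from NetBSD or from any real packet filter. Every name here (`filter_point`, `fp_install`, `fp_filter`, the port-matching rule format) is hypothetical; the packets are constructed destination ports rather than real frames:

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical filter "program": an ordered list of rules matched on the
 * destination port, plus a default action. Two programs stay resident at
 * each filter point and one atomic pointer selects the active one, so a
 * rule change never leaves the interface without a complete program. */
enum action { ACT_DENY = 0, ACT_ALLOW = 1 };

struct rule {
    uint16_t dport;      /* destination port to match; 0 matches any port */
    enum action act;
};

#define MAX_RULES 8

struct program {
    struct rule rules[MAX_RULES];
    size_t nrules;
    enum action dflt;    /* action taken when no rule matches */
};

/* One filter point, e.g. "input on interface 0": two resident slots and
 * a pointer to whichever slot is currently in force. */
struct filter_point {
    struct program slot[2];
    _Atomic(struct program *) active;   /* NULL until a program is installed */
};

void fp_init(struct filter_point *fp)
{
    for (int i = 0; i < 2; i++) {
        fp->slot[i].nrules = 0;
        fp->slot[i].dflt = ACT_DENY;
    }
    atomic_store(&fp->active, NULL);
}

/* Evaluate one packet. With no program loaded the point fails closed,
 * which is the behaviour the thread wants instead of "allow by default". */
enum action fp_filter(struct filter_point *fp, uint16_t dport)
{
    struct program *p = atomic_load(&fp->active);
    if (p == NULL)
        return ACT_DENY;
    for (size_t i = 0; i < p->nrules; i++)
        if (p->rules[i].dport == 0 || p->rules[i].dport == dport)
            return p->rules[i].act;
    return p->dflt;
}

/* Load a new program into the slot that is NOT active, then switch the
 * pointer. Packets arriving while the copy is in progress keep matching
 * the old, complete program; there is no moment with zero rules loaded,
 * so the interface never has to be brought down. Returns -1 if the new
 * program does not fit. */
int fp_install(struct filter_point *fp, const struct rule *rules,
               size_t n, enum action dflt)
{
    if (n > MAX_RULES)
        return -1;
    struct program *cur = atomic_load(&fp->active);
    struct program *next = (cur == &fp->slot[0]) ? &fp->slot[1] : &fp->slot[0];
    for (size_t i = 0; i < n; i++)
        next->rules[i] = rules[i];
    next->nrules = n;
    next->dflt = dflt;
    atomic_store(&fp->active, next);   /* the single switch point */
    return 0;
}

int main(void)
{
    struct filter_point fp;
    fp_init(&fp);
    printf("no program, port 25: %s\n", fp_filter(&fp, 25) ? "allow" : "deny");

    /* Constructed ruleset A: allow only mail, deny the rest. */
    struct rule a[] = { { 25, ACT_ALLOW } };
    fp_install(&fp, a, 1, ACT_DENY);
    printf("A: port 25 %s, port 80 %s\n",
           fp_filter(&fp, 25) ? "allow" : "deny",
           fp_filter(&fp, 80) ? "allow" : "deny");

    /* Constructed ruleset B: allow web, deny mail, allow everything else. */
    struct rule b[] = { { 80, ACT_ALLOW }, { 25, ACT_DENY } };
    fp_install(&fp, b, 2, ACT_ALLOW);
    printf("B: port 25 %s, port 80 %s, port 53 %s\n",
           fp_filter(&fp, 25) ? "allow" : "deny",
           fp_filter(&fp, 80) ? "allow" : "deny",
           fp_filter(&fp, 53) ? "allow" : "deny");
    return 0;
}
```

The demo is single-threaded. In a real kernel the slot that was just retired may still be in use by a CPU that read the pointer a moment earlier, so a second install must not overwrite it until those readers have finished (a grace period or reference count); that bookkeeping is omitted here to keep the switch itself visible. Four such points, input and output on each of two interfaces, give the eight resident programs the message counts for a dual-interface host.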