In some email I received from itojun@iijlab.net, sie wrote:
> 
> 
> >At present, the PFIL_HOOK code is somewhat confined to the ipv4 protocol.
> 
> 	netinet/{ip_fil.c,fil.c} is very IPv4 dependent.  Have you decided
> 	to tackle it?

Yes.  I am *not* attempting to do NAT for IPv6 (yet at least), just
firewalling.

[...]
> 	I believe using bpfilter (for packet capturing specification) is
> 	extensible and looks nice.  Userland configuration program would
> 	compile a BPF expression into BPF bytecode, and passes it down to
> 	the kernel as filtering expression.  BSDI4 is doing this.
> 	I would like to explore this direction but have no time for this yet...

I've had plans for that for some time.  When I get around to rewriting
some of the internals of ipfilter.  Mean time, hacks go in.  At the moment
not even hacks would work as hooks need to be placed properly..

darren