Subject: Why not BPF for security?
To: NetBSD Network <tech-net@netbsd.org>
From: Bryan P <u7@terran.org>
List: tech-net
Date: 04/09/2003 21:36:41
Hello,

I'm curious to know if there is a reason that the BPF interpreter in the
kernel is not also used for security purposes.  It certainly would be
simple enough to pair a (user-space) compiled BPF program with an action
(e.g. ACCEPT, DISCARD, REJECT, etc.) and evaluate a per-interface list of
these programs upon packet-input.  It would be nice to be able to use pcap
for filter expressions (symmetry with tcpdump).  I suppose it might not be
as efficient to use BPF for this, and of course it doesn't handle NAT,
stateful filtering etc., but I'm curious to know if there are other reasons
not to do it.

cheers,
-bp
--
# Software Engineer
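As an added illustration of the scheme the post sketches (this is example code written for this page, not code from the post, from NetBSD or from libpcap): a minimal classic-BPF interpreter for the handful of opcodes two rules need, a per-interface rule list in which each compiled program is paired with an ACCEPT/DISCARD/REJECT action, and a first-match evaluation loop. The opcode numbers are the standard net/bpf.h encoding but are declared locally so the file builds without pcap or kernel headers; the two programs are hand-assembled in the shape `tcpdump -dd` emits rather than copied from its output; the frames are constructed in `classify()` and are not captures. The names `bpf_run`, `evaluate`, `iface_rules`, `telnet_prog`, `ip_prog` and `classify` are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Classic BPF opcode encoding (same values as net/bpf.h), declared locally so
 * this builds without headers; only the subset the rules below use is run. */
enum { BPF_LD = 0x00, BPF_LDX = 0x01, BPF_JMP = 0x05, BPF_RET = 0x06,
       BPF_H = 0x08, BPF_B = 0x10, BPF_ABS = 0x20, BPF_IND = 0x40,
       BPF_MSH = 0xa0, BPF_JEQ = 0x10, BPF_JSET = 0x40, BPF_K = 0x00 };
struct bpf_insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
enum action { ACT_ACCEPT, ACT_DISCARD, ACT_REJECT };
/* One rule: a compiled BPF program paired with the action to take on match. */
struct rule { const struct bpf_insn *prog; size_t len; enum action act; };

/* Run a classic BPF program over one frame; non-zero means "matched".  Bad
 * loads, unknown opcodes and running off the end yield 0 (no match). */
static uint32_t bpf_run(const struct bpf_insn *p, size_t n,
                        const uint8_t *pkt, size_t plen)
{
    uint32_t A = 0, X = 0, off;
    for (size_t pc = 0; pc < n; pc++) {
        const struct bpf_insn *i = &p[pc];
        switch (i->code) {
        case BPF_LD | BPF_H | BPF_ABS:                     /* ldh [k] */
            if (plen < 2 || i->k > plen - 2) return 0;
            A = ((uint32_t)pkt[i->k] << 8) | pkt[i->k + 1]; break;
        case BPF_LD | BPF_B | BPF_ABS:                     /* ldb [k] */
            if (i->k >= plen) return 0;
            A = pkt[i->k]; break;
        case BPF_LD | BPF_H | BPF_IND:                     /* ldh [x + k] */
            off = X + i->k;
            if (off < X || plen < 2 || off > plen - 2) return 0;
            A = ((uint32_t)pkt[off] << 8) | pkt[off + 1]; break;
        case BPF_LDX | BPF_MSH | BPF_B:                    /* ldx 4*([k]&0xf) */
            if (i->k >= plen) return 0;
            X = (pkt[i->k] & 0x0f) << 2; break;
        case BPF_JMP | BPF_JEQ | BPF_K:                    /* jeq #k, jt, jf */
            pc += (A == i->k) ? i->jt : i->jf; break;
        case BPF_JMP | BPF_JSET | BPF_K:                   /* jset #k, jt, jf */
            pc += (A & i->k) ? i->jt : i->jf; break;
        case BPF_RET | BPF_K:                              /* ret #k */
            return i->k;
        default: return 0;
        }
    }
    return 0;
}

/* Hand-assembled "ip and tcp dst port 23" for Ethernet, in the shape
 * `tcpdump -dd` emits: non-IPv4, non-TCP and non-first fragments fall
 * through to "ret #0" because the port cannot be read from them. */
static const struct bpf_insn telnet_prog[] = {
    { BPF_LD  | BPF_H | BPF_ABS,  0, 0, 12 },     /* ldh [12]      ethertype */
    { BPF_JMP | BPF_JEQ | BPF_K,  0, 8, 0x0800 }, /* jeq #0x800    jf -> 10  */
    { BPF_LD  | BPF_B | BPF_ABS,  0, 0, 23 },     /* ldb [23]      protocol  */
    { BPF_JMP | BPF_JEQ | BPF_K,  0, 6, 6 },      /* jeq #6        jf -> 10  */
    { BPF_LD  | BPF_H | BPF_ABS,  0, 0, 20 },     /* ldh [20]      frag field*/
    { BPF_JMP | BPF_JSET | BPF_K, 4, 0, 0x1fff }, /* jset #0x1fff  jt -> 10  */
    { BPF_LDX | BPF_MSH | BPF_B,  0, 0, 14 },     /* ldx 4*([14]&0xf)        */
    { BPF_LD  | BPF_H | BPF_IND,  0, 0, 16 },     /* ldh [x + 16]  dst port  */
    { BPF_JMP | BPF_JEQ | BPF_K,  0, 1, 23 },     /* jeq #23       jf -> 10  */
    { BPF_RET | BPF_K,            0, 0, 65535 },  /* ret #65535    match     */
    { BPF_RET | BPF_K,            0, 0, 0 },      /* ret #0        no match  */
};
/* "ip": any IPv4 frame. */
static const struct bpf_insn ip_prog[] = {
    { BPF_LD  | BPF_H | BPF_ABS, 0, 0, 12 },
    { BPF_JMP | BPF_JEQ | BPF_K, 0, 1, 0x0800 },
    { BPF_RET | BPF_K,           0, 0, 65535 },
    { BPF_RET | BPF_K,           0, 0, 0 },
};
/* The per-interface list: first match wins, else the interface default. */
static const struct rule iface_rules[] = {
    { telnet_prog, sizeof telnet_prog / sizeof *telnet_prog, ACT_DISCARD },
    { ip_prog,     sizeof ip_prog / sizeof *ip_prog,         ACT_ACCEPT },
};

static enum action evaluate(const struct rule *r, size_t n,
                            const uint8_t *pkt, size_t plen, enum action dflt)
{
    for (size_t i = 0; i < n; i++)
        if (bpf_run(r[i].prog, r[i].len, pkt, plen))
            return r[i].act;
    return dflt;
}

/* Build a constructed 54-byte Ethernet/IPv4/TCP-shaped frame (sample input,
 * not a capture) and classify it against the interface's rule list. */
enum action classify(uint16_t ethertype, uint8_t proto,
                     uint16_t frag_field, uint16_t dport)
{
    uint8_t b[54] = {0};
    b[12] = ethertype >> 8; b[13] = ethertype & 0xff;
    b[14] = 0x45; b[17] = 40; b[22] = 64; b[23] = proto; /* IHL 5, len, TTL */
    b[20] = frag_field >> 8; b[21] = frag_field & 0xff;  /* flags + offset */
    b[26] = 10; b[29] = 1; b[30] = 10; b[33] = 2;        /* 10.0.0.1->10.0.0.2 */
    b[36] = dport >> 8; b[37] = dport & 0xff;            /* TCP dst port */
    return evaluate(iface_rules, sizeof iface_rules / sizeof *iface_rules,
                    b, sizeof b, ACT_REJECT);
}
```

With this list a TCP frame to port 23 is discarded, TCP to port 22 and UDP are accepted by the "ip" rule, and a non-IP frame (ethertype 0x0806) falls to the interface default and is rejected. Two things worth noticing, both consequences of the "no stateful filtering" caveat in the post: a non-first fragment of the telnet stream carries no port, so the port rule returns 0 and the "ip" rule accepts it, which a filter with fragment reassembly or connection state would catch; and because every out-of-bounds load is a "no match", a truncated frame matches nothing and lands on the default, so the default for such a list should be the restrictive action.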