[$] Early packet drop — and more — with BPF
The Berkeley packet filter (BPF) mechanism has been working its way into various kernel subsystems since it was rewritten and extended in 2014. There is, it turns out, great value in an in-kernel virtual machine that allows for the implementation of arbitrary policies without writing kernel code. A recent patch set pushing BPF into networking drivers shows some of the potential of this mechanism - and the difficulty of designing its integration in a way that will stand the test of time. If it is successful, it may change the way high-performance networking is done on Linux systems.