[$] BPF comes to firewalls
The Linux kernel currently supports two separate network packet-filtering mechanisms: iptables and nftables. For the last few years, it has been generally assumed that nftables would eventually replace the older iptables implementation; few people expected that the kernel developers would, instead, add a third packet filter. But that would appear to be what is happening with the newly announced bpfilter mechanism. Bpfilter may eventually replace both iptables and nftables, but there are a lot of questions that will need to be answered first.