Filter rules
- linear linked list, evaluated top to bottom for each packet (unlike netfilter's chain tree)
- rules contain parameters that match or mismatch a packet
- rules pass or block a packet
- last matching rule wins (unlike other filters); an optional 'quick' keyword aborts evaluation at that rule, so any policy can be expressed either way (personal preference)
- rules can create state; subsequent packets matching that state are passed without rule set evaluation
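As an added illustration of these evaluation semantics (example code written for this page, not pf's own code), the following toy evaluator models a linear rule list where the last matching rule wins, 'quick' aborts evaluation, and 'keep state' pass rules populate a state table that is consulted before the rule set. The `Packet`, `Rule` and `Filter` names, the simplified match parameters and the five-tuple state key are all assumptions of this model; real pf tracks considerably more per state entry. The sample traffic uses constructed documentation addresses.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Toy model of pf-style rule evaluation (added example, not pf's code):
# linear rule list, last matching rule wins, 'quick' aborts evaluation,
# and 'keep state' pass rules fill a state table consulted first.


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out"
    proto: str              # "tcp", "udp", "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # None means "any"
    proto: Optional[str] = None
    src: Optional[str] = None        # CIDR, None means "any"
    dst: Optional[str] = None
    dport: Optional[int] = None
    quick: bool = False
    keep_state: bool = False

    def matches(self, pkt: Packet) -> bool:
        """Every specified parameter must match; unspecified ones are wildcards."""
        if self.direction is not None and self.direction != pkt.direction:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


class Filter:
    def __init__(self, rules):
        self.rules = list(rules)
        self.state = set()  # simplified flow tuples (assumption of this model)

    @staticmethod
    def _keys(pkt: Packet):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return fwd, rev

    def evaluate(self, pkt: Packet):
        """Return (verdict, how) where how is 'state', 'rule N' or 'default'."""
        fwd, rev = self._keys(pkt)
        # The state table is consulted before the rule set: a packet that
        # belongs to an established flow is passed without evaluating rules.
        if fwd in self.state:
            return "pass", "state"
        winner = None
        for i, rule in enumerate(self.rules):
            if rule.matches(pkt):
                winner = i          # last match wins ...
                if rule.quick:
                    break           # ... unless the matching rule is 'quick'
        if winner is None:
            return "pass", "default"  # pf passes a packet no rule matches
        rule = self.rules[winner]
        if rule.action == "pass" and rule.keep_state:
            self.state.add(fwd)
            self.state.add(rev)     # replies match the same state entry
        return rule.action, f"rule {winner}"


def demo():
    """Same policy written both ways: default deny, SSH to one host allowed."""
    last_match = Filter([
        Rule("block"),
        Rule("pass", "in", "tcp", dst="192.0.2.10/32", dport=22, keep_state=True),
    ])
    first_match = Filter([
        Rule("pass", "in", "tcp", dst="192.0.2.10/32", dport=22,
             quick=True, keep_state=True),
        Rule("block"),
    ])
    # Constructed sample traffic (documentation addresses, not real hosts).
    syn = Packet("in", "tcp", "198.51.100.7", 40000, "192.0.2.10", 22)
    reply = Packet("out", "tcp", "192.0.2.10", 22, "198.51.100.7", 40000)
    telnet = Packet("in", "tcp", "198.51.100.7", 40001, "192.0.2.10", 23)
    results = {}
    for name, flt in (("last_match", last_match), ("first_match", first_match)):
        results[name] = [flt.evaluate(syn), flt.evaluate(reply), flt.evaluate(telnet)]
    return results


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, verdicts)
```

Both rule sets give identical verdicts for the three packets: the SSH SYN passes by rule, the reply passes from the state table without touching the rule set (in either style a plain rule lookup would have blocked it, since the pass rule is restricted to inbound traffic), and the telnet attempt is blocked. The only difference is which rule index is reported as the winner.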