Filter rules

linear linked list, evaluated top to bottom for each packet (unlike netfilter's chains tree)
rules contain parameters that match/mismatch a packet
rules pass or block a packet
last matching rule wins (except for 'quick', which aborts rule evaluation)
rules can create state, further state matching packets are passed without rule set evaluation