If BPF can be used to modify packets, can a filter be used to send packets through loopback that then come back through the same filter? Sounds like a way to bootstrap a loop.
Actually you could have stateful loops too. Make each packet duplicated at iptables and each time increment the counter. Send one to 127.0.0.1 (true, continue) and one to 127.0.0.2 (false, stop). The right answer is accepted, wrong dropped.
Actually you could have stateful loops too. Make each packet duplicated at iptables and each time increment the counter. Send one to 127.0.0.1 (true, continue) and one to 127.0.0.2 (false, stop). The right answer is accepted, wrong dropped.