> The earlier poster (Jason) is right: this *is* the way a firewall > should work -- spend your time on implementing the security policy and > let the 'compiler' worry about efficiency. But since the others don't, > it might be a good idea to go into this at some length.
Since it just does what a good system should do, what is there to go into "at length" about? Yes, other systems taught you to hand-optimise. How do we go into "don't do hand optimization" at length? It is a manual page, not a howto.