bpf(4) problems

- BPF is a subsystem of its own
  - It bypasses the network stack, tapping packets directly in the driver transmit/receive hooks.
  - It does not plug into PF
- Userland has to handle IP fragments and TCP reassembly.
  - Which is hard to do right.
- Legacy software and specific use cases only
  - Ports (Snort), dhcpd/dhclient, hostapd, tcpdump
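The fragment-handling burden on a BPF reader, as an added example that is not from the original slides: a parser that assumes a TCP header follows every IPv4 header misreads later fragments, so the reader has to classify each packet first. The names `naive_dport` and `classify_ipv4` are hypothetical, and the sample packets are constructed, start at the IPv4 header (link-layer header already stripped) and carry zeroed checksums that are not verified.

```c
#include <stddef.h>
#include <stdint.h>

/* What a BPF reader must decide for every IPv4 packet before trusting ports. */
enum frag_kind { PKT_INVALID, PKT_WHOLE, PKT_FIRST_FRAG, PKT_LATER_FRAG };

/* Naive consumer: assumes a TCP header always follows the IP header. */
static uint16_t naive_dport(const uint8_t *ip)
{
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    return (uint16_t)(ip[ihl + 2] << 8 | ip[ihl + 3]);
}

/* Fragment-aware consumer: sets *dport only when a TCP header is present. */
static enum frag_kind classify_ipv4(const uint8_t *ip, size_t len, uint16_t *dport)
{
    if (len < 20 || (ip[0] >> 4) != 4)
        return PKT_INVALID;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl)
        return PKT_INVALID;
    uint16_t ff = (uint16_t)(ip[6] << 8 | ip[7]);
    unsigned off = (ff & 0x1fff) * 8u;  /* fragment offset in bytes */
    int more = (ff & 0x2000) != 0;      /* MF (more fragments) flag */
    if (off != 0)
        return PKT_LATER_FRAG;          /* payload only; needs reassembly */
    if (ip[9] != 6 || len < ihl + 4)
        return PKT_INVALID;             /* not TCP, or ports truncated */
    *dport = (uint16_t)(ip[ihl + 2] << 8 | ip[ihl + 3]);
    return more ? PKT_FIRST_FRAG : PKT_WHOLE;
}

/* Constructed sample: first fragment (MF=1, offset 0), TCP dport 80. */
static const uint8_t frag1[] = {
    0x45,0x00,0x00,0x1c, 0x12,0x34,0x20,0x00, 0x40,0x06,0x00,0x00,
    192,0,2,1, 192,0,2,2,
    0xc0,0x00,0x00,0x50, 0x00,0x00,0x00,0x01 };
/* Constructed sample: later fragment (offset 8 bytes), payload bytes only. */
static const uint8_t frag2[] = {
    0x45,0x00,0x00,0x1c, 0x12,0x34,0x00,0x01, 0x40,0x06,0x00,0x00,
    192,0,2,1, 192,0,2,2,
    0x41,0x41,0x00,0x16, 0x41,0x41,0x41,0x41 };
```

On `frag2` the naive parser reports a destination port taken from payload bytes, while the fragment-aware one reports that no TCP header is present and the datagram must be reassembled first.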