divert-packet extensions Reinjecting packets is expensive Linux' libipq queues packets and references them by id... ...which is concerning and opens up many other problems. Userland might only need the packet headers, so we don't have to send everything. divert-packet doesn't work with "match" rules. We normally only want to send the packet to userland once. But some applications (like IPS) may have multiple matching rules. Additional control messages could do the trick.