I prefer the approach like the BSDI firewall kit where you install filter expressions into the kernel. Yes, and I would go further and say that it should use the existing bpf filter mechanism, to avoid duplicating code. If it needs to be extended, then so be it.