The Current System

input filtering and redirect to local ports
forward filtering and masquerading
output filtering

  1. Can register a set of three hooks.
  2. Hooks can return FW_BLOCK, FW_ACCEPT, FW_REJECT, FW_REDIRECT, FW_MASQUERADE or FW_SKIP.
  3. The next hook on that hook point is only called if FW_SKIP is returned.
  4. Hooks get ordered by numerical "preference".
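
A user-space C model of the dispatch rules in the list above, added here as an illustration and not taken from the kernel source. The names `fw_register`, `fw_run`, `struct fw_ops` and `struct pkt`, the sample hooks, the ascending preference order, and returning FW_SKIP when every hook skips are assumptions of this sketch.

```c
#include <stdio.h>
/* Verdict names come from the page; numeric values here are arbitrary. */
enum fw_verdict { FW_SKIP, FW_BLOCK, FW_ACCEPT, FW_REJECT, FW_REDIRECT, FW_MASQUERADE };
enum fw_point { FW_INPUT, FW_FORWARD, FW_OUTPUT, FW_NPOINTS };
struct pkt { unsigned short dport; };            /* hypothetical packet summary */
typedef enum fw_verdict (*fw_hook)(const struct pkt *);
struct fw_ops {                                  /* one registration = three hooks */
    int preference;
    fw_hook hook[FW_NPOINTS];
    struct fw_ops *next;
};
static struct fw_ops *fw_chain;                  /* kept sorted by preference */

/* Insert in ascending preference order (the direction is an assumption). */
void fw_register(struct fw_ops *ops)
{
    struct fw_ops **p = &fw_chain;
    while (*p && (*p)->preference <= ops->preference)
        p = &(*p)->next;
    ops->next = *p;
    *p = ops;
}

/* Walk one hook point; the first verdict other than FW_SKIP ends the walk. */
enum fw_verdict fw_run(enum fw_point pt, const struct pkt *k)
{
    for (struct fw_ops *o = fw_chain; o; o = o->next) {
        enum fw_verdict v = o->hook[pt] ? o->hook[pt](k) : FW_SKIP;
        if (v != FW_SKIP)
            return v;
    }
    return FW_SKIP;          /* every hook skipped; the caller's default applies */
}

/* Constructed sample hooks. */
static enum fw_verdict block_telnet(const struct pkt *k) { return k->dport == 23 ? FW_BLOCK : FW_SKIP; }
static enum fw_verdict proxy_web(const struct pkt *k) { return k->dport == 80 ? FW_REDIRECT : FW_SKIP; }
static enum fw_verdict accept_all(const struct pkt *k) { (void)k; return FW_ACCEPT; }
struct fw_ops filter = { 10, { block_telnet, NULL, NULL }, NULL };
struct fw_ops proxy  = { 20, { proxy_web, NULL, NULL }, NULL };
struct fw_ops permit = { 30, { accept_all, accept_all, accept_all }, NULL };

int main(void)
{
    struct pkt telnet = { 23 };
    fw_register(&permit); fw_register(&filter); fw_register(&proxy);
    printf("telnet on input: %d\n", fw_run(FW_INPUT, &telnet));
    return 0;
}
```

Because the first non-skip verdict ends the walk, a permissive hook registered with an earlier preference shadows every filter that sorts after it.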
