From: Steve Wise <redacted>
Date: Wed, 05 Jul 2006 12:50:34 -0500

However, iWARP devices _could_ integrate with netfilter.  For most
devices the connection request event (SYN) gets passed up to the host
driver.  So the driver can enforce filter rules then.

This doesn't work.  In order to handle things like NAT and connection
tracking properly you must even allow ESTABLISHED state packets to
pass through netfilter.

Netfilter can have rules such as "NAT port 200 to 300, leave the other
fields alone" and your suggested scheme cannot handle this.