Upon reading that patent a bit more thoroughly, I retract the comment about BPF being prior art - the virtual machine aspect is claimed as a detail, and not the main claim of the patent.
The main claim seems to be, if I understand correctly, a method (not much detailed) to take a high-level "security policy" description given by an administrator and compute from that, given knowledge about network topology and objects, detailed configuration information (called packet filter rules) for the network filtering components. netfilter and iptables do not operate on such a high level.

If you plan to develop a product providing such a method, the patent may be applicable to your product. But now I'm very sure that iptables and netfilter are not within the scope of the patent's claims. I still don't see where the patent is concerned with 'stateful inspection'.

best regards
Patrick
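To make the layering in the post concrete, here is an added toy example (not code from the thread, from netfilter, or from the patent) of the distinction being drawn: an administrator states policy in terms of named objects and services, and a separate compiler, given topology knowledge, derives the per-gateway iptables rules. The object names, addresses, interfaces and policies are constructed for illustration, and the rule format assumed is ordinary iptables syntax with the conntrack match for return traffic.

```python
"""Toy policy-to-packet-filter compiler (added illustration, not the patent's method).

The administrator writes Policy entries in terms of named objects and services.
compile_policy() resolves them against a topology table and emits the
low-level iptables rules that a netfilter host would actually load. The
topology, objects and services below are constructed sample data.
"""
from dataclasses import dataclass

# Named objects the administrator refers to (constructed sample data).
OBJECTS = {
    "internet": "0.0.0.0/0",
    "dmz_web":  "192.0.2.10/32",
    "dmz_net":  "192.0.2.0/24",
    "lan":      "10.0.0.0/24",
    "db":       "10.0.0.20/32",
}

# Service names resolved to protocol/port (constructed sample data).
SERVICES = {
    "http":     ("tcp", 80),
    "https":    ("tcp", 443),
    "postgres": ("tcp", 5432),
    "dns":      ("udp", 53),
}

# Zone membership of each object; a real tool would derive this from routing.
ZONE_OF = {
    "internet": "internet",
    "dmz_web":  "dmz_net",
    "dmz_net":  "dmz_net",
    "lan":      "lan",
    "db":       "lan",
}


@dataclass(frozen=True)
class Link:
    """Which filtering component, and which interfaces, sit between two zones."""
    gateway: str
    in_if: str
    out_if: str


# Hypothetical topology: one gateway "fw1" with three interfaces.
TOPOLOGY = {
    ("internet", "dmz_net"): Link("fw1", "eth0", "eth1"),
    ("dmz_net", "lan"):      Link("fw1", "eth1", "eth2"),
    ("lan", "internet"):     Link("fw1", "eth2", "eth0"),
}


@dataclass(frozen=True)
class Policy:
    """High-level statement: allow <service> from <src> to <dst>."""
    src: str
    dst: str
    service: str


def compile_policy(policies, objects=OBJECTS, services=SERVICES,
                   topology=TOPOLOGY, zone_of=ZONE_OF):
    """Return {gateway: [iptables command strings]} derived from the policies.

    Each gateway gets a default-deny FORWARD policy and a stateful
    return-traffic rule first, then one ACCEPT rule per policy entry that
    the gateway is on the path for. Unknown names or paths with no
    filtering component are errors rather than silently dropped.
    """
    rules = {}
    for p in policies:
        for name in (p.src, p.dst):
            if name not in objects:
                raise ValueError(f"unknown object {name!r}")
        if p.service not in services:
            raise ValueError(f"unknown service {p.service!r}")
        link = topology.get((zone_of[p.src], zone_of[p.dst]))
        if link is None:
            raise ValueError(f"no filtering component on path {p.src} -> {p.dst}")
        proto, port = services[p.service]
        gw_rules = rules.setdefault(link.gateway, [
            "iptables -P FORWARD DROP",
            "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        ])
        gw_rules.append(
            f"iptables -A FORWARD -i {link.in_if} -o {link.out_if}"
            f" -s {objects[p.src]} -d {objects[p.dst]}"
            f" -p {proto} --dport {port} -m conntrack --ctstate NEW -j ACCEPT"
        )
    return rules


if __name__ == "__main__":
    sample = [
        Policy("internet", "dmz_web", "https"),
        Policy("dmz_web", "db", "postgres"),
    ]
    for gw, cmds in compile_policy(sample).items():
        print(f"# rules for {gw}")
        print("\n".join(cmds))
```

The point of the split is the one the post makes: everything above `compile_policy` is the high-level policy and topology description, and everything it returns is what iptables itself understands. iptables consumes the output and has no notion of the input.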
