If you had spare network ports you could take the incoming feed, bridge it to another port (filtering statelessly and if-bound), then loopback the second port to a third port and do the normal filtering there...
I wonder if it would be possible to do similar with bridge+vether; IIRC Reyk posted a diff a while ago which allowed some kind of internal cross-connect between devices, which might be useful for such a thing. It's all rather messy, though given what you're trying to do, a certain degree of mess is expected ;).
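A sketch of the two-stage layout from the first paragraph (stateless, if-bound filtering on the bridged pair, then normal stateful filtering on the third port), as an added example that is not part of the original post. Interface names em0 through em3, the physical loopback cable between em2 and em3, and the address and port values are assumptions; the stateless stage uses pf's `no state` rules and `set state-policy if-bound`, the stateful stage uses ordinary `keep state` defaults.

```conf
# /etc/hostname.bridge0 (assumed layout): em0 carries the incoming feed,
# em1 is the bridge's other member; em1 is cabled externally to em2.
add em0
add em1
up

# /etc/pf.conf (assumed addresses): stage one filters statelessly on the
# bridge members, stage two does normal stateful filtering on em3, which
# is where the loopback cable from em2 terminates.
feed_if  = "em0"
xover_if = "em1"
stage2_if = "em3"
inside_net = "192.0.2.0/24"   # constructed example network

set state-policy if-bound     # states, where created, are tied to one interface
set skip on lo0

# Stage one: stateless sanity filtering on the bridged pair only.
# Nothing here creates state, so the bridge adds no state-table load.
block in quick on $feed_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } no state
pass on { $feed_if, $xover_if } no state

# Stage two: the usual stateful policy on the third port.
block all
pass in on $stage2_if proto tcp to $inside_net port { 22, 443 } keep state
pass out on $stage2_if keep state
```

Because pf evaluates rules on each bridge member separately, the `no state` rules on em0 and em1 keep the first stage purely packet-by-packet; only traffic that reaches em3 through the cable is subjected to the stateful rule set, which is the separation the post is after.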