The ipf routines expect an IP packet to be passed to them, but the bridge operates in terms of ethernet frames. The ethernet header is examined to determine whether the frame contains an IP packet. Since there are two possible encapsulation methods for IP over ethernet, both must be examined and the appropriate amount of header information must be copied and removed from the frame, leaving the IP data intact. The resulting packet is passed to ipf, which either drops the packet or returns it. Packets that are not filtered have their ethernet headers re-attached and are finally forwarded as determined by the bridge. Using this approach, we avoided having to modify ipf code at all.