Binding iptables rules to the port (network device) instead of intercepting on the protocol stack

Source: Internet
Author: User

Is it necessary to redesign the location of Netfilter's hook points? Undoubtedly this is pointless, because you cannot prove that a new design is better. But you can look at how another platform solves the same problem, in a way that differs from Netfilter's. In fact, I am that kind of person.
A Cisco ACL is compiled onto a port; in fact, a network port on a Cisco device can be given a defined role. The Linux concept is completely different: the Linux kernel regards role definition as the responsibility of user space. A complete packet-interception mechanism that does not depend on user-space configuration must therefore intercept on the protocol stack path. In other words, Netfilter intercepts and processes packets based entirely on the skb itself, as the parameters of the NF_HOOK macro show. But the same macro shows that Netfilter also carries two net_device parameters, in and out, and on that basis we can follow the Cisco approach and bind rules to a device. This has a clear advantage and can greatly improve efficiency: in stock iptables every packet entering a hook walks the chain until a rule matches, so a rule written with -i eth0 is still evaluated against packets that arrived on other interfaces. If 10000 rules are configured, packets arriving on an unrelated network port should not have to pass through the iptables rules at all.
Only a few places need to change. Only the modification to ipt_hook is given here; it is the hook used for the LOCAL_IN and FORWARD paths, where the ingress device in is set. The LOCAL_OUT hook of iptable_filter is a separate function in which in is NULL, so there the same lookup would have to be keyed on out instead.

    /* Replaces ipt_hook() in net/ipv4/netfilter/iptable_filter.c. */

    /* One entry per network device: the filter table bound to that device. */
    struct netns_table_per_dev {
        struct list_head list;
        struct net_device *dev;
        struct xt_table *table;
    };

    /*
     * dev_net(in)->ipv4.iptable_filter is no longer a single xt_table;
     * it now points at a wrapper holding the list of per-device tables.
     */
    struct wrap_table {
        struct list_head *tb_list;
    };

    static unsigned int
    ipt_hook(unsigned int hook,
             struct sk_buff *skb,
             const struct net_device *in,
             const struct net_device *out,
             int (*okfn)(struct sk_buff *))
    {
        struct wrap_table *wt =
            (struct wrap_table *)dev_net(in)->ipv4.iptable_filter;
        struct netns_table_per_dev *table_dev;
        struct xt_table *table = NULL;
        struct list_head *pos;

        /* Find the table bound to the device the packet arrived on. */
        list_for_each(pos, wt->tb_list) {
            table_dev = list_entry(pos, struct netns_table_per_dev, list);
            if (table_dev->dev == in) {
                table = table_dev->table;
                break;
            }
        }

        /* No table bound to this device: nothing to filter, let it through. */
        if (table == NULL)
            return NF_ACCEPT;

        return ipt_do_table(skb, hook, in, out, table);
    }
One approach intercepts on the protocol stack path, the other intercepts on the device. The change is rather drastic: it overturns the existing model, and I wonder whether it will leave side effects.
In any case, one must not lose one's way.
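To make the efficiency argument concrete, here is an added user-space C model of the two dispatch strategies. It is illustrative code written for this page, not kernel code and not the patch above: the rule, packet and chain structures are hypothetical stand-ins for ipt_entry, skb and xt_table, and the 10000-rule chain is constructed inline. It counts how many rules a packet visits under the stock single-table walk and under a per-device binding list like the patch's netns_table_per_dev.

```c
/*
 * Added user-space model of the two dispatch strategies discussed in the post.
 * Illustrative code only, not kernel code and not the original patch: rule and
 * packet are hypothetical stand-ins for ipt_entry and skb, and the sample
 * chain is constructed here.
 */
#include <stdio.h>
#include <stdlib.h>

#define NF_DROP   0
#define NF_ACCEPT 1

/* Hypothetical minimal rule: ingress ifindex and destination port, -1 = any. */
struct rule   { int in_ifindex; int dport; unsigned verdict; };
struct packet { int in_ifindex; int dport; };
/* A chain of rules plus the policy applied when nothing matches. */
struct chain  { struct rule *rules; size_t n; unsigned policy; };
/* Verdict for a packet and how many rules were looked at to reach it. */
struct result { unsigned verdict; size_t evaluated; };

/* Stock model: one table per netns, every packet walks it until a rule matches. */
static struct result flat_verdict(const struct chain *c, const struct packet *p)
{
    struct result r = { c->policy, 0 };

    for (size_t i = 0; i < c->n; i++) {
        const struct rule *rule = &c->rules[i];
        r.evaluated++;
        if (rule->in_ifindex != -1 && rule->in_ifindex != p->in_ifindex)
            continue;
        if (rule->dport != -1 && rule->dport != p->dport)
            continue;
        r.verdict = rule->verdict;
        break;
    }
    return r;
}

/* Per-device model, mirroring netns_table_per_dev in the patch. */
struct dev_binding { int ifindex; const struct chain *chain; const struct dev_binding *next; };

static struct result per_dev_verdict(const struct dev_binding *bindings, const struct packet *p)
{
    for (const struct dev_binding *b = bindings; b; b = b->next)
        if (b->ifindex == p->in_ifindex)
            return flat_verdict(b->chain, p);
    /* No table bound to the ingress device: accepted without filtering, as in the patch. */
    return (struct result){ NF_ACCEPT, 0 };
}

/* Constructed sample: n rules, all for ifindex 2, each dropping one destination port. */
static struct chain build_chain(size_t n)
{
    struct chain c = { calloc(n, sizeof(struct rule)), 0, NF_ACCEPT };

    if (!c.rules)
        return c;
    c.n = n;
    for (size_t i = 0; i < n; i++) {
        c.rules[i].in_ifindex = 2;
        c.rules[i].dport = 1000 + (int)i;
        c.rules[i].verdict = NF_DROP;
    }
    return c;
}

/* Run one packet through each model with an n-rule chain bound to ifindex 2. */
static struct result run_flat(size_t n, int in_ifindex, int dport)
{
    struct chain c = build_chain(n);
    struct packet p = { in_ifindex, dport };
    struct result r = flat_verdict(&c, &p);
    free(c.rules);
    return r;
}

static struct result run_per_dev(size_t n, int in_ifindex, int dport)
{
    struct chain c = build_chain(n);
    struct dev_binding b = { 2, &c, NULL };
    struct packet p = { in_ifindex, dport };
    struct result r = per_dev_verdict(&b, &p);
    free(c.rules);
    return r;
}

int main(void)
{
    struct result a = run_flat(10000, 3, 1500), b = run_per_dev(10000, 3, 1500);
    struct result c = run_flat(10000, 2, 1500), d = run_per_dev(10000, 2, 1500);

    printf("ifindex 3 (unbound): flat walked %zu rules, per-device walked %zu\n", a.evaluated, b.evaluated);
    printf("ifindex 2 (bound):   flat walked %zu rules, per-device walked %zu, verdict %s\n",
           c.evaluated, d.evaluated, d.verdict == NF_DROP ? "DROP" : "ACCEPT");
    return 0;
}
```

A packet from the unbound device visits all 10000 rules in the flat model and none in the per-device model; a packet from the bound device costs the same in both, since the bound table still has to be walked. Two caveats for anyone tempted to carry this into a real kernel. First, the per-device lookup here, like the list_for_each in the patch, is itself a linear walk over bound devices, so with many interfaces the table pointer belongs on the net_device or in a hash rather than in a list. Second, returning NF_ACCEPT for a device with no bound table is a fail-open default: any interface the operator forgets to bind is unfiltered. Much of the traversal saving is also available in stock iptables without kernel changes, by placing one -i ethX -j CHAIN_X jump per interface at the top of the built-in chain so that packets from other interfaces pass only those few jump rules.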
