I'm curious if the performance and simplicity of this isn't the same as creating a virtual interface and bridging it to your real interface and then simply setting all the rules on that virtual interface. Then your service just binds to that virtual interface and everything simply looks the same as any other virtual network.