Network stacks have traditionally been a part (a large part, in fact) of Unix kernels. Their structure is outside the scope of this course, but we looked at a few sketches of how they work. For more, "Understanding Linux Network Internals" by Christian Benvenuti is a good source; also, search online for Linux network internals tutorials.

The Berkeley Packet Filter: http://www.tcpdump.org/papers/bpf-usenix93.pdf (try "tcpdump -d" for bytecode corresponding to various filters; see https://blog.cloudflare.com/bpf-the-forgotten-bytecode/ for how BPF is used in their business).

The Linux IPtables/Netfilter system: We looked at the overview slides 5--9 for Netfilter in Joanna Rutkowska's http://www.cs.dartmouth.edu/~sergey/netreads/joanna-rutkowska-passive-covert-channels-slides.pdf (see also http://www.cs.dartmouth.edu/~sergey/netreads/joanna-rutkowska-passive-covert-channels-paper.pdf for how she used it to create a covert channel in the Linux protocol stack).

Netfilter is a marvellous piece of systems architecture. Start with http://www.netfilter.org/documentation/HOWTO/netfilter-hacking-HOWTO-3.html and read through

http://www.netfilter.org/documentation/HOWTO//networking-concepts-HOWTO.html
http://www.netfilter.org/documentation/HOWTO//packet-filtering-HOWTO.html

and http://www.netfilter.org/documentation/HOWTO/netfilter-hacking-HOWTO.html in http://www.netfilter.org/documentation/ (which has many more tutorials and links).

In a nutshell, thanks to Netfilter (and the IPRoute2 package) your Linux box is already an advanced router, a firewall, and a traffic-analysis appliance. It is limited only by its commodity networking hardware; expensive $10K+ professional gear can handle more packets per second, but may, in fact, offer fewer packet-handling features.
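
To make the BPF bytecode mentioned above concrete, here is an added example (not from these notes or the cited papers): a minimal classic-BPF interpreter in C that runs a constructed filter for IPv4 TCP traffic to port 80, written in the listing notation "tcpdump -d" prints. The opcode numbers are the standard classic BPF encodings; the program, the sample frame and the names insn, prog, frame and bpf_run are constructed for illustration, and only the seven opcodes this filter uses are modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One classic BPF instruction: the four fields tcpdump -dd prints. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
/* Constructed filter: IPv4, TCP, not a later fragment, dst port 80. */
static const struct insn prog[] = {
    { 0x28, 0, 0, 12 },     /* (000) ldh  [12]           EtherType      */
    { 0x15, 0, 8, 0x800 },  /* (001) jeq  #0x800  jt 2  jf 10           */
    { 0x30, 0, 0, 23 },     /* (002) ldb  [23]           IP protocol    */
    { 0x15, 0, 6, 6 },      /* (003) jeq  #0x6    jt 4  jf 10           */
    { 0x28, 0, 0, 20 },     /* (004) ldh  [20]           frag offset    */
    { 0x45, 4, 0, 0x1fff }, /* (005) jset #0x1fff jt 10 jf 6            */
    { 0xb1, 0, 0, 14 },     /* (006) ldxb 4*([14]&0xf)   X = IP hdr len */
    { 0x48, 0, 0, 16 },     /* (007) ldh  [x + 16]       TCP dst port   */
    { 0x15, 0, 1, 80 },     /* (008) jeq  #0x50   jt 9  jf 10           */
    { 0x06, 0, 0, 262144 }, /* (009) ret  #262144        accept         */
    { 0x06, 0, 0, 0 },      /* (010) ret  #0             drop           */
};

/* Constructed frame: Ethernet, IPv4 (IHL 5, DF set, TCP), TCP ports only. */
static const uint8_t frame[] = {
    0,0,0,0,0,1, 0,0,0,0,0,2, 0x08,0x00, 0x45,0,0,40, 0,0,0x40,0, 64,6,0,0,
    192,0,2,1, 192,0,2,2, 0xc0,0x00, 0x00,0x50,  /* sport 49152, dport 80 */
};

/* Returns bytes to capture, 0 = drop; a load past the packet end drops it. */
uint32_t bpf_run(const struct insn *p, size_t n, const uint8_t *pkt, size_t len)
{
    uint32_t A = 0, X = 0;                  /* accumulator, index register */
    for (size_t pc = 0; pc < n; pc++) {
        const struct insn *i = &p[pc];
        uint64_t off = (uint64_t)i->k + (i->code == 0x48 ? X : 0);
        switch (i->code) {
        case 0x28: case 0x48:                        /* ldh [k], ldh [x+k] */
            if (off + 2 > len) return 0;
            A = (uint32_t)pkt[off] << 8 | pkt[off + 1]; break;
        case 0x30: if (off >= len) return 0; A = pkt[off]; break;   /* ldb */
        case 0xb1: if (off >= len) return 0; X = 4u * (pkt[off] & 0x0f); break;
        case 0x15: pc += (A == i->k) ? i->jt : i->jf; break;       /* jeq  */
        case 0x45: pc += (A & i->k) ? i->jt : i->jf; break;        /* jset */
        case 0x06: return i->k;                                    /* ret  */
        default:   return 0;                /* opcode not modelled here */
        }
    }
    return 0;                               /* fell off the end: drop */
}

int main(void) { printf("%u\n", bpf_run(prog, sizeof prog / sizeof prog[0], frame, sizeof frame)); return 0; }
```

The jt/jf fields are offsets relative to the next instruction, which is why the listing's "jf 10" at instruction 1 is encoded as 8.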