I was measuring bridging/routing performance and noticed this.
The current code runs the "all packet" type handlers before calling the
bridge hook. If an application (like some DHCP clients) is using AF_PACKET,
this means that each received packet gets run through the Berkeley Packet Filter
code in sk_run_filter (slow).
By moving the bridging hook to run first, the packets flowing through
the bridge get filtered out there. This results in a 14%
improvement in performance, but it does mean that some snooping applications
would miss packets if being used on a bridge. The correct way to see all
packets on a bridge is to set the bridge pseudo-device to promiscuous