One more thing to add to this, when working with another bpf filter which is relatively similar to this simple one (although has some more innocuous looking code like map lookups and read-only operations on the skb) sometimes the attached is suddenly and repeatedly sent to both syslog and kern.log until the disk fills up...