The Filtering Module (Cont.) For each system call, 2 sets of rules are kept - 'before' rules, and 'after' rules. 'before' rules are checked right before invoking the system call. Thus, they could be used to disallow the syscall from being executed, or even alter parameters sent to the system call. 'after' rules are checked right after the syscall returns, and before returning to the user. They allow checking and logging the syscall's return value, altering this return value, and so on.