
What is the exact relationship between BPF filters in a single chain


I have a network interface $dev which already had a BPF filter attached to a special qdisc ingress (with pref 1 and direct-action). I have added another one (with pref 2). tc filter show dev $dev ingress reports the following:

filter protocol all pref 1 bpf chain 0 
filter protocol all pref 1 bpf chain 0 handle 0x1 some.o:[some-section] direct-action \
  not_in_hw id ... tag ... jited 
filter protocol all pref 2 bpf chain 1 
filter protocol all pref 2 bpf chain 1 handle 0x1 other.o:[other-section] \
  not_in_hw id ... tag ... jited

What is the relationship between chained filters in such a case: Will the secondary one (i.e. mine) always see the same traffic as the first or does it depend on what the first one has returned, esp. given that it uses direct-action? I suspect the second is true but am not yet certain.


Solution

  • What the second BPF program in the chain sees depends on what the first returns. You can read that logic in cls_bpf_classify().
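
A simplified userspace model of the walk the answer points to, added here as an illustration and not taken from the kernel or from the original answer. It assumes two direct-action programs in one chain, both run in software; prog_fn, second_ran and the ret_* programs are hypothetical names, and goto-chain, non-direct-action and hardware-offload paths are left out.

```c
#include <stdio.h>

/* Verdict values as defined in linux/pkt_cls.h. */
enum { TC_ACT_UNSPEC = -1, TC_ACT_OK = 0, TC_ACT_SHOT = 2, TC_ACT_PIPE = 3,
       TC_ACT_STOLEN = 4, TC_ACT_REDIRECT = 7, TC_ACT_TRAP = 8 };

typedef int (*prog_fn)(void);  /* hypothetical stand-in for a BPF program */
static int last_verdict;       /* verdict of the most recent walk */

/* Follows cls_bpf_exec_opcode(): codes outside this set become UNSPEC. */
static int exec_opcode(int code)
{
    switch (code) {
    case TC_ACT_OK: case TC_ACT_SHOT: case TC_ACT_STOLEN:
    case TC_ACT_TRAP: case TC_ACT_REDIRECT: case TC_ACT_UNSPEC:
        return code;
    default:
        return TC_ACT_UNSPEC;
    }
}

/* Walk pref 1 then pref 2 for one packet; return 1 if pref 2 ran. */
static int second_ran(prog_fn first, prog_fn second)
{
    prog_fn progs[2] = { first, second };
    int ran[2] = { 0, 0 };

    last_verdict = TC_ACT_UNSPEC;
    for (int i = 0; i < 2; i++) {
        ran[i] = 1;
        last_verdict = exec_opcode(progs[i]());
        if (last_verdict != TC_ACT_UNSPEC)
            break;             /* final verdict: later filters are skipped */
    }
    return ran[1];
}

/* Constructed sample programs. */
static int ret_ok(void)     { return TC_ACT_OK; }
static int ret_unspec(void) { return TC_ACT_UNSPEC; }
static int ret_shot(void)   { return TC_ACT_SHOT; }
static int ret_pipe(void)   { return TC_ACT_PIPE; }

int main(void)
{
    printf("first=OK     second ran: %d\n", second_ran(ret_ok, ret_shot));
    printf("first=UNSPEC second ran: %d\n", second_ran(ret_unspec, ret_shot));
    printf("first=PIPE   second ran: %d\n", second_ran(ret_pipe, ret_shot));
    return 0;
}
```

In this model a monitoring or enforcement program attached at pref 2 only runs for packets on which the pref 1 program returns TC_ACT_UNSPEC or a code that is mapped to it; a TC_ACT_OK or TC_ACT_SHOT from pref 1 ends the walk before pref 2 is reached.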