The "chain" already exists.  DVFilter, sw-sec, and VMware-sfw (which is the Distributed Firewall) operate in that chain in slots 0-3.  3rd party products integrate into slots 4-11.  New 3rd party services typically leverage security tags, security groups and security policies, available in NSX's Security Composer, to define the traffic which which the service will be applied.  Changes to assignment of security tags, membership of security groups, and associated policies take effect immediately upon application, without the need to restart the traffic flow.