On 27/09/10 21:25, Eric Paris wrote:
> I see it as having 3 options. Let's assume we have a packet with
> selinux sid=121 and selinux context=packet_t. We can
>
> 1) secmark=121 secctx=packet_t
> This continues to send secmark like we do and people might continue to
> be baffled by the 121.
>
> 2) secmark=1 secctx=packet_t
> This sends a secmark field to userspace so if an application which
> reads this exists (I doubt such an application actually exists in the
> real world) it will still get all of the information it got before but
> no one will be baffled by what the number means. 1/0 is pretty obvious.

In netlink, we can obsolete fields without breaking backward compatibility. Applications parsing the /proc entry may break, but they should use stable interfaces (like netlink) instead.

BTW, if we finally stop including CTA_SECMARK in netlink messages, please add a small comment on the right of the definition in nfnetlink_conntrack.h (something like /* obsolete */ or /* unused */).

Thanks!
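The compatibility argument in the reply rests on netlink attributes being self-describing type/length/value records: a consumer walks the attributes it receives and skips types it does not know, so dropping CTA_SECMARK from a message leaves a reader that also understands CTA_SECCTX working. The following is an added example written for this page, not code from the thread, the kernel or libnetfilter_conntrack. It builds two constructed conntrack attribute streams (one carrying CTA_SECMARK plus a nested CTA_SECCTX/CTA_SECCTX_NAME, one with CTA_SECCTX only) and parses both with the same walker. The numeric attribute values (CTA_SECMARK = 17, CTA_SECCTX = 19, CTA_SECCTX_NAME = 1) are assumptions taken from memory of nfnetlink_conntrack.h and should be checked against the header before being relied on; the sample values 121 and packet_t are the ones from Eric's message.

```c
/* Added example, not part of the original thread. Minimal netlink
 * attribute (TLV) walker demonstrating why obsoleting CTA_SECMARK is
 * a backward-compatible change for netlink consumers. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct nlattr { uint16_t nla_len; uint16_t nla_type; };

#define NLA_ALIGNTO 4
#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(size_t)(NLA_ALIGNTO - 1))
#define NLA_HDRLEN ((size_t)NLA_ALIGN(sizeof(struct nlattr)))

/* Assumed attribute numbers; verify against nfnetlink_conntrack.h. */
enum { CTA_SECMARK = 17, CTA_SECCTX = 19 };
enum { CTA_SECCTX_NAME = 1 };

struct ct_security {
    int has_secmark; uint32_t secmark;
    int has_secctx;  char secctx[64];
};

/* Walk a run of attributes. Unknown or obsolete types are skipped,
 * which is what makes dropping an attribute a compatible change.
 * Returns 0 on success, -1 on a malformed (truncated/oversized) record. */
static int parse_secattrs(const uint8_t *buf, size_t len, struct ct_security *out)
{
    size_t off = 0;
    memset(out, 0, sizeof *out);
    while (off + sizeof(struct nlattr) <= len) {
        struct nlattr a;
        memcpy(&a, buf + off, sizeof a);
        if (a.nla_len < sizeof(struct nlattr) || off + a.nla_len > len)
            return -1;
        const uint8_t *payload = buf + off + NLA_HDRLEN;
        size_t plen = a.nla_len - NLA_HDRLEN;

        if (a.nla_type == CTA_SECMARK) {
            if (plen != sizeof(uint32_t)) return -1;
            memcpy(&out->secmark, payload, sizeof out->secmark);
            out->has_secmark = 1;
        } else if (a.nla_type == CTA_SECCTX) {
            /* Nested attribute: look for CTA_SECCTX_NAME inside it. */
            size_t noff = 0;
            while (noff + sizeof(struct nlattr) <= plen) {
                struct nlattr n;
                memcpy(&n, payload + noff, sizeof n);
                if (n.nla_len < sizeof(struct nlattr) || noff + n.nla_len > plen)
                    return -1;
                if (n.nla_type == CTA_SECCTX_NAME) {
                    size_t slen = n.nla_len - NLA_HDRLEN;   /* includes NUL */
                    if (slen == 0) return -1;
                    if (slen > sizeof out->secctx) slen = sizeof out->secctx;
                    memcpy(out->secctx, payload + noff + NLA_HDRLEN, slen);
                    out->secctx[slen - 1] = '\0';          /* always terminated */
                    out->has_secctx = 1;
                }
                noff += NLA_ALIGN(n.nla_len);
            }
        }
        /* any other type: ignored, exactly like an obsolete field would be */
        off += NLA_ALIGN(a.nla_len);
    }
    return 0;
}

/* Append one attribute with 4-byte alignment padding; returns new offset. */
static size_t put_attr(uint8_t *buf, size_t off, uint16_t type, const void *data, size_t dlen)
{
    struct nlattr a = { (uint16_t)(NLA_HDRLEN + dlen), type };
    memcpy(buf + off, &a, sizeof a);
    memcpy(buf + off + NLA_HDRLEN, data, dlen);
    memset(buf + off + NLA_HDRLEN + dlen, 0, NLA_ALIGN(a.nla_len) - a.nla_len);
    return off + NLA_ALIGN(a.nla_len);
}

/* Constructed message: optional CTA_SECMARK=121, then a nested CTA_SECCTX
 * holding CTA_SECCTX_NAME="packet_t". Returns the total length. */
static size_t build_message(uint8_t *buf, int include_secmark)
{
    size_t off = 0;
    uint32_t sid = 121;
    if (include_secmark)
        off = put_attr(buf, off, CTA_SECMARK, &sid, sizeof sid);
    size_t nest_start = off;
    off += NLA_HDRLEN;                          /* reserve the nest header */
    off = put_attr(buf, off, CTA_SECCTX_NAME, "packet_t", sizeof "packet_t");
    struct nlattr nest = { (uint16_t)(off - nest_start), CTA_SECCTX };
    memcpy(buf + nest_start, &nest, sizeof nest);
    return off;
}

int main(void)
{
    uint8_t buf[64];
    struct ct_security s;
    for (int with_secmark = 1; with_secmark >= 0; with_secmark--) {
        size_t n = build_message(buf, with_secmark);
        if (parse_secattrs(buf, n, &s) != 0) { puts("malformed"); return 1; }
        printf("secmark=%s%u secctx=%s\n", s.has_secmark ? "" : "(absent) ",
               s.secmark, s.has_secctx ? s.secctx : "(absent)");
    }
    return 0;
}
```

The same walker accepts both streams because presence is discovered from the type field rather than assumed from position; a /proc line parser that matches on a fixed `secmark=` column has no such escape hatch, which is the reply's point about using netlink instead.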