Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> > There is the skb extension infra, does that work for you?
>
> I was hopeful that when the skb_ext capability was introduced we might
> be able to use it for the LSM(s), but when I asked netdev if they
> would be willing to accept patches to leverage the skb_ext
> infrastructure I was told "no".

I found https://lore.kernel.org/netdev/CAHC9VhSz1_KA1tCJtNjwK26BOkGhKGbPT7v1O82mWPduvWwd4A@xxxxxxxxxxxxxx/#r and from what I gather from your comments and those of Casey I think skb extensions are the correct thing for this (i.e., it needs netlabel/secid config/enablement, so it typically won't be active on a distro kernel by default).

It certainly makes more sense to me than doing lookups in a hashtable based on an ID (I tried to do that to get rid of the skb->nf_bridge pointer years ago and I could not figure out how to invalidate an entry without adding a new skb destructor callback).