> Nice, you probably want to keep the application/kernel tag name spaces
> distinct though. Otherwise it would be easy for any local user/program
> to mess with pf.conf generated tags and bypass filtering etc. It could
> be as easy as adding a prefix ("APP_" ?) to all application generated
> tags.
>
>
> Can
>
I'm not sure if this is necessary. If a user tag his pakets via
pf.conf there is no need, so why should it be diffrent via
socketoption. However, should be there a reasson, I would recommend to
do this with kernel-tags ("KERNEL_"), or to mention a recommendation
for setting tags via setsockopt with (for example "APP_").
If I'm wrong with my thoughts, its not to hard to change that. :)
