> Hey
>
> so now I changed the tagging from tcp_output to ip_output.
> I also put a pf_tag_unref into so_free and sosetopt (in case there
> is already a tag set).
> I couldn't see a reason for a pf_tag_unref in so_accept because
> the socket could be reused.
> Thanks to Henning for the ideas!
> Any further ideas? I'm in a good run :)

Nice, you probably want to keep the application/kernel tag name spaces distinct though. Otherwise it would be easy for any local user/program to mess with pf.conf generated tags and bypass filtering etc. It could be as easy as adding a prefix ("APP_" ?) to all application generated tags.

Can
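The namespace separation suggested in the reply, sketched as an added C example (not OpenBSD's pf or socket code; pf_rule_tag, app_socket_tag and the tag table are hypothetical names): an application can only ever obtain an "APP_"-prefixed tag, so it cannot alias a tag that a pf.conf rule matches on.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical sketch, not OpenBSD's pf or socket code: a small tag table
 * where tags requested by applications (e.g. via setsockopt) are always
 * stored under an "APP_" prefix, so a local program can never obtain the
 * tag id that a pf.conf rule matches on. */
#define APP_TAG_PREFIX "APP_"
#define MAX_TAGS 16
#define TAG_NAME_LEN 64
static char tag_names[MAX_TAGS][TAG_NAME_LEN];
static int tag_count;

/* Find or create a tag by its full (already namespaced) name.
 * Returns a 1-based tag id, or 0 if the table is full or the name too long. */
static int tag_lookup(const char *name)
{
    for (int i = 0; i < tag_count; i++)
        if (strcmp(tag_names[i], name) == 0)
            return i + 1;
    if (tag_count == MAX_TAGS || strlen(name) >= TAG_NAME_LEN)
        return 0;
    strcpy(tag_names[tag_count], name);
    return ++tag_count;
}
/* Tags named in pf.conf rules live in the bare namespace. */
int pf_rule_tag(const char *name)
{
    return tag_lookup(name);
}
/* Application requests are forced into the APP_ namespace: the caller's
 * string is never used verbatim, so asking for "trusted" yields
 * "APP_trusted" and cannot alias the ruleset's "trusted" tag. */
int app_socket_tag(const char *requested)
{
    char full[TAG_NAME_LEN];
    if (requested == NULL || requested[0] == '\0')
        return 0;
    if (snprintf(full, sizeof full, APP_TAG_PREFIX "%s", requested) >= (int)sizeof full)
        return 0; /* would be truncated: refuse rather than risk an alias */
    return tag_lookup(full);
}
int main(void)
{
    int rule = pf_rule_tag("trusted"), app = app_socket_tag("trusted");
    printf("rule tag %d, app tag %d, distinct: %d\n", rule, app, rule != app);
    return 0;
}
```

An administrator who really wants a rule to match application-set tags writes the prefixed name ("APP_trusted") in pf.conf explicitly, so the choice stays with the ruleset rather than the program.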