I just noticed that the IPsec auditing code does not appear to audit the netmask for the selector source and destination addresses in xfrm_audit_common_policyinfo(). Before I threw a patch together I thought I would check to see if there was a reason for this that I am missing ... -- paul moore linux security @ hp