> We are seeking opinions.
nfmark has the advantage that the routing code knows about it and can manage
the destination cache based on it (very useful for pmtu management)
security is basically on its way out; it was for a never completely merged
ipsec implementation from the fi/sinus firewalls guys and is largely bitrotted
now (e.g. a lot of stack modules won't maintain it correctly anymore and
probably never have)
If you wanted to use it you would need to fix it first.
->cb is free for your use as long as you have the skb queued privately,
but it'll be destroyed as soon as you give it away. I don't understand
your 64k comment.
I would recommend to use nfmark. as far as I can see you'll need destination
cache support anyways, and it gets you that for free.