Hi, guys! I have a question regarding the use of check_ack() in audit_send(). Every message sent from auditd to the kernel through audit_send() is flagged with NLM_F_ACK. That flag tells the kernel to reply with an ACK, which will then be expected to be read by check_ack(), right after audit_send's call to sendto(). check_ack() just attempts to read nonblocking and, if it succeeds doing so, it's guaranteed that the kernel received our message. However, since netlink is a connectionless socket, once cannot infer that the lack of an ACK means that the kernel didn't receive that message. Similarly, in a very stressed system, one can just get -ENOBUFS when attempting to get a reply, even though sendto() succeeded sending the original message. So, at least in a scenario where Audit is a key component and performance matters, wouldn't it make sense to just remove NLM_F_ACK from outgoing messages and just let audit_send() use the return value from sendto() to tell if the message has been sent instead? I'm planning to test this change in a pretty I/O intensive server over the next week, but I'd really like to hear your comments on this before I proceed. Thank you very much! Lucas