Hello,
Dustin and I were talking about how to represent some new operators for
writing audit rules. I am interested in seeing >, <, and range added at a
minimum. The question came up as to how to fit this into the existing
audit_rule structure. This is what we currently have:
    struct audit_rule {		/* for AUDIT_LIST, AUDIT_ADD, and AUDIT_DEL */
    	__u32 flags;		/* AUDIT_PER_{TASK,CALL}, AUDIT_PREPEND */
    	__u32 action;		/* AUDIT_NEVER, AUDIT_POSSIBLE, AUDIT_ALWAYS */
    	__u32 field_count;
    	__u32 mask[AUDIT_BITMASK_SIZE];
    	__u32 fields[AUDIT_MAX_FIELDS];
    	__u32 values[AUDIT_MAX_FIELDS];
    };
The fields member currently uses the msb to determine whether it's = or !=.
    #define AUDIT_NEGATE 0x80000000
I was wondering if we should go ahead and map the other operators into the
other high bits. We are currently only using the lower 4 bits of the u32 word
so we have plenty of room. We have to do this in a way that is backward
compatible for old kernels. Any ideas? Any preferred bit patterns?
Also, we have the issue of needing to send 2 values for a range operator. How
should we make the kernel understand this? Or should we create a new message
type for adding, listing, and deleting rules that we can expand the idea of
operators for and use the current one for legacy compatibility?
Need some ideas from the kernel hackers....
-Steve
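One way to lay out the high bits Steve is asking about, as an added C example that is not from this thread or from the audit project: operator codes sit in the three bits just below AUDIT_NEGATE, code 0 means "equal" so a legacy rule (field id only, maybe with AUDIT_NEGATE) decodes to exactly what it meant before, and a range is carried in two consecutive fields[]/values[] slots, so the message type does not change. The operator bit values, the 4-bit field-id width, AUDIT_FIELD_MAX, the array sizes and all helper names are assumptions made for this example, not what the kernel adopted; the validate routine is the check a receiving kernel would have to run before installing such a rule.

```c
#include <stdbool.h>
#include <stdint.h>

/* Sizes are placeholders for the example; the real ones come from linux/audit.h. */
#define AUDIT_BITMASK_SIZE 64
#define AUDIT_MAX_FIELDS   64
#define AUDIT_FIELD_MAX    16          /* assumed: field ids live in the low 4 bits */
#define AUDIT_FIELD_MASK   0x0000000fu

/* Existing encoding from the message: msb flips = into !=. */
#define AUDIT_NEGATE       0x80000000u

/* Hypothetical operator encoding: bits 28..30, just below NEGATE.
 * Code 0 is "equal", so old rules that never set these bits still mean =/!=. */
#define AUDIT_OP_SHIFT     28
#define AUDIT_OP_MASK      (0x7u << AUDIT_OP_SHIFT)
#define AUDIT_OP_EQ        (0x0u << AUDIT_OP_SHIFT)
#define AUDIT_OP_LT        (0x1u << AUDIT_OP_SHIFT)
#define AUDIT_OP_GT        (0x2u << AUDIT_OP_SHIFT)
#define AUDIT_OP_RANGE     (0x3u << AUDIT_OP_SHIFT)  /* values[i] = low bound (inclusive) */
#define AUDIT_OP_RANGE_HI  (0x4u << AUDIT_OP_SHIFT)  /* values[i] = high bound; only valid right after RANGE */
#define AUDIT_KNOWN_BITS   (AUDIT_NEGATE | AUDIT_OP_MASK | AUDIT_FIELD_MASK)

struct audit_rule {
    uint32_t flags;
    uint32_t action;
    uint32_t field_count;
    uint32_t mask[AUDIT_BITMASK_SIZE];
    uint32_t fields[AUDIT_MAX_FIELDS];
    uint32_t values[AUDIT_MAX_FIELDS];
};

/* Append one single-value comparison (=, !=, <, >). Returns 0, or -1 on a bad id,
 * a full rule, or a range op (ranges go through audit_rule_add_range). */
int audit_rule_add(struct audit_rule *r, uint32_t id, uint32_t op, bool negate, uint32_t v)
{
    if (id >= AUDIT_FIELD_MAX || r->field_count >= AUDIT_MAX_FIELDS)
        return -1;
    if (op == AUDIT_OP_RANGE || op == AUDIT_OP_RANGE_HI)
        return -1;
    r->fields[r->field_count] = id | op | (negate ? AUDIT_NEGATE : 0);
    r->values[r->field_count] = v;
    r->field_count++;
    return 0;
}

/* A range needs two values, so it takes two consecutive slots: the RANGE slot
 * carries the low bound and the RANGE_HI slot the high bound. field_count counts both. */
int audit_rule_add_range(struct audit_rule *r, uint32_t id, bool negate, uint32_t lo, uint32_t hi)
{
    if (id >= AUDIT_FIELD_MAX || lo > hi || r->field_count + 2 > AUDIT_MAX_FIELDS)
        return -1;
    uint32_t n = r->field_count;
    r->fields[n]     = id | AUDIT_OP_RANGE | (negate ? AUDIT_NEGATE : 0);
    r->values[n]     = lo;
    r->fields[n + 1] = id | AUDIT_OP_RANGE_HI;
    r->values[n + 1] = hi;
    r->field_count   = n + 2;
    return 0;
}

/* What the receiving side must check before installing a rule: unknown bits,
 * out-of-range ids, unassigned op codes, a RANGE without its HI slot, a stray
 * HI slot, or an inverted bound. Returns 0 if the rule is well formed, else -1. */
int audit_rule_validate(const struct audit_rule *r)
{
    if (r->field_count > AUDIT_MAX_FIELDS)
        return -1;
    for (uint32_t i = 0; i < r->field_count; i++) {
        uint32_t f = r->fields[i], op = f & AUDIT_OP_MASK, id = f & AUDIT_FIELD_MASK;
        if ((f & ~AUDIT_KNOWN_BITS) || id >= AUDIT_FIELD_MAX)
            return -1;
        if (op > AUDIT_OP_RANGE)           /* stray RANGE_HI or codes 5..7 */
            return -1;
        if (op == AUDIT_OP_RANGE) {
            if (i + 1 >= r->field_count)
                return -1;
            if (r->fields[i + 1] != (id | AUDIT_OP_RANGE_HI) || r->values[i] > r->values[i + 1])
                return -1;
            i++;                           /* consume the HI slot */
        }
    }
    return 0;
}

/* Evaluate a rule against one record (record[id] is the event's value for field id).
 * Every comparison must hold, as with today's =/!= rules; malformed rules never match. */
bool audit_rule_matches(const struct audit_rule *r, const uint32_t record[AUDIT_FIELD_MAX])
{
    if (audit_rule_validate(r) != 0)
        return false;
    for (uint32_t i = 0; i < r->field_count; i++) {
        uint32_t f = r->fields[i], id = f & AUDIT_FIELD_MASK, have = record[id];
        bool hit;
        switch (f & AUDIT_OP_MASK) {
        case AUDIT_OP_EQ:    hit = have == r->values[i]; break;
        case AUDIT_OP_LT:    hit = have <  r->values[i]; break;
        case AUDIT_OP_GT:    hit = have >  r->values[i]; break;
        case AUDIT_OP_RANGE: hit = have >= r->values[i] && have <= r->values[i + 1]; i++; break;
        default:             return false;
        }
        if (f & AUDIT_NEGATE)
            hit = !hit;
        if (!hit)
            return false;
    }
    return true;
}
```

The price of keeping the existing message type is that a range rule spends two of the AUDIT_MAX_FIELDS slots and the kernel must reject a RANGE slot whose HI partner is missing, or a HI slot on its own, as above; a new message type could carry both bounds in one entry but would need the legacy path kept alongside it, as the message suggests.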