The Smack implementation of netfilter abuses the
underlying mechanisms in that it re-uses the SELinux
netfilter ID in the user-space specifications. This
works because there is no ambiguity when only one
security module is in use. With module stacking it
will be possible to have both Smack and SELinux netfilter
rules. This will require that Smack be "fixed" to use
the mechanism in the way it was intended, and with a
different ID than SELinux. I believe that it will be
possible to make the changes backward compatible, so
that a system without complete stacking will work the
way it does today. In the long term, however, Smack
user-space will have to move to using Smack's ID.