Re: [GIT]: Networking

[Linus Torvalds]

On Mon, 21 Jul 2008, David Miller wrote:

> From: Patrick McHardy <kaber@xxxxxxxxx>
> Date: Mon, 21 Jul 2008 14:05:57 +0200
> 
> > The idea was that NETFILTER_ADVANCED=n enables everything needed
> > by mainstream distributions and hides the rest. We can certainly
> > change the default for this option, but that makes NETFILTER_ADVANCED
> > pretty much useless.
> 
> A new feature cannot possibly be used by existing distributions.  I
> think that's the main gripe.

Well, if the feature really is going to be something that a _normal_ 
netfilter config needs, then it should indeed be turned on.

However, nothing in the docs imply that at all. Can you explain? Why 
should IP_NF_SECURITY be on, and why should a default netfilter table 
enable it? And if it should, WHY THE HELL IS IT DOCUMENTED THAT YOU SHOULD 
SAY 'N'?

Patrick, see my original report:

> Grr. And I quote:
> 
>         Security table (IP_NF_SECURITY) [Y/n/?] (NEW) ?
>       
>       This option adds a `security' table to iptables, for use
>       with Mandatory Access Control (MAC) policy.
>       
>       If unsure, say N.


That option as it stands now MAKES NO SENSE. Either you should say 'Y' 
(and you should explain _why_), or you should say 'N' (as documented) and 
it should damn well default to 'N' too!

		Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/