Re: [GIT]: Networking

From: Patrick McHardy
Date: Mon Jul 21 2008 - 16:33:37 EST


Linus Torvalds wrote:
> > From: Patrick McHardy <kaber@xxxxxxxxx>
> > Date: Mon, 21 Jul 2008 14:05:57 +0200
> >
> > > The idea was that NETFILTER_ADVANCED=n enables everything needed
> > > by mainstream distributions and hides the rest. We can certainly
> > > change the default for this option, but that makes NETFILTER_ADVANCED
> > > pretty much useless.
> >
> > A new feature cannot possibly be used by existing distributions. I
> > think that's the main gripe.
>
> Well, if the feature really is going to be something that a _normal_
> netfilter config needs, then it should indeed be turned on.

As I said, I don't know whether it's needed, but judging by James'
response, it's going to be needed for a regular FC installation.

It's not needed today of course, so the attached patch changes it
to depend on NETFILTER_ADVANCED and removes the default.

> However, nothing in the docs implies that at all. Can you explain? Why
> should IP_NF_SECURITY be on, and why should a default netfilter table
> enable it? And if it should, WHY THE HELL IS IT DOCUMENTED THAT YOU
> SHOULD SAY 'N'?

I think I'll just change all the help texts for options having
different defaults with NETFILTER_ADVANCED=n to say "If unsure,
choose the default" to remove the contradictions we'd otherwise
always have.

netfilter: make security table depend on NETFILTER_ADVANCED

Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index f23e60c..90eb7cb 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -369,7 +369,7 @@ config IP_NF_SECURITY
tristate "Security table"
depends on IP_NF_IPTABLES
depends on SECURITY
- default m if NETFILTER_ADVANCED=n
+ depends on NETFILTER_ADVANCED
help
This option adds a `security' table to iptables, for use
with Mandatory Access Control (MAC) policy.
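Review bot: replacing `default m if NETFILTER_ADVANCED=n` with `depends on NETFILTER_ADVANCED` leaves IP_NF_SECURITY with no `default` line at all, so it falls back to Kconfig's implicit `n`, and any existing .config that picked up `IP_NF_SECURITY=m` from the removed default will silently drop the option on `make oldconfig` because the symbol is now invisible whenever NETFILTER_ADVANCED=n. That is the stated intent ("removes the default"), but the commit message should spell out the behaviour change, and given the thread's expectation that the table will be needed by regular distribution installs, it should say that the dependency is meant to be revisited. The help text in the context lines is not touched either; Linus points out it currently tells the user to say N, so if the option is being hidden anyway, updating that guidance in the same patch would avoid another round of contradictory defaults.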
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 689dec8..0cfcce7 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -213,7 +213,7 @@ config IP6_NF_SECURITY
tristate "Security table"
depends on IP6_NF_IPTABLES
depends on SECURITY
- default m if NETFILTER_ADVANCED=n
+ depends on NETFILTER_ADVANCED
help
This option adds a `security' table to iptables, for use
with Mandatory Access Control (MAC) policy.
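Review bot: the context line `This option adds a `security' table to iptables` in the IPv6 Kconfig should read `ip6tables`; since this block is being edited anyway, fixing that wording here would be cheap. Otherwise the hunk mirrors the IPv4 change exactly, including dropping `default m` without replacement, so the same oldconfig behaviour applies: IP6_NF_SECURITY becomes invisible and unset for NETFILTER_ADVANCED=n configs.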