| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 21 Jul 2008 22:33:18 +0200
From: Patrick McHardy <kaber@...sh.net>
To: Linus Torvalds <torvalds@...ux-foundation.org>
CC: David Miller <davem@...emloft.net>, jmorris@...ei.org,
akpm@...ux-foundation.org, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [GIT]: Networking
Linus Torvalds wrote:
>> From: Patrick McHardy <kaber@...sh.net>
>> Date: Mon, 21 Jul 2008 14:05:57 +0200
>>
>>> The idea was that NETFILTER_ADVANCED=n enables everything needed
>>> by mainstream distributions and hides the rest. We can certainly
>>> change the default for this option, but that makes NETFILTER_ADVANCED
>>> pretty much useless.
>> A new feature cannot possibly be used by existing distributions. I
>> think that's the main gripe.
>
>
> Well, if the feature really is going to be something that a _normal_
> netfilter config needs, then it should indeed be turned on.
As I said, I don't know whether its needed, but judging by James'
response, its going to be needed for a regular FC installation.
Its not needed today of course, so the attached patch changes it
to depend on NETFILTER_ADVANCED and removes the default.
> However, nothing in the docs imply that at all. Can you explain? Why
> should IP_NF_SECURITY be on, and why should a default netfilter table
> enable it? And if it should, WHY THE HELL IS IT DOCUMENTED THAT YOU SHOULD
> SAY 'N'?
I think I'll just change all the help texts for options having
different defaults with NETFILTER_ADVANCED=n to say "If unsure,
choose the default" to remove the contradictions we'd otherwise
always have.
View attachment "x" of type "text/plain" (1099 bytes)
Powered by blists - more mailing lists