Message-ID: <CA+55aFyQGf4sFNOVsv4krddn3gxQ=roqVHpC98-Ynx8iBqpRaQ@mail.gmail.com>
Date:	Wed, 23 Nov 2011 14:02:18 -0800
From:	Linus Torvalds <torvalds@...ux-foundation.org>
To:	Jan Engelhardt <jengelh@...ozas.de>
Cc:	David Miller <davem@...emloft.net>,
	Pablo Neira Ayuso <pablo@...filter.org>,
	Patrick McHardy <kaber@...sh.net>,
	netfilter-devel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: RAW netfilter - "advanced netfilter setting" or not?

On Wed, Nov 23, 2011 at 1:27 PM, Jan Engelhardt <jengelh@...ozas.de> wrote:
>
> In my opinion, NETFILTER_ADVANCED should be changed to only control
> the visibility of all suboptions, i.e. I suggest that "default m if
> NETFILTER_ADVANCED=n" be done for all non-deprecated modules.
> (Similar to how CONFIG_EXPERT works.)

No thank you. That makes the whole option pointless.

If you want all the modules, just hold down the 'm' key, and be done
with it. There's no skill needed, or need for NETFILTER_ADVANCED.

The whole point of NETFILTER_ADVANCED is for people like me who
actually want a fairly *minimal* kernel config, and probably one that
has no modules.

Modules are evil. They are a security issue, and they encourage a
"distro kernel" approach that takes forever to compile. Just say no.
Build a lean and mean kernel that actually has what you need, and
nothing more. And don't spend stupid time compiling modules you won't
need.

I wish we had a better way of doing a sane localized kernel. "make
localyesconfig" certainly isn't it, even if it tries. But options like
NETFILTER_ADVANCED are at least meant to lessen the pain, and not have
to wade through options that no sane person will know whether they
would ever need.

                      Linus
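An added shell example (not part of the thread) that audits a kernel .config along the lines argued above: it reports CONFIG_NETFILTER_ADVANCED and the built-in versus module split, and lists netfilter options built as modules. The sample .config fragment is constructed and the helper names are hypothetical.

```shell
#!/bin/sh
# Audit a kernel .config for a "lean kernel": how many options are built as
# modules (=m) versus built in (=y), and which netfilter options are modules.
# Hypothetical helpers written for this page, not a kernel tool.

# Constructed sample .config fragment so the script runs offline.
SAMPLE_CONFIG=$(cat <<'EOF'
CONFIG_MODULES=y
CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_RAW=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
# CONFIG_IP_NF_ARPTABLES is not set
CONFIG_EXT4_FS=y
CONFIG_USB_STORAGE=m
EOF
)

# count_opts <file> <y|m>: number of CONFIG_* options set to that value.
count_opts() {
    grep -c "^CONFIG_[A-Z0-9_]*=$2\$" "$1" || true
}

# nf_modules <file>: netfilter-related options built as modules, one per line.
nf_modules() {
    grep -E '^CONFIG_(NF_|IP_NF_|IP6_NF_|NETFILTER_XT_)[A-Z0-9_]*=m$' "$1" \
        | sed 's/=m$//' || true
}

# netfilter_advanced <file>: y or m if set, n if absent or "is not set".
netfilter_advanced() {
    v=$(sed -n 's/^CONFIG_NETFILTER_ADVANCED=\(.\)$/\1/p' "$1")
    printf '%s\n' "${v:-n}"
}

# audit <file>: one-line summary; a lean, module-free config shows modules=0.
audit() {
    printf 'NETFILTER_ADVANCED=%s builtin=%s modules=%s nf_modules=%s\n' \
        "$(netfilter_advanced "$1")" "$(count_opts "$1" y)" \
        "$(count_opts "$1" m)" "$(nf_modules "$1" | wc -l | tr -d ' ')"
}

tmp=$(mktemp); printf '%s\n' "$SAMPLE_CONFIG" > "$tmp"
audit "$tmp"    # prints: NETFILTER_ADVANCED=y builtin=7 modules=4 nf_modules=3
nf_modules "$tmp"
```

Point it at a real tree's .config instead of `$tmp` to see how far a build is from the module-free kernel described in the mail.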