Date: Mon, 21 Jul 2008 10:40:24 -0700 (PDT)
From: Linus Torvalds
To: David Miller
Cc: kaber@trash.net, jmorris@namei.org, akpm@linux-foundation.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [GIT]: Networking

On Mon, 21 Jul 2008, David Miller wrote:
> From: Patrick McHardy
> Date: Mon, 21 Jul 2008 14:05:57 +0200
>
> > The idea was that NETFILTER_ADVANCED=n enables everything needed
> > by mainstream distributions and hides the rest. We can certainly
> > change the default for this option, but that makes NETFILTER_ADVANCED
> > pretty much useless.
>
> A new feature cannot possibly be used by existing distributions. I
> think that's the main gripe.

Well, if the feature really is going to be something that a _normal_
netfilter config needs, then it should indeed be turned on.

However, nothing in the docs implies that at all. Can you explain? Why
should IP_NF_SECURITY be on, and why should a default netfilter table
enable it?

And if it should, WHY THE HELL IS IT DOCUMENTED THAT YOU SHOULD SAY 'N'?

Patrick, see my original report:

> Grr. And I quote:
>
> > Security table (IP_NF_SECURITY) [Y/n/?] (NEW) ?
> >
> > This option adds a `security' table to iptables, for use
> > with Mandatory Access Control (MAC) policy.
> >
> > If unsure, say N.

That option as it stands now MAKES NO SENSE. Either you should say 'Y'
(and you should explain _why_), or you should say 'N' (as documented) and
it should damn well default to 'N' too!

Linus