Subject: Re: RAW netfilter - "advanced netfilter setting" or not?
Date: Wednesday 23rd November 2011 22:02:18 UTC

On Wed, Nov 23, 2011 at 1:27 PM, Jan Engelhardt <[email protected]> wrote:
>
> In my opinion, NETFILTER_ADVANCED should be changed to only control
> the visibility of all suboptions, i.e. I suggest that "default m if
> NETFILTER_ADVANCED=n" be done for all non-deprecated modules.
> (Similar to how CONFIG_EXPERT works.)

No thank you. That makes the whole option pointless.

If you want all the modules, just hold down the 'm' key, and be done with it. There's no skill needed, or need for NETFILTER_ADVANCED.

The whole point of NETFILTER_ADVANCED is for people like me who actually want a fairly *minimal* kernel config, and probably one that has no modules.

Modules are evil. They are a security issue, and they encourage a "distro kernel" approach that takes forever to compile. Just say no. Build a lean and mean kernel that actually has what you need, and nothing more. And don't spend stupid time compiling modules you won't need.

I wish we had a better way of doing a sane localized kernel. "make localyesconfig" certainly isn't it, even if it tries. But options like NETFILTER_ADVANCED are at least meant to lessen the pain, and not have to wade through options that no sane person will know whether they would ever need.

Linus