From: Linus Torvalds <torvalds <at> linux-foundation.org>
Subject: Re: RAW netfilter - "advanced netfilter setting" or not?
Newsgroups: gmane.comp.security.firewalls.netfilter.devel
Date: Wednesday 23rd November 2011 22:02:18 UTC (over 5 years ago)
On Wed, Nov 23, 2011 at 1:27 PM, Jan Engelhardt <[email protected]> wrote:
>
> In my opinion, NETFILTER_ADVANCED should be changed to only control
> the visibility of all suboptions, i.e. I suggest that "default m if
> NETFILTER_ADVANCED=n" be done for all non-deprecated modules.
> (Similar to how CONFIG_EXPERT works.)

No thank you. That makes the whole option pointless.

If you want all the modules, just hold down the 'm' key, and be done
with it. There's no skill needed, or need for NETFILTER_ADVANCED.

The whole point of NETFILTER_ADVANCED is for people like me who
actually want a fairly *minimal* kernel config, and probably one that
has no modules.

Modules are evil. They are a security issue, and they encourage a
"distro kernel" approach that takes forever to compile. Just say no.
Build a lean and mean kernel that actually has what you need, and
nothing more. And don't spend stupid time compiling modules you won't
need.

I wish we had a better way of doing a sane localized kernel. "make
localyesconfig" certainly isn't it, even if it tries. But options like
NETFILTER_ADVANCED are at least meant to lessen the pain, and not have
to wade through options that no sane person will know whether they
would ever need.

                      Linus