Re: CONFIG_NETFILTER_ADVANCED

Patrick McHardy wrote:
> Well, the point of the advanced option is to handle *advanced*
> cases, so we don't need to cover manual adjustments (including
> things like shorewall which are usually installed manually). The
> default cases for people not having touched their *firewall*
> configuration is enough. I wasn't able to find the SuSE-script,
> but from a screenshot I could see that they do optionally handle
> IPsec. So what I'm saying is that we should include f.i. the policy
> match, and all other modules needed without manually attending
> to the firewall, but nothing more.
>
> IOW, it's for people like Linus, presumably not touching their
> default configuration, but unwilling to go through the 50+
> options to decide themselves.
>
> For people who want to compile-test them all (like me), we
> still can have a CONFIG_NETFILTER_ALL option hidden under
> CONFIG_NETFILTER_ADVANCED for simplicity, but that is a
> different topic.

CONFIG_NETFILTER_ALL sounds great.  So why not have CONFIG_NETFILTER_MIN for 
a minimal setup, which would only select:

  targets: NOTRACK, MASQ, REJECT, LOG
  matches: state, mport

Then let the user select any additional modules, like IPsec/policy or 
FTP/helpers.


Thanks!

--
Al
