Patrick McHardy wrote:
> Well, the point of the advanced option is to handle *advanced*
> cases, so we don't need to cover manual adjustments (including
> things like shorewall which are usually installed manually). The
> default cases for people not having touched their *firewall*
> configuration are enough. I wasn't able to find the SuSE-script,
> but from a screenshot I could see that they do optionally handle
> IPsec. So what I'm saying is that we should include f.i. the policy
> match, and all other modules needed without manually attending
> to the firewall, but nothing more.
>
> IOW, it's for people like Linus, presumably not touching their
> default configuration, but unwilling to go through the 50+
> options to decide themselves.
>
> For people who want to compile-test them all (like me), we
> still can have a CONFIG_NETFILTER_ALL option hidden under
> CONFIG_NETFILTER_ADVANCED for simplicity, but that is a
> different topic.

CONFIG_NETFILTER_ALL sounds great.

So why not have CONFIG_NETFILTER_MIN for a minimal setup, which would only select:

targets: NOTRACK, MASQ, REJECT, LOG
matches: state, mport

Then let the user select any additional modules, like IPsec/policy or FTP/helpers.

Thanks!

--
Al