On Nov 18 2007 03:19, Patrick McHardy wrote:
>>
>> SUSE:
>>
>> DNAT LOG MARK MASQUERADE REDIRECT REJECT TCPMSS esp
>> icmp icmpv6 limit pkttype policy
>> state tcp udp
>
> Thanks. Any RH/Fedora users?
>
>> But - surprise, surprise - it allows to load a file of custom rules,
>> so that basically means {ipt,ip6t,xt}_*, aka allmodconfig, like I said!
>> :)
>
> Well, the point of the advanced option is to handle *advanced*
> cases, so we don't need to cover manual adjustments (including
> things like shorewall which are usually installed manually).

Well even in "manual installations", I prefer to compile one kernel
for all hosts of the same arch I am ever going to work with, because
it takes its time, and time is precious when the number of hosts
grows towards +Infinity.

> The
> default cases for people not having touched their *firewall*
> configuration is enough. I wasn't able to find the SuSE-script,

Unpack
http://download.opensuse.org/distribution/SL-OSS-factory/inst-source/suse/src/SuSEfirewall2-3.6_SVNr183-15.src.rpm
look into sbin/SuSEfirewall2.

> but from a screenshot I could see that they do optionally handle
> IPsec. So what I'm saying is that we should include f.i. the policy
> match,

...which I listed above...

> and all other modules needed without manually attending
> to the firewall, but nothing more.
>
> IOW, it's for people like Linus, presumably not touching their
> default configuration, but unwilling to go through the 50+
> options to decide themselves.
>
> For people who want to compile-test them all (like me), we
> still can have a CONFIG_NETFILTER_ALL option hidden under
> CONFIG_NETFILTER_ADVANCED for simplicity, but that is a
> different topic.
>

For compile-testing, allmodconfig is sufficient IMO.