Re: RAW netfilter - "advanced netfilter setting" or not?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 23.11.2011 20:45, Linus Torvalds wrote:
> So I'm the one who long ago asked for some of the more esoteric
> netfilter configuration questions to be hidden behind some "advanced"
> question, and thus the reason why a lot of them are behind that
> NETFILTER_ADVANCED Kconfig setting.
> 
> However, I'm now trying OpenSUSE on one of my laptops, and it looks
> like the RAW filter is used by the default OS iptables setup. The fact
> that it is hidden behind NETFILTER_ADVANCED now means that I either
> have to enable the advanced netfilter Kconfig questions, or we should
> just remove the "depends on NETFILTER_ADVANCED" for the RAW case (or,
> rather - caseS - since there's a separate raw filter for ipv4 and
> ipv6, which sounds odd in itself, but that's another issue entirely)
> 
> My gut feel is that if it's one of the filters that a major distro
> depends on by default, it should no longer be hidden.

Agreed, the main point was to enable everything used by major
distributions by default (default m if NETFILTER_ADVANCED=n)
and hide everything else.

> But honestly, I
> didn't look at *why* OpenSUSE uses that filter. Maybe it's just doing
> something really odd and crazy.

Most likely they're using NOTRACK to avoid connection tracking for
some traffic. Could you post the output of "iptables -t raw -vxnL"?
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux