From mboxrd@z Thu Jan 1 00:00:00 1970
From: Patrick McHardy
Subject: Re: RAW netfilter - "advanced netfilter setting" or not?
Date: Wed, 23 Nov 2011 20:58:33 +0100
Message-ID: <4ECD5069.4090106@trash.net>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: 7bit
Cc: David Miller , Pablo Neira Ayuso , netfilter-devel@vger.kernel.org, netdev@vger.kernel.org
To: Linus Torvalds
Return-path:
Received: from stinky.trash.net ([213.144.137.162]:59562 "EHLO stinky.trash.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750990Ab1KWT6h (ORCPT ); Wed, 23 Nov 2011 14:58:37 -0500
In-Reply-To:
Sender: netfilter-devel-owner@vger.kernel.org
List-ID:

On 23.11.2011 20:45, Linus Torvalds wrote:
> So I'm the one who long ago asked for some of the more esoteric
> netfilter configuration questions to be hidden behind some "advanced"
> question, and thus the reason why a lot of them are behind that
> NETFILTER_ADVANCED Kconfig setting.
>
> However, I'm now trying OpenSUSE on one of my laptops, and it looks
> like the RAW filter is used by the default OS iptables setup. The fact
> that it is hidden behind NETFILTER_ADVANCED now means that I either
> have to enable the advanced netfilter Kconfig questions, or we should
> just remove the "depends on NETFILTER_ADVANCED" for the RAW case (or,
> rather - caseS - since there's a separate raw filter for ipv4 and
> ipv6, which sounds odd in itself, but that's another issue entirely)
>
> My gut feel is that if it's one of the filters that a major distro
> depends on by default, it should no longer be hidden.

Agreed, the main point was to enable everything used by major
distributions by default (default m if NETFILTER_ADVANCED=n) and hide
everything else.

> But honestly, I
> didn't look at *why* OpenSUSE uses that filter. Maybe it's just doing
> something really odd and crazy.

Most likely they're using NOTRACK to avoid connection tracking for some
traffic.
Could you post the output of "iptables -t raw -vxnL"?
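The two checks a practitioner would run to answer the question in this thread, as an added example that is not part of the original message or of the netfilter project: first, whether the kernel was built with the raw table at all (the IP_NF_RAW and IP6_NF_RAW Kconfig symbols depend on NETFILTER_ADVANCED, so on a kernel configured with NETFILTER_ADVANCED=n they simply never appear in the .config), and second, whether the running ruleset actually relies on it, by counting NOTRACK rules in the "iptables -t raw -vxnL" listing that Patrick asked for. The kernel .config fragment and the iptables listing below are constructed sample data, not OpenSUSE's real configuration; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): does this kernel have the raw table,
# and does the active ruleset use it for NOTRACK?

# Constructed sample .config fragment (not a real distro config). Note the
# Kconfig convention: a disabled symbol appears as "# SYM is not set", and a
# symbol that was never offered (hidden behind NETFILTER_ADVANCED=n) is absent.
SAMPLE_CONFIG=$(mktemp)
cat >"$SAMPLE_CONFIG" <<'EOF'
# CONFIG_NETFILTER_ADVANCED is not set
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP6_NF_RAW=m
EOF

# Constructed sample of "iptables -t raw -vxnL" output. With -v the columns
# are: pkts bytes target prot opt in out source destination [match options].
SAMPLE_RAW=$(mktemp)
cat >"$SAMPLE_RAW" <<'EOF'
Chain PREROUTING (policy ACCEPT 1234 packets, 567890 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     100       8000 NOTRACK    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
     200      16000 TRACE      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22

Chain OUTPUT (policy ACCEPT 1200 packets, 300000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     100       8000 NOTRACK    udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:53
      50       4000 NOTRACK    all  --  *      lo      0.0.0.0/0            0.0.0.0/0
EOF
trap 'rm -f "$SAMPLE_CONFIG" "$SAMPLE_RAW"' EXIT

# config_value CONFIG SYMBOL: print y/m/n for SYMBOL; absent or "is not set" -> n
config_value() {
    val=$(sed -n "s/^$2=//p" "$1")
    [ -n "$val" ] && printf '%s\n' "$val" || printf 'n\n'
}

# raw_table_config CONFIG: one SYMBOL=value line per symbol this thread is about
raw_table_config() {
    for sym in CONFIG_NETFILTER_ADVANCED CONFIG_IP_NF_RAW CONFIG_IP6_NF_RAW; do
        printf '%s=%s\n' "$sym" "$(config_value "$1" "$sym")"
    done
}

# raw_table_enabled CONFIG SYMBOL: exit 0 if SYMBOL is built-in (y) or a module (m)
raw_table_enabled() {
    case "$(config_value "$1" "$2")" in
        y|m) return 0 ;;
        *)   return 1 ;;
    esac
}

# notrack_rules LISTING: count rules whose target (3rd column) is NOTRACK
notrack_rules() {
    awk '$3 == "NOTRACK" { n++ } END { print n + 0 }' "$1"
}

raw_table_config "$SAMPLE_CONFIG"
printf 'NOTRACK rules in raw table: %s\n' "$(notrack_rules "$SAMPLE_RAW")"
```

On a real system, replace the constructed inputs with /boot/config-$(uname -r) (or /proc/config.gz, decompressed) and with the output of "iptables -t raw -vxnL" run as root. The sample reproduces the situation Linus describes: IP6_NF_RAW is present but IP_NF_RAW is missing entirely, so the three IPv4 NOTRACK rules could not be loaded on that kernel even though the ruleset expects them.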