Linus Torvalds wrote:
>> From: Patrick McHardy
>> Date: Mon, 21 Jul 2008 14:05:57 +0200
>>
>>> The idea was that NETFILTER_ADVANCED=n enables everything needed
>>> by mainstream distributions and hides the rest. We can certainly
>>> change the default for this option, but that makes NETFILTER_ADVANCED
>>> pretty much useless.
>>
>> A new feature cannot possibly be used by existing distributions. I
>> think that's the main gripe.
>
>
> Well, if the feature really is going to be something that a _normal_
> netfilter config needs, then it should indeed be turned on.

As I said, I don't know whether it's needed, but judging by James' response, it's going to be needed for a regular FC installation. It's not needed today of course, so the attached patch changes it to depend on NETFILTER_ADVANCED and removes the default.

> However, nothing in the docs imply that at all. Can you explain? Why
> should IP_NF_SECURITY be on, and why should a default netfilter table
> enable it? And if it should, WHY THE HELL IS IT DOCUMENTED THAT YOU SHOULD
> SAY 'N'?

I think I'll just change all the help texts for options having different defaults with NETFILTER_ADVANCED=n to say "If unsure, choose the default" to remove the contradictions we'd otherwise always have.
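For readers not familiar with how the netfilter Kconfig expresses "hidden unless NETFILTER_ADVANCED, but on by default for the basic configuration", the fragment below illustrates the two shapes being discussed: an option that is forced on when NETFILTER_ADVANCED=n (the kind of default Linus objects to because the help text says 'N'), and the same option made to depend on NETFILTER_ADVANCED with no default and the help text wording Patrick proposes. This is an added illustration written for this page; it is not the attached patch and not taken from the kernel tree, and the `IP_NF_SECURITY` prompt and help wording shown are assumptions about shape, not the actual kernel text.

```kconfig
# Added illustration, not the attached patch. Shape A: the option is only
# shown when NETFILTER_ADVANCED=y, but is silently selected as a module when
# NETFILTER_ADVANCED=n, which contradicts a help text that says "say N".
config IP_NF_SECURITY
	tristate "Packet security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

# Shape B: the change the mail describes for an option nobody needs today.
# It depends on NETFILTER_ADVANCED, has no default, and the help text
# refers to "the default" so it cannot contradict whatever the default is.
config IP_NF_SECURITY
	tristate "Packet security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, choose the default.
```

The practical check on a running system is whether `CONFIG_IP_NF_SECURITY` appears in the kernel's config (for example `/boot/config-$(uname -r)` or `/proc/config.gz`): with shape A a distribution that builds with NETFILTER_ADVANCED=n gets the security table as a module without ever seeing the prompt; with shape B it only gets it if the distribution kernel maintainers enabled NETFILTER_ADVANCED and then chose the option themselves.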