Re: [GIT]: Networking
From: Patrick McHardy <hidden>
Date: 2008-07-21 20:33:35
Also in:
lkml
Linus Torvalds wrote:
From: Patrick McHardy <redacted> Date: Mon, 21 Jul 2008 14:05:57 +0200
The idea was that NETFILTER_ADVANCED=n enables everything needed by mainstream distributions and hides the rest. We can certainly change the default for this option, but that makes NETFILTER_ADVANCED pretty much useless.
A new feature cannot possibly be used by existing distributions. I think that's the main gripe.
>
Well, if the feature really is going to be something that a _normal_ netfilter config needs, then it should indeed be turned on.
As I said, I don't know whether it's needed, but judging by James' response, it's going to be needed for a regular FC installation. It's not needed today of course, so the attached patch changes it to depend on NETFILTER_ADVANCED and removes the default.
However, nothing in the docs implies that at all. Can you explain? Why should IP_NF_SECURITY be on, and why should a default netfilter table enable it? And if it should, WHY THE HELL IS IT DOCUMENTED THAT YOU SHOULD SAY 'N'?
I think I'll just change all the help texts for options having different defaults with NETFILTER_ADVANCED=n to say "If unsure, choose the default" to remove the contradictions we'd otherwise always have.