11da177e4SLinus Torvalds# 21da177e4SLinus Torvalds# Network configuration 31da177e4SLinus Torvalds# 41da177e4SLinus Torvalds 5031cf19eSRobert P. J. Daymenuconfig NET 61da177e4SLinus Torvalds bool "Networking support" 7e9cc8bddSGeert Uytterhoeven select NLATTR 84cd5773aSAndy Shevchenko select GENERIC_NET_UTILS 91da177e4SLinus Torvalds ---help--- 101da177e4SLinus Torvalds Unless you really know what you are doing, you should say Y here. 111da177e4SLinus Torvalds The reason is that some programs need kernel networking support even 121da177e4SLinus Torvalds when running on a stand-alone machine that isn't connected to any 13d5950b43SSam Ravnborg other computer. 14d5950b43SSam Ravnborg 15d5950b43SSam Ravnborg If you are upgrading from an older kernel, you 161da177e4SLinus Torvalds should consider updating your networking tools too because changes 171da177e4SLinus Torvalds in the kernel and the tools often go hand in hand. The tools are 181da177e4SLinus Torvalds contained in the package net-tools, the location and version number 191da177e4SLinus Torvalds of which are given in <file:Documentation/Changes>. 201da177e4SLinus Torvalds 211da177e4SLinus Torvalds For a general introduction to Linux networking, it is highly 221da177e4SLinus Torvalds recommended to read the NET-HOWTO, available from 231da177e4SLinus Torvalds <http://www.tldp.org/docs.html#howto>. 241da177e4SLinus Torvalds 256a2e9b73SSam Ravnborgif NET 266a2e9b73SSam Ravnborg 271dacc76dSJohannes Bergconfig WANT_COMPAT_NETLINK_MESSAGES 281dacc76dSJohannes Berg bool 291dacc76dSJohannes Berg help 301dacc76dSJohannes Berg This option can be selected by other options that need compat 311dacc76dSJohannes Berg netlink messages. 321dacc76dSJohannes Berg 331dacc76dSJohannes Bergconfig COMPAT_NETLINK_MESSAGES 341dacc76dSJohannes Berg def_bool y 351dacc76dSJohannes Berg depends on COMPAT 3640b53d8aSDavid S. Miller depends on WEXT_CORE || WANT_COMPAT_NETLINK_MESSAGES 371dacc76dSJohannes Berg help 381dacc76dSJohannes Berg This option makes it possible to send different netlink messages 391dacc76dSJohannes Berg to tasks depending on whether the task is a compat task or not. To 401dacc76dSJohannes Berg achieve this, you need to set skb_shinfo(skb)->frag_list to the 411dacc76dSJohannes Berg compat skb before sending the skb, the netlink code will sort out 421dacc76dSJohannes Berg which message to actually pass to the task. 431dacc76dSJohannes Berg 441dacc76dSJohannes Berg Newly written code should NEVER need this option but do 451dacc76dSJohannes Berg compat-independent messages instead! 461dacc76dSJohannes Berg 471da177e4SLinus Torvaldsmenu "Networking options" 481da177e4SLinus Torvalds 496a2e9b73SSam Ravnborgsource "net/packet/Kconfig" 506a2e9b73SSam Ravnborgsource "net/unix/Kconfig" 516a2e9b73SSam Ravnborgsource "net/xfrm/Kconfig" 522356f4cbSMartin Schwidefskysource "net/iucv/Kconfig" 531da177e4SLinus Torvalds 541da177e4SLinus Torvaldsconfig INET 551da177e4SLinus Torvalds bool "TCP/IP networking" 56798b2cbfSDavid S. Miller select CRYPTO 57798b2cbfSDavid S. Miller select CRYPTO_AES 581da177e4SLinus Torvalds ---help--- 591da177e4SLinus Torvalds These are the protocols used on the Internet and on most local 601da177e4SLinus Torvalds Ethernets. It is highly recommended to say Y here (this will enlarge 61cf80efc2SYOSHIFUJI Hideaki your kernel by about 400 KB), since some programs (e.g. the X window 621da177e4SLinus Torvalds system) use TCP/IP even if your machine is not connected to any 631da177e4SLinus Torvalds other computer. You will get the so-called loopback device which 641da177e4SLinus Torvalds allows you to ping yourself (great fun, that!). 651da177e4SLinus Torvalds 661da177e4SLinus Torvalds For an excellent introduction to Linux networking, please read the 671da177e4SLinus Torvalds Linux Networking HOWTO, available from 681da177e4SLinus Torvalds <http://www.tldp.org/docs.html#howto>. 691da177e4SLinus Torvalds 701da177e4SLinus Torvalds If you say Y here and also to "/proc file system support" and 711da177e4SLinus Torvalds "Sysctl support" below, you can change various aspects of the 721da177e4SLinus Torvalds behavior of the TCP/IP code by writing to the (virtual) files in 731da177e4SLinus Torvalds /proc/sys/net/ipv4/*; the options are explained in the file 741da177e4SLinus Torvalds <file:Documentation/networking/ip-sysctl.txt>. 751da177e4SLinus Torvalds 761da177e4SLinus Torvalds Short answer: say Y. 771da177e4SLinus Torvalds 786a2e9b73SSam Ravnborgif INET 791da177e4SLinus Torvaldssource "net/ipv4/Kconfig" 801da177e4SLinus Torvaldssource "net/ipv6/Kconfig" 8138c94377SPaul Mooresource "net/netlabel/Kconfig" 821da177e4SLinus Torvalds 836a2e9b73SSam Ravnborgendif # if INET 846a2e9b73SSam Ravnborg 85984bc16cSJames Morrisconfig NETWORK_SECMARK 86984bc16cSJames Morris bool "Security Marking" 87984bc16cSJames Morris help 88984bc16cSJames Morris This enables security marking of network packets, similar 89984bc16cSJames Morris to nfmark, but designated for security purposes. 90984bc16cSJames Morris If you are unsure how to answer this question, answer N. 91984bc16cSJames Morris 92c1f19b51SRichard Cochranconfig NETWORK_PHY_TIMESTAMPING 93c1f19b51SRichard Cochran bool "Timestamping in PHY devices" 94c1f19b51SRichard Cochran help 95c1f19b51SRichard Cochran This allows timestamping of network packets by PHYs with 96c1f19b51SRichard Cochran hardware timestamping capabilities. This option adds some 97c1f19b51SRichard Cochran overhead in the transmit and receive paths. 98c1f19b51SRichard Cochran 99c1f19b51SRichard Cochran If you are unsure how to answer this question, answer N. 100c1f19b51SRichard Cochran 1011da177e4SLinus Torvaldsmenuconfig NETFILTER 102ef91fd52SPablo Neira Ayuso bool "Network packet filtering framework (Netfilter)" 1031da177e4SLinus Torvalds ---help--- 1041da177e4SLinus Torvalds Netfilter is a framework for filtering and mangling network packets 1051da177e4SLinus Torvalds that pass through your Linux box. 1061da177e4SLinus Torvalds 1071da177e4SLinus Torvalds The most common use of packet filtering is to run your Linux box as 1081da177e4SLinus Torvalds a firewall protecting a local network from the Internet. The type of 1091da177e4SLinus Torvalds firewall provided by this kernel support is called a "packet 1101da177e4SLinus Torvalds filter", which means that it can reject individual network packets 1111da177e4SLinus Torvalds based on type, source, destination etc. The other kind of firewall, 1121da177e4SLinus Torvalds a "proxy-based" one, is more secure but more intrusive and more 1131da177e4SLinus Torvalds bothersome to set up; it inspects the network traffic much more 1141da177e4SLinus Torvalds closely, modifies it and has knowledge about the higher level 1151da177e4SLinus Torvalds protocols, which a packet filter lacks. Moreover, proxy-based 1161da177e4SLinus Torvalds firewalls often require changes to the programs running on the local 1171da177e4SLinus Torvalds clients. Proxy-based firewalls don't need support by the kernel, but 1181da177e4SLinus Torvalds they are often combined with a packet filter, which only works if 1191da177e4SLinus Torvalds you say Y here. 1201da177e4SLinus Torvalds 1211da177e4SLinus Torvalds You should also say Y here if you intend to use your Linux box as 1221da177e4SLinus Torvalds the gateway to the Internet for a local network of machines without 1231da177e4SLinus Torvalds globally valid IP addresses. This is called "masquerading": if one 1241da177e4SLinus Torvalds of the computers on your local network wants to send something to 1251da177e4SLinus Torvalds the outside, your box can "masquerade" as that computer, i.e. it 1261da177e4SLinus Torvalds forwards the traffic to the intended outside destination, but 1271da177e4SLinus Torvalds modifies the packets to make it look like they came from the 1281da177e4SLinus Torvalds firewall box itself. It works both ways: if the outside host 1291da177e4SLinus Torvalds replies, the Linux box will silently forward the traffic to the 1301da177e4SLinus Torvalds correct local computer. This way, the computers on your local net 1311da177e4SLinus Torvalds are completely invisible to the outside world, even though they can 1321da177e4SLinus Torvalds reach the outside and can receive replies. It is even possible to 1331da177e4SLinus Torvalds run globally visible servers from within a masqueraded local network 1341da177e4SLinus Torvalds using a mechanism called portforwarding. Masquerading is also often 1351da177e4SLinus Torvalds called NAT (Network Address Translation). 1361da177e4SLinus Torvalds 1371da177e4SLinus Torvalds Another use of Netfilter is in transparent proxying: if a machine on 1381da177e4SLinus Torvalds the local network tries to connect to an outside host, your Linux 1391da177e4SLinus Torvalds box can transparently forward the traffic to a local server, 1401da177e4SLinus Torvalds typically a caching proxy server. 1411da177e4SLinus Torvalds 1421da177e4SLinus Torvalds Yet another use of Netfilter is building a bridging firewall. Using 1431da177e4SLinus Torvalds a bridge with Network packet filtering enabled makes iptables "see" 1441da177e4SLinus Torvalds the bridged traffic. For filtering on the lower network and Ethernet 1451da177e4SLinus Torvalds protocols over the bridge, use ebtables (under bridge netfilter 1461da177e4SLinus Torvalds configuration). 1471da177e4SLinus Torvalds 1481da177e4SLinus Torvalds Various modules exist for netfilter which replace the previous 1491da177e4SLinus Torvalds masquerading (ipmasqadm), packet filtering (ipchains), transparent 1501da177e4SLinus Torvalds proxying, and portforwarding mechanisms. Please see 1511da177e4SLinus Torvalds <file:Documentation/Changes> under "iptables" for the location of 1521da177e4SLinus Torvalds these packages. 1531da177e4SLinus Torvalds 1541da177e4SLinus Torvaldsif NETFILTER 1551da177e4SLinus Torvalds 1561da177e4SLinus Torvaldsconfig NETFILTER_DEBUG 1571da177e4SLinus Torvalds bool "Network packet filtering debugging" 1581da177e4SLinus Torvalds depends on NETFILTER 1591da177e4SLinus Torvalds help 1601da177e4SLinus Torvalds You can say Y here if you want to get additional messages useful in 1611da177e4SLinus Torvalds debugging the netfilter code. 1621da177e4SLinus Torvalds 16333b8e776SPatrick McHardyconfig NETFILTER_ADVANCED 16433b8e776SPatrick McHardy bool "Advanced netfilter configuration" 16533b8e776SPatrick McHardy depends on NETFILTER 16633b8e776SPatrick McHardy default y 16733b8e776SPatrick McHardy help 16833b8e776SPatrick McHardy If you say Y here you can select between all the netfilter modules. 169692105b8SMatt LaPlante If you say N the more unusual ones will not be shown and the 17033b8e776SPatrick McHardy basic ones needed by most people will default to 'M'. 17133b8e776SPatrick McHardy 17233b8e776SPatrick McHardy If unsure, say Y. 17333b8e776SPatrick McHardy 1741da177e4SLinus Torvaldsconfig BRIDGE_NETFILTER 1751da177e4SLinus Torvalds bool "Bridged IP/ARP packets filtering" 1761da177e4SLinus Torvalds depends on BRIDGE && NETFILTER && INET 17733b8e776SPatrick McHardy depends on NETFILTER_ADVANCED 1781da177e4SLinus Torvalds default y 1791da177e4SLinus Torvalds ---help--- 1801da177e4SLinus Torvalds Enabling this option will let arptables resp. iptables see bridged 1811da177e4SLinus Torvalds ARP resp. IP traffic. If you want a bridging firewall, you probably 1821da177e4SLinus Torvalds want this option enabled. 1831da177e4SLinus Torvalds Enabling or disabling this option doesn't enable or disable 1841da177e4SLinus Torvalds ebtables. 1851da177e4SLinus Torvalds 1861da177e4SLinus Torvalds If unsure, say N. 1871da177e4SLinus Torvalds 1889eb0eec7SHarald Weltesource "net/netfilter/Kconfig" 1891da177e4SLinus Torvaldssource "net/ipv4/netfilter/Kconfig" 1901da177e4SLinus Torvaldssource "net/ipv6/netfilter/Kconfig" 1911da177e4SLinus Torvaldssource "net/decnet/netfilter/Kconfig" 1921da177e4SLinus Torvaldssource "net/bridge/netfilter/Kconfig" 1931da177e4SLinus Torvalds 1941da177e4SLinus Torvaldsendif 1951da177e4SLinus Torvalds 1967c657876SArnaldo Carvalho de Melosource "net/dccp/Kconfig" 1971da177e4SLinus Torvaldssource "net/sctp/Kconfig" 198fe17f84fSAndy Groversource "net/rds/Kconfig" 1991e63e681SPer Lidensource "net/tipc/Kconfig" 2006a2e9b73SSam Ravnborgsource "net/atm/Kconfig" 201fd558d18SJames Chapmansource "net/l2tp/Kconfig" 202a19800d7SPatrick McHardysource "net/802/Kconfig" 2036a2e9b73SSam Ravnborgsource "net/bridge/Kconfig" 20491da11f8SLennert Buytenheksource "net/dsa/Kconfig" 2056a2e9b73SSam Ravnborgsource "net/8021q/Kconfig" 2061da177e4SLinus Torvaldssource "net/decnet/Kconfig" 2071da177e4SLinus Torvaldssource "net/llc/Kconfig" 2081da177e4SLinus Torvaldssource "net/ipx/Kconfig" 2091da177e4SLinus Torvaldssource "drivers/net/appletalk/Kconfig" 2106a2e9b73SSam Ravnborgsource "net/x25/Kconfig" 2116a2e9b73SSam Ravnborgsource "net/lapb/Kconfig" 2125075138dSremi.denis-courmont@nokiasource "net/phonet/Kconfig" 2139ec76716SSergey Lapinsource "net/ieee802154/Kconfig" 2141010f540Salex.bluesman.smirnov@gmail.comsource "net/mac802154/Kconfig" 2151da177e4SLinus Torvaldssource "net/sched/Kconfig" 2162f90b865SAlexander Duycksource "net/dcb/Kconfig" 2171a4240f4SWang Leisource "net/dns_resolver/Kconfig" 218c6c8fea2SSven Eckelmannsource "net/batman-adv/Kconfig" 219ccb1352eSJesse Grosssource "net/openvswitch/Kconfig" 220d021c344SAndy Kingsource "net/vmw_vsock/Kconfig" 221eaaa3139SAndrey Vaginsource "net/netlink/Kconfig" 2220d89d203SSimon Hormansource "net/mpls/Kconfig" 223f421436aSArvid Brodinsource "net/hsr/Kconfig" 2241da177e4SLinus Torvalds 225df334545SEric Dumazetconfig RPS 226df334545SEric Dumazet boolean 227044c8d4bSYuanhan Liu depends on SMP && SYSFS 228df334545SEric Dumazet default y 229df334545SEric Dumazet 230c445477dSBen Hutchingsconfig RFS_ACCEL 231c445477dSBen Hutchings boolean 2320244ad00SMartin Schwidefsky depends on RPS 233c445477dSBen Hutchings select CPU_RMAP 234c445477dSBen Hutchings default y 235c445477dSBen Hutchings 236bf264145STom Herbertconfig XPS 237bf264145STom Herbert boolean 238044c8d4bSYuanhan Liu depends on SMP 239bf264145STom Herbert default y 240bf264145STom Herbert 2415bc1421eSNeil Hormanconfig NETPRIO_CGROUP 2425bc1421eSNeil Horman tristate "Network priority cgroup" 2435bc1421eSNeil Horman depends on CGROUPS 2445bc1421eSNeil Horman ---help--- 2455bc1421eSNeil Horman Cgroup subsystem for use in assigning processes to network priorities on 2465bc1421eSNeil Horman a per-interface basis 2475bc1421eSNeil Horman 248fe1217c4SDaniel Borkmannconfig CGROUP_NET_CLASSID 249fe1217c4SDaniel Borkmann boolean "Network classid cgroup" 250fe1217c4SDaniel Borkmann depends on CGROUPS 251fe1217c4SDaniel Borkmann ---help--- 252fe1217c4SDaniel Borkmann Cgroup subsystem for use as general purpose socket classid marker that is 253fe1217c4SDaniel Borkmann being used in cls_cgroup and for netfilter matching. 254fe1217c4SDaniel Borkmann 255e0d1095aSCong Wangconfig NET_RX_BUSY_POLL 25689bf1b5aSEliezer Tamir boolean 25789bf1b5aSEliezer Tamir default y 25806021292SEliezer Tamir 259114cf580STom Herbertconfig BQL 260114cf580STom Herbert boolean 261114cf580STom Herbert depends on SYSFS 262114cf580STom Herbert select DQL 263114cf580STom Herbert default y 264114cf580STom Herbert 2650a14842fSEric Dumazetconfig BPF_JIT 2660a14842fSEric Dumazet bool "enable BPF Just In Time compiler" 2670a14842fSEric Dumazet depends on HAVE_BPF_JIT 268b6202f97SEric Dumazet depends on MODULES 2690a14842fSEric Dumazet ---help--- 2700a14842fSEric Dumazet Berkeley Packet Filter filtering capabilities are normally handled 2710a14842fSEric Dumazet by an interpreter. This option allows kernel to generate a native 2720a14842fSEric Dumazet code when filter is loaded in memory. This should speedup 2730a14842fSEric Dumazet packet sniffing (libpcap/tcpdump). Note : Admin should enable 2740a14842fSEric Dumazet this feature changing /proc/sys/net/core/bpf_jit_enable 2750a14842fSEric Dumazet 27699bbc707SWillem de Bruijnconfig NET_FLOW_LIMIT 27799bbc707SWillem de Bruijn boolean 27899bbc707SWillem de Bruijn depends on RPS 27999bbc707SWillem de Bruijn default y 28099bbc707SWillem de Bruijn ---help--- 28199bbc707SWillem de Bruijn The network stack has to drop packets when a receive processing CPU's 28299bbc707SWillem de Bruijn backlog reaches netdev_max_backlog. If a few out of many active flows 28399bbc707SWillem de Bruijn generate the vast majority of load, drop their traffic earlier to 28499bbc707SWillem de Bruijn maintain capacity for the other flows. This feature provides servers 28599bbc707SWillem de Bruijn with many clients some protection against DoS by a single (spoofed) 28699bbc707SWillem de Bruijn flow that greatly exceeds average workload. 28799bbc707SWillem de Bruijn 2881da177e4SLinus Torvaldsmenu "Network testing" 2891da177e4SLinus Torvalds 2901da177e4SLinus Torvaldsconfig NET_PKTGEN 2911da177e4SLinus Torvalds tristate "Packet Generator (USE WITH CAUTION)" 292ffd756b3SThomas Graf depends on INET && PROC_FS 2931da177e4SLinus Torvalds ---help--- 2941da177e4SLinus Torvalds This module will inject preconfigured packets, at a configurable 2951da177e4SLinus Torvalds rate, out of a given interface. It is used for network interface 2961da177e4SLinus Torvalds stress testing and performance analysis. If you don't understand 2971da177e4SLinus Torvalds what was just said, you don't need it: say N. 2981da177e4SLinus Torvalds 2991da177e4SLinus Torvalds Documentation on how to use the packet generator can be found 3001da177e4SLinus Torvalds at <file:Documentation/networking/pktgen.txt>. 3011da177e4SLinus Torvalds 3021da177e4SLinus Torvalds To compile this code as a module, choose M here: the 3031da177e4SLinus Torvalds module will be called pktgen. 3041da177e4SLinus Torvalds 305a42e9d6cSStephen Hemmingerconfig NET_TCPPROBE 306a42e9d6cSStephen Hemminger tristate "TCP connection probing" 307911f8635SKees Cook depends on INET && PROC_FS && KPROBES 308a42e9d6cSStephen Hemminger ---help--- 309a42e9d6cSStephen Hemminger This module allows for capturing the changes to TCP connection 3109dadaa19SDave Jones state in response to incoming packets. It is used for debugging 311a42e9d6cSStephen Hemminger TCP congestion avoidance modules. If you don't understand 312a42e9d6cSStephen Hemminger what was just said, you don't need it: say N. 313a42e9d6cSStephen Hemminger 31482fe7c92SGrant Grundler Documentation on how to use TCP connection probing can be found 315c996d8b9SMichael Witten at: 316c996d8b9SMichael Witten 317c996d8b9SMichael Witten http://www.linuxfoundation.org/collaborate/workgroups/networking/tcpprobe 318a42e9d6cSStephen Hemminger 319a42e9d6cSStephen Hemminger To compile this code as a module, choose M here: the 320a42e9d6cSStephen Hemminger module will be called tcp_probe. 321a42e9d6cSStephen Hemminger 322273ae44bSNeil Hormanconfig NET_DROP_MONITOR 323cad456d5SNeil Horman tristate "Network packet drop alerting service" 324911f8635SKees Cook depends on INET && TRACEPOINTS 325273ae44bSNeil Horman ---help--- 326273ae44bSNeil Horman This feature provides an alerting service to userspace in the 327273ae44bSNeil Horman event that packets are discarded in the network stack. Alerts 328273ae44bSNeil Horman are broadcast via netlink socket to any listening user space 329273ae44bSNeil Horman process. If you don't need network drop alerts, or if you are ok 330273ae44bSNeil Horman just checking the various proc files and other utilities for 331273ae44bSNeil Horman drop statistics, say N here. 332273ae44bSNeil Horman 3331da177e4SLinus Torvaldsendmenu 3341da177e4SLinus Torvalds 3351da177e4SLinus Torvaldsendmenu 3361da177e4SLinus Torvalds 3371da177e4SLinus Torvaldssource "net/ax25/Kconfig" 3380d66548aSOliver Hartkoppsource "net/can/Kconfig" 3391da177e4SLinus Torvaldssource "net/irda/Kconfig" 3401da177e4SLinus Torvaldssource "net/bluetooth/Kconfig" 34117926a79SDavid Howellssource "net/rxrpc/Kconfig" 342d86b5e0eSAdrian Bunk 34314c0b97dSThomas Grafconfig FIB_RULES 34414c0b97dSThomas Graf bool 34514c0b97dSThomas Graf 3465442060cSRobert P. J. Daymenuconfig WIRELESS 3475442060cSRobert P. J. Day bool "Wireless" 348f54bfc0eSMartin Schwidefsky depends on !S390 3495442060cSRobert P. J. Day default y 3505442060cSRobert P. J. Day 3515442060cSRobert P. J. Dayif WIRELESS 3522a5e1c0eSJohannes Berg 3532a5e1c0eSJohannes Bergsource "net/wireless/Kconfig" 354f0706e82SJiri Bencsource "net/mac80211/Kconfig" 3552a5e1c0eSJohannes Berg 3565442060cSRobert P. J. Dayendif # WIRELESS 3572a5e1c0eSJohannes Berg 358b0c83ae1SInaky Perez-Gonzalezsource "net/wimax/Kconfig" 359b0c83ae1SInaky Perez-Gonzalez 360cf4328cdSIvo van Doornsource "net/rfkill/Kconfig" 361bd238fb4SLatchesar Ionkovsource "net/9p/Kconfig" 3623908c690SSjur Braendelandsource "net/caif/Kconfig" 3633d14c5d2SYehuda Sadehsource "net/ceph/Kconfig" 3643e256b8fSLauro Ramos Venanciosource "net/nfc/Kconfig" 3653908c690SSjur Braendeland 366cf4328cdSIvo van Doorn 3676a2e9b73SSam Ravnborgendif # if NET 368e47b65b0SSam Ravnborg 369e47b65b0SSam Ravnborg# Used by archs to tell that they support BPF_JIT 370e47b65b0SSam Ravnborgconfig HAVE_BPF_JIT 371e47b65b0SSam Ravnborg bool 372