xref: /openbmc/linux/net/ipv4/Kconfig (revision 1da177e4)
#
# IP configuration
#
config IP_MULTICAST
	bool "IP: multicasting"
	depends on INET
	help
	  This is code for addressing several networked computers at once,
	  enlarging your kernel by about 2 KB. You need multicasting if you
	  intend to participate in the MBONE, a high bandwidth network on top
	  of the Internet which carries audio and video broadcasts. More
	  information about the MBONE is on the WWW at
	  <http://www-itg.lbl.gov/mbone/>. Information about the multicast
	  capabilities of the various network cards is contained in
	  <file:Documentation/networking/multicast.txt>. For most people, it's
	  safe to say N.

config IP_ADVANCED_ROUTER
	bool "IP: advanced router"
	depends on INET
	---help---
	  If you intend to run your Linux box mostly as a router, i.e. as a
	  computer that forwards and redistributes network packets, say Y; you
	  will then be presented with several options that allow more precise
	  control about the routing process.

	  The answer to this question won't directly affect the kernel:
	  answering N will just cause the configurator to skip all the
	  questions about advanced routing.

	  Note that your box can only act as a router if you enable IP
	  forwarding in your kernel; you can do that by saying Y to "/proc
	  file system support" and "Sysctl support" below and executing the
	  line

	  echo "1" > /proc/sys/net/ipv4/ip_forward

	  at boot time after the /proc file system has been mounted.

	  If you turn on IP forwarding, you will also get the rp_filter, which
	  automatically rejects incoming packets if the routing table entry
	  for their source address doesn't match the network interface they're
	  arriving on. This has security advantages because it prevents the
	  so-called IP spoofing, however it can pose problems if you use
	  asymmetric routing (packets from you to a host take a different path
	  than packets from that host to you) or if you operate a non-routing
	  host which has several IP addresses on different interfaces. To turn
	  rp_filter off use:

	  echo 0 > /proc/sys/net/ipv4/conf/<device>/rp_filter
	  or
	  echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter

	  If unsure, say N here.

config IP_MULTIPLE_TABLES
	bool "IP: policy routing"
	depends on IP_ADVANCED_ROUTER
	---help---
	  Normally, a router decides what to do with a received packet based
	  solely on the packet's final destination address. If you say Y here,
	  the Linux router will also be able to take the packet's source
	  address into account. Furthermore, the TOS (Type-Of-Service) field
	  of the packet can be used for routing decisions as well.

	  If you are interested in this, please see the preliminary
	  documentation at <http://www.compendium.com.ar/policy-routing.txt>
	  and <ftp://post.tepkom.ru/pub/vol2/Linux/docs/advanced-routing.tex>.
	  You will need supporting software from
	  <ftp://ftp.tux.org/pub/net/ip-routing/>.

	  If unsure, say N.

config IP_ROUTE_FWMARK
	bool "IP: use netfilter MARK value as routing key"
	depends on IP_MULTIPLE_TABLES && NETFILTER
	help
	  If you say Y here, you will be able to specify different routes for
	  packets with different mark values (see iptables(8), MARK target).

config IP_ROUTE_MULTIPATH
	bool "IP: equal cost multipath"
	depends on IP_ADVANCED_ROUTER
	help
	  Normally, the routing tables specify a single action to be taken in
	  a deterministic manner for a given packet. If you say Y here
	  however, it becomes possible to attach several actions to a packet
	  pattern, in effect specifying several alternative paths to travel
	  for those packets. The router considers all these paths to be of
	  equal "cost" and chooses one of them in a non-deterministic fashion
	  if a matching packet arrives.

config IP_ROUTE_MULTIPATH_CACHED
	bool "IP: equal cost multipath with caching support (EXPERIMENTAL)"
	depends on IP_ROUTE_MULTIPATH
	help
	  Normally, equal cost multipath routing is not supported by the
	  routing cache. If you say Y here, alternative routes are cached
	  and on cache lookup a route is chosen in a configurable fashion.

	  If unsure, say N.

config IP_ROUTE_MULTIPATH_RR
	tristate "MULTIPATH: round robin algorithm"
	depends on IP_ROUTE_MULTIPATH_CACHED
	help
	  Multipath routes are chosen according to Round Robin.

config IP_ROUTE_MULTIPATH_RANDOM
	tristate "MULTIPATH: random algorithm"
	depends on IP_ROUTE_MULTIPATH_CACHED
	help
	  Multipath routes are chosen in a random fashion. Actually,
	  there is no weight for a route. The advantage of this policy
	  is that it is implemented stateless and therefore introduces only
	  a very small delay.

config IP_ROUTE_MULTIPATH_WRANDOM
	tristate "MULTIPATH: weighted random algorithm"
	depends on IP_ROUTE_MULTIPATH_CACHED
	help
	  Multipath routes are chosen in a weighted random fashion.
	  The per-route weights are the weights visible via ip route 2. As the
	  corresponding state management introduces some overhead, routing
	  delay is increased.

config IP_ROUTE_MULTIPATH_DRR
	tristate "MULTIPATH: interface round robin algorithm"
	depends on IP_ROUTE_MULTIPATH_CACHED
	help
	  Connections are distributed in a round robin fashion over the
	  available interfaces. This policy makes sense if the connections
	  should be primarily distributed on interfaces and not on routes.

config IP_ROUTE_VERBOSE
	bool "IP: verbose route monitoring"
	depends on IP_ADVANCED_ROUTER
	help
	  If you say Y here, which is recommended, then the kernel will print
	  verbose messages regarding the routing, for example warnings about
	  received packets which look strange and could be evidence of an
	  attack or a misconfigured system somewhere. The information is
	  handled by the klogd daemon which is responsible for kernel messages
	  ("man klogd").

config IP_PNP
	bool "IP: kernel level autoconfiguration"
	depends on INET
	help
	  This enables automatic configuration of IP addresses of devices and
	  of the routing table during kernel boot, based on either information
	  supplied on the kernel command line or by BOOTP or RARP protocols.
	  You need to say Y only for diskless machines requiring network
	  access to boot (in which case you want to say Y to "Root file system
	  on NFS" as well), because all other machines configure the network
	  in their startup scripts.

config IP_PNP_DHCP
	bool "IP: DHCP support"
	depends on IP_PNP
	---help---
	  If you want your Linux box to mount its whole root file system (the
	  one containing the directory /) from some other computer over the
	  net via NFS and you want the IP address of your computer to be
	  discovered automatically at boot time using the DHCP protocol (a
	  special protocol designed for doing this job), say Y here. In case
	  the boot ROM of your network card was designed for booting Linux and
	  does DHCP itself, providing all necessary information on the kernel
	  command line, you can say N here.

	  If unsure, say Y. Note that if you want to use DHCP, a DHCP server
	  must be operating on your network.  Read
	  <file:Documentation/nfsroot.txt> for details.

config IP_PNP_BOOTP
	bool "IP: BOOTP support"
	depends on IP_PNP
	---help---
	  If you want your Linux box to mount its whole root file system (the
	  one containing the directory /) from some other computer over the
	  net via NFS and you want the IP address of your computer to be
	  discovered automatically at boot time using the BOOTP protocol (a
	  special protocol designed for doing this job), say Y here. In case
	  the boot ROM of your network card was designed for booting Linux and
	  does BOOTP itself, providing all necessary information on the kernel
	  command line, you can say N here. If unsure, say Y. Note that if you
	  want to use BOOTP, a BOOTP server must be operating on your network.
	  Read <file:Documentation/nfsroot.txt> for details.

config IP_PNP_RARP
	bool "IP: RARP support"
	depends on IP_PNP
	help
	  If you want your Linux box to mount its whole root file system (the
	  one containing the directory /) from some other computer over the
	  net via NFS and you want the IP address of your computer to be
	  discovered automatically at boot time using the RARP protocol (an
	  older protocol which is being obsoleted by BOOTP and DHCP), say Y
	  here. Note that if you want to use RARP, a RARP server must be
	  operating on your network. Read <file:Documentation/nfsroot.txt> for
	  details.

# not yet ready..
#   bool '    IP: ARP support' CONFIG_IP_PNP_ARP
config NET_IPIP
	tristate "IP: tunneling"
	depends on INET
	select INET_TUNNEL
	---help---
	  Tunneling means encapsulating data of one protocol type within
	  another protocol and sending it over a channel that understands the
	  encapsulating protocol. This particular tunneling driver implements
	  encapsulation of IP within IP, which sounds kind of pointless, but
	  can be useful if you want to make your (or some other) machine
	  appear on a different network than it physically is, or to use
	  mobile-IP facilities (allowing laptops to seamlessly move between
	  networks without changing their IP addresses).

	  Saying Y to this option will produce two modules ( = code which can
	  be inserted in and removed from the running kernel whenever you
	  want). Most people won't need this and can say N.

config NET_IPGRE
	tristate "IP: GRE tunnels over IP"
	depends on INET
	select XFRM
	help
	  Tunneling means encapsulating data of one protocol type within
	  another protocol and sending it over a channel that understands the
	  encapsulating protocol. This particular tunneling driver implements
	  GRE (Generic Routing Encapsulation) and at this time allows
	  encapsulating of IPv4 or IPv6 over existing IPv4 infrastructure.
	  This driver is useful if the other endpoint is a Cisco router: Cisco
	  likes GRE much better than the other Linux tunneling driver ("IP
	  tunneling" above). In addition, GRE allows multicast redistribution
	  through the tunnel.

config NET_IPGRE_BROADCAST
	bool "IP: broadcast GRE over IP"
	depends on IP_MULTICAST && NET_IPGRE
	help
	  One application of GRE/IP is to construct a broadcast WAN (Wide Area
	  Network), which looks like a normal Ethernet LAN (Local Area
	  Network), but can be distributed all over the Internet. If you want
	  to do that, say Y here and to "IP multicast routing" below.

config IP_MROUTE
	bool "IP: multicast routing"
	depends on IP_MULTICAST
	help
	  This is used if you want your machine to act as a router for IP
	  packets that have several destination addresses. It is needed on the
	  MBONE, a high bandwidth network on top of the Internet which carries
	  audio and video broadcasts. In order to do that, you would most
	  likely run the program mrouted. Information about the multicast
	  capabilities of the various network cards is contained in
	  <file:Documentation/networking/multicast.txt>. If you haven't heard
	  about it, you don't need it.

config IP_PIMSM_V1
	bool "IP: PIM-SM version 1 support"
	depends on IP_MROUTE
	help
	  Kernel side support for Sparse Mode PIM (Protocol Independent
	  Multicast) version 1. This multicast routing protocol is used widely
	  because Cisco supports it. You need special software to use it
	  (pimd-v1). Please see <http://netweb.usc.edu/pim/> for more
	  information about PIM.

	  Say Y if you want to use PIM-SM v1. Note that you can say N here if
	  you just want to use Dense Mode PIM.

config IP_PIMSM_V2
	bool "IP: PIM-SM version 2 support"
	depends on IP_MROUTE
	help
	  Kernel side support for Sparse Mode PIM version 2. In order to use
	  this, you need an experimental routing daemon supporting it (pimd or
	  gated-5). This routing protocol is not used widely, so say N unless
	  you want to play with it.

config ARPD
	bool "IP: ARP daemon support (EXPERIMENTAL)"
	depends on INET && EXPERIMENTAL
	---help---
	  Normally, the kernel maintains an internal cache which maps IP
	  addresses to hardware addresses on the local network, so that
	  Ethernet/Token Ring/ etc. frames are sent to the proper address on
	  the physical networking layer. For small networks having a few
	  hundred directly connected hosts or less, keeping this address
	  resolution (ARP) cache inside the kernel works well. However,
	  maintaining an internal ARP cache does not work well for very large
	  switched networks, and will use a lot of kernel memory if TCP/IP
	  connections are made to many machines on the network.

	  If you say Y here, the kernel's internal ARP cache will never grow
	  to more than 256 entries (the oldest entries are expired in a LIFO
	  manner) and communication will be attempted with the user space ARP
	  daemon arpd. Arpd then answers the address resolution request either
	  from its own cache or by asking the net.

	  This code is experimental and also obsolete. If you want to use it,
	  you need to find a version of the daemon arpd on the net somewhere,
	  and you should also say Y to "Kernel/User network link driver",
	  below. If unsure, say N.

config SYN_COOKIES
	bool "IP: TCP syncookie support (disabled per default)"
	depends on INET
	---help---
	  Normal TCP/IP networking is open to an attack known as "SYN
	  flooding". This denial-of-service attack prevents legitimate remote
	  users from being able to connect to your computer during an ongoing
	  attack and requires very little work from the attacker, who can
	  operate from anywhere on the Internet.

	  SYN cookies provide protection against this type of attack. If you
	  say Y here, the TCP/IP stack will use a cryptographic challenge
	  protocol known as "SYN cookies" to enable legitimate users to
	  continue to connect, even when your machine is under attack. There
	  is no need for the legitimate users to change their TCP/IP software;
	  SYN cookies work transparently to them. For technical information
	  about SYN cookies, check out <http://cr.yp.to/syncookies.html>.

	  If you are SYN flooded, the source address reported by the kernel is
	  likely to have been forged by the attacker; it is only reported as
	  an aid in tracing the packets to their actual source and should not
	  be taken as absolute truth.

	  SYN cookies may prevent correct error reporting on clients when the
	  server is really overloaded. If this happens frequently, better turn
	  them off.

	  If you say Y here, note that SYN cookies aren't enabled by default;
	  you can enable them by saying Y to "/proc file system support" and
	  "Sysctl support" below and executing the command

	  echo 1 >/proc/sys/net/ipv4/tcp_syncookies

	  at boot time after the /proc file system has been mounted.

	  If unsure, say N.

config INET_AH
	tristate "IP: AH transformation"
	depends on INET
	select XFRM
	select CRYPTO
	select CRYPTO_HMAC
	select CRYPTO_MD5
	select CRYPTO_SHA1
	---help---
	  Support for IPsec AH.

	  If unsure, say Y.

config INET_ESP
	tristate "IP: ESP transformation"
	depends on INET
	select XFRM
	select CRYPTO
	select CRYPTO_HMAC
	select CRYPTO_MD5
	select CRYPTO_SHA1
	select CRYPTO_DES
	---help---
	  Support for IPsec ESP.

	  If unsure, say Y.

config INET_IPCOMP
	tristate "IP: IPComp transformation"
	depends on INET
	select XFRM
	select INET_TUNNEL
	select CRYPTO
	select CRYPTO_DEFLATE
	---help---
	  Support for IP Payload Compression Protocol (IPComp) (RFC3173),
	  typically needed for IPsec.

	  If unsure, say Y.

config INET_TUNNEL
	tristate "IP: tunnel transformation"
	depends on INET
	select XFRM
	---help---
	  Support for generic IP tunnel transformation, which is required by
	  the IP tunneling module as well as tunnel mode IPComp.

	  If unsure, say Y.

config IP_TCPDIAG
	tristate "IP: TCP socket monitoring interface"
	depends on INET
	default y
	---help---
	  Support for TCP socket monitoring interface used by native Linux
	  tools such as ss. ss is included in iproute2, currently downloadable
	  at <http://developer.osdl.org/dev/iproute2>. If you want IPv6 support
	  and have selected IPv6 as a module, you need to build this as a
	  module too.

	  If unsure, say Y.

config IP_TCPDIAG_IPV6
	def_bool (IP_TCPDIAG=y && IPV6=y) || (IP_TCPDIAG=m && IPV6)

source "net/ipv4/ipvs/Kconfig"
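
An added example, not part of the kernel source: a POSIX shell check of the three runtime switches that the IP_ADVANCED_ROUTER and SYN_COOKIES help texts above name (`ip_forward`, `rp_filter`, `tcp_syncookies`). The function names and the optional root-directory argument are assumptions made here so the check can also run against a copied tree instead of the live /proc/sys.

```shell
#!/bin/sh
# Added example, not kernel source: report the runtime state of the
# /proc/sys/net/ipv4 switches named in the help texts of this Kconfig.
# Assumption: knob, rp_effective and audit_ipv4 are hypothetical names.

# Print the value stored in the file "$1", or "missing" if it is unreadable.
knob() {
	if [ -r "$1" ]; then
		tr -d ' \t\r\n' < "$1"
	else
		printf 'missing'
	fi
}

# Reverse-path filter state for one interface, following the help text:
# writing 0 to either conf/all or conf/<device> turns the filter off.
# $1 = value of conf/all/rp_filter, $2 = value of conf/<device>/rp_filter
rp_effective() {
	case "$1" in 0|missing) echo off; return ;; esac
	case "$2" in 0|missing) echo off; return ;; esac
	echo on
}

# audit_ipv4 [ROOT]: prints one line per switch; returns 1 if any WARN line
# was printed, 0 otherwise. ROOT defaults to /proc/sys.
audit_ipv4() {
	root=${1:-/proc/sys}
	ipv4="$root/net/ipv4"
	warn=0

	# Forwarding is reported, not judged: a router needs it, a host does not.
	echo "INFO ip_forward=$(knob "$ipv4/ip_forward")"

	cookies=$(knob "$ipv4/tcp_syncookies")
	if [ "$cookies" = 1 ]; then
		echo "OK   tcp_syncookies=1"
	else
		# Assumption: "missing" means the kernel was built without
		# SYN_COOKIES or without sysctl support.
		echo "WARN tcp_syncookies=$cookies"
		warn=1
	fi

	all=$(knob "$ipv4/conf/all/rp_filter")
	for dir in "$ipv4"/conf/*/; do
		[ -d "$dir" ] || continue
		dev=$(basename "$dir")
		# "all" and "default" are templates, not interfaces.
		case "$dev" in all|default) continue ;; esac
		own=$(knob "${dir}rp_filter")
		if [ "$(rp_effective "$all" "$own")" = on ]; then
			echo "OK   $dev rp_filter on (all=$all dev=$own)"
		else
			echo "WARN $dev rp_filter off (all=$all dev=$own)"
			warn=1
		fi
	done
	return "$warn"
}

# Audit the live system only when invoked as: sh <script> run [ROOT]
if [ "${1:-}" = run ]; then
	audit_ipv4 "${2:-/proc/sys}"
fi
```

Kernels later than this revision use the larger of the conf/all and per-interface rp_filter values, so `rp_effective` matches this file's help text only.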