#
# IP configuration
#
config IP_MULTICAST
	bool "IP: multicasting"
	help
	  This is code for addressing several networked computers at once,
	  enlarging your kernel by about 2 KB. You need multicasting if you
	  intend to participate in the MBONE, a high bandwidth network on top
	  of the Internet which carries audio and video broadcasts. More
	  information about the MBONE is on the WWW at
	  <http://www.savetz.com/mbone/>. Information about the multicast
	  capabilities of the various network cards is contained in
	  <file:Documentation/networking/multicast.txt>. For most people, it's
	  safe to say N.

config IP_ADVANCED_ROUTER
	bool "IP: advanced router"
	---help---
	  If you intend to run your Linux box mostly as a router, i.e. as a
	  computer that forwards and redistributes network packets, say Y; you
	  will then be presented with several options that allow more precise
	  control about the routing process.

	  The answer to this question won't directly affect the kernel:
	  answering N will just cause the configurator to skip all the
	  questions about advanced routing.

	  Note that your box can only act as a router if you enable IP
	  forwarding in your kernel; you can do that by saying Y to "/proc
	  file system support" and "Sysctl support" below and executing the
	  line

	    echo "1" > /proc/sys/net/ipv4/ip_forward

	  at boot time after the /proc file system has been mounted.

	  If you turn on IP forwarding, you should consider the rp_filter, which
	  automatically rejects incoming packets if the routing table entry
	  for their source address doesn't match the network interface they're
	  arriving on. This has security advantages because it prevents the
	  so-called IP spoofing, however it can pose problems if you use
	  asymmetric routing (packets from you to a host take a different path
	  than packets from that host to you) or if you operate a non-routing
	  host which has several IP addresses on different interfaces. To turn
	  rp_filter on use:

	    echo 1 > /proc/sys/net/ipv4/conf/<device>/rp_filter
	  or
	    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

	  Note that some distributions enable it in startup scripts.
	  For details about rp_filter strict and loose mode read
	  <file:Documentation/networking/ip-sysctl.txt>.

	  If unsure, say N here.
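
# Added example, not part of the kernel tree: a shell audit of the rp_filter
# setting discussed in the IP_ADVANCED_ROUTER help text above. It assumes the
# rule from ip-sysctl.txt that the kernel applies the larger of conf/all and
# conf/<device> (0 = off, 1 = strict, 2 = loose); the function names, the
# sysctl-root argument and the sample tree are constructed for this example.

```shell
#!/bin/sh
# Added example (not kernel code). Function names and the ROOT argument are
# assumptions of this example; on a live system ROOT is /proc/sys.

# effective_rp_filter ROOT DEV
# Print the value applied to DEV: the larger of conf/all and conf/DEV.
effective_rp_filter() {
    erf_all=$(cat "$1/net/ipv4/conf/all/rp_filter")
    erf_dev=$(cat "$1/net/ipv4/conf/$2/rp_filter")
    if [ "$erf_all" -gt "$erf_dev" ]; then
        echo "$erf_all"
    else
        echo "$erf_dev"
    fi
}

# audit_rp_filter [ROOT]
# Print "<device> <effective value> <mode>" for every interface and return 1
# when IP forwarding is on while some interface does no source validation.
audit_rp_filter() {
    arf_root=${1:-/proc/sys}
    arf_fwd=$(cat "$arf_root/net/ipv4/ip_forward")
    arf_rc=0
    for arf_dir in "$arf_root"/net/ipv4/conf/*/; do
        arf_dev=$(basename "$arf_dir")
        # "all" and "default" are not interfaces.
        case $arf_dev in all|default) continue ;; esac
        arf_eff=$(effective_rp_filter "$arf_root" "$arf_dev")
        case $arf_eff in
            0) arf_mode=off
               if [ "$arf_fwd" = 1 ]; then arf_rc=1; fi ;;
            1) arf_mode=strict ;;
            2) arf_mode=loose ;;
            *) arf_mode=unknown ;;
        esac
        echo "$arf_dev $arf_eff $arf_mode"
    done
    return "$arf_rc"
}

# make_sample_tree DIR
# Build a constructed sysctl tree: forwarding on, eth0 strict, eth1 off,
# tun0 loose, conf/all left at 0.
make_sample_tree() {
    for mst_dev in all default eth0 eth1 tun0; do
        mkdir -p "$1/net/ipv4/conf/$mst_dev"
        echo 0 > "$1/net/ipv4/conf/$mst_dev/rp_filter"
    done
    echo 1 > "$1/net/ipv4/ip_forward"
    echo 1 > "$1/net/ipv4/conf/eth0/rp_filter"
    echo 2 > "$1/net/ipv4/conf/tun0/rp_filter"
}

# Demo on the constructed tree.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
audit_rp_filter "$demo_root" || echo "forwarding is on and an interface has rp_filter off"
rm -rf "$demo_root"
```

# On a router, run audit_rp_filter with no argument to read /proc/sys directly.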

config IP_FIB_TRIE_STATS
	bool "FIB TRIE statistics"
	depends on IP_ADVANCED_ROUTER
	---help---
	  Keep track of statistics on structure of FIB TRIE table.
	  Useful for testing and measuring TRIE performance.

config IP_MULTIPLE_TABLES
	bool "IP: policy routing"
	depends on IP_ADVANCED_ROUTER
	select FIB_RULES
	---help---
	  Normally, a router decides what to do with a received packet based
	  solely on the packet's final destination address. If you say Y here,
	  the Linux router will also be able to take the packet's source
	  address into account. Furthermore, the TOS (Type-Of-Service) field
	  of the packet can be used for routing decisions as well.

	  If you are interested in this, please see the preliminary
	  documentation at <http://www.compendium.com.ar/policy-routing.txt>
	  and <ftp://post.tepkom.ru/pub/vol2/Linux/docs/advanced-routing.tex>.
	  You will need supporting software from
	  <ftp://ftp.tux.org/pub/net/ip-routing/>.

	  If unsure, say N.

config IP_ROUTE_MULTIPATH
	bool "IP: equal cost multipath"
	depends on IP_ADVANCED_ROUTER
	help
	  Normally, the routing tables specify a single action to be taken in
	  a deterministic manner for a given packet. If you say Y here
	  however, it becomes possible to attach several actions to a packet
	  pattern, in effect specifying several alternative paths to travel
	  for those packets. The router considers all these paths to be of
	  equal "cost" and chooses one of them in a non-deterministic fashion
	  if a matching packet arrives.

config IP_ROUTE_VERBOSE
	bool "IP: verbose route monitoring"
	depends on IP_ADVANCED_ROUTER
	help
	  If you say Y here, which is recommended, then the kernel will print
	  verbose messages regarding the routing, for example warnings about
	  received packets which look strange and could be evidence of an
	  attack or a misconfigured system somewhere. The information is
	  handled by the klogd daemon which is responsible for kernel messages
	  ("man klogd").

config IP_ROUTE_CLASSID
	bool

config IP_PNP
	bool "IP: kernel level autoconfiguration"
	help
	  This enables automatic configuration of IP addresses of devices and
	  of the routing table during kernel boot, based on either information
	  supplied on the kernel command line or by BOOTP or RARP protocols.
	  You need to say Y only for diskless machines requiring network
	  access to boot (in which case you want to say Y to "Root file system
	  on NFS" as well), because all other machines configure the network
	  in their startup scripts.

config IP_PNP_DHCP
	bool "IP: DHCP support"
	depends on IP_PNP
	---help---
	  If you want your Linux box to mount its whole root file system (the
	  one containing the directory /) from some other computer over the
	  net via NFS and you want the IP address of your computer to be
	  discovered automatically at boot time using the DHCP protocol (a
	  special protocol designed for doing this job), say Y here. In case
	  the boot ROM of your network card was designed for booting Linux and
	  does DHCP itself, providing all necessary information on the kernel
	  command line, you can say N here.

	  If unsure, say Y.
	  Note that if you want to use DHCP, a DHCP server
	  must be operating on your network. Read
	  <file:Documentation/filesystems/nfs/nfsroot.txt> for details.

config IP_PNP_BOOTP
	bool "IP: BOOTP support"
	depends on IP_PNP
	---help---
	  If you want your Linux box to mount its whole root file system (the
	  one containing the directory /) from some other computer over the
	  net via NFS and you want the IP address of your computer to be
	  discovered automatically at boot time using the BOOTP protocol (a
	  special protocol designed for doing this job), say Y here. In case
	  the boot ROM of your network card was designed for booting Linux and
	  does BOOTP itself, providing all necessary information on the kernel
	  command line, you can say N here. If unsure, say Y. Note that if you
	  want to use BOOTP, a BOOTP server must be operating on your network.
	  Read <file:Documentation/filesystems/nfs/nfsroot.txt> for details.

config IP_PNP_RARP
	bool "IP: RARP support"
	depends on IP_PNP
	help
	  If you want your Linux box to mount its whole root file system (the
	  one containing the directory /) from some other computer over the
	  net via NFS and you want the IP address of your computer to be
	  discovered automatically at boot time using the RARP protocol (an
	  older protocol which is being obsoleted by BOOTP and DHCP), say Y
	  here. Note that if you want to use RARP, a RARP server must be
	  operating on your network. Read
	  <file:Documentation/filesystems/nfs/nfsroot.txt> for details.

# not yet ready..
#   bool '    IP: ARP support' CONFIG_IP_PNP_ARP
config NET_IPIP
	tristate "IP: tunneling"
	select INET_TUNNEL
	---help---
	  Tunneling means encapsulating data of one protocol type within
	  another protocol and sending it over a channel that understands the
	  encapsulating protocol. This particular tunneling driver implements
	  encapsulation of IP within IP, which sounds kind of pointless, but
	  can be useful if you want to make your (or some other) machine
	  appear on a different network than it physically is, or to use
	  mobile-IP facilities (allowing laptops to seamlessly move between
	  networks without changing their IP addresses).

	  Saying Y to this option will produce two modules ( = code which can
	  be inserted in and removed from the running kernel whenever you
	  want). Most people won't need this and can say N.

config NET_IPGRE_DEMUX
	tristate "IP: GRE demultiplexer"
	help
	  This is a helper module to demultiplex GRE packets on GRE version field criteria.
	  Required by ip_gre and pptp modules.

config NET_IPGRE
	tristate "IP: GRE tunnels over IP"
	depends on (IPV6 || IPV6=n) && NET_IPGRE_DEMUX
	help
	  Tunneling means encapsulating data of one protocol type within
	  another protocol and sending it over a channel that understands the
	  encapsulating protocol. This particular tunneling driver implements
	  GRE (Generic Routing Encapsulation) and at this time allows
	  encapsulating of IPv4 or IPv6 over existing IPv4 infrastructure.
	  This driver is useful if the other endpoint is a Cisco router: Cisco
	  likes GRE much better than the other Linux tunneling driver ("IP
	  tunneling" above). In addition, GRE allows multicast redistribution
	  through the tunnel.

config NET_IPGRE_BROADCAST
	bool "IP: broadcast GRE over IP"
	depends on IP_MULTICAST && NET_IPGRE
	help
	  One application of GRE/IP is to construct a broadcast WAN (Wide Area
	  Network), which looks like a normal Ethernet LAN (Local Area
	  Network), but can be distributed all over the Internet. If you want
	  to do that, say Y here and to "IP multicast routing" below.

config IP_MROUTE
	bool "IP: multicast routing"
	depends on IP_MULTICAST
	help
	  This is used if you want your machine to act as a router for IP
	  packets that have several destination addresses. It is needed on the
	  MBONE, a high bandwidth network on top of the Internet which carries
	  audio and video broadcasts. In order to do that, you would most
	  likely run the program mrouted. Information about the multicast
	  capabilities of the various network cards is contained in
	  <file:Documentation/networking/multicast.txt>. If you haven't heard
	  about it, you don't need it.

config IP_MROUTE_MULTIPLE_TABLES
	bool "IP: multicast policy routing"
	depends on IP_MROUTE && IP_ADVANCED_ROUTER
	select FIB_RULES
	help
	  Normally, a multicast router runs a userspace daemon and decides
	  what to do with a multicast packet based on the source and
	  destination addresses. If you say Y here, the multicast router
	  will also be able to take interfaces and packet marks into
	  account and run multiple instances of userspace daemons
	  simultaneously, each one handling a single table.

	  If unsure, say N.

config IP_PIMSM_V1
	bool "IP: PIM-SM version 1 support"
	depends on IP_MROUTE
	help
	  Kernel side support for Sparse Mode PIM (Protocol Independent
	  Multicast) version 1. This multicast routing protocol is used widely
	  because Cisco supports it. You need special software to use it
	  (pimd-v1). Please see <http://netweb.usc.edu/pim/> for more
	  information about PIM.

	  Say Y if you want to use PIM-SM v1. Note that you can say N here if
	  you just want to use Dense Mode PIM.

config IP_PIMSM_V2
	bool "IP: PIM-SM version 2 support"
	depends on IP_MROUTE
	help
	  Kernel side support for Sparse Mode PIM version 2. In order to use
	  this, you need an experimental routing daemon supporting it (pimd or
	  gated-5). This routing protocol is not used widely, so say N unless
	  you want to play with it.

config ARPD
	bool "IP: ARP daemon support"
	---help---
	  The kernel maintains an internal cache which maps IP addresses to
	  hardware addresses on the local network, so that Ethernet/Token Ring/
	  etc. frames are sent to the proper address on the physical networking
	  layer. Normally, the kernel uses the ARP protocol to resolve these
	  mappings.

	  Saying Y here adds support to have a user space daemon to do this
	  resolution instead. This is useful for implementing an alternate
	  address resolution protocol (e.g. NHRP on mGRE tunnels) and also for
	  testing purposes.

	  If unsure, say N.

config SYN_COOKIES
	bool "IP: TCP syncookie support"
	---help---
	  Normal TCP/IP networking is open to an attack known as "SYN
	  flooding".
	  This denial-of-service attack prevents legitimate remote
	  users from being able to connect to your computer during an ongoing
	  attack and requires very little work from the attacker, who can
	  operate from anywhere on the Internet.

	  SYN cookies provide protection against this type of attack. If you
	  say Y here, the TCP/IP stack will use a cryptographic challenge
	  protocol known as "SYN cookies" to enable legitimate users to
	  continue to connect, even when your machine is under attack. There
	  is no need for the legitimate users to change their TCP/IP software;
	  SYN cookies work transparently to them. For technical information
	  about SYN cookies, check out <http://cr.yp.to/syncookies.html>.

	  If you are SYN flooded, the source address reported by the kernel is
	  likely to have been forged by the attacker; it is only reported as
	  an aid in tracing the packets to their actual source and should not
	  be taken as absolute truth.

	  SYN cookies may prevent correct error reporting on clients when the
	  server is really overloaded. If this happens frequently, better turn
	  them off.

	  If you say Y here, you can disable SYN cookies at run time by
	  saying Y to "/proc file system support" and
	  "Sysctl support" below and executing the command

	    echo 0 > /proc/sys/net/ipv4/tcp_syncookies

	  after the /proc file system has been mounted.

	  If unsure, say N.

config INET_AH
	tristate "IP: AH transformation"
	select XFRM
	select CRYPTO
	select CRYPTO_HMAC
	select CRYPTO_MD5
	select CRYPTO_SHA1
	---help---
	  Support for IPsec AH.

	  If unsure, say Y.

config INET_ESP
	tristate "IP: ESP transformation"
	select XFRM
	select CRYPTO
	select CRYPTO_AUTHENC
	select CRYPTO_HMAC
	select CRYPTO_MD5
	select CRYPTO_CBC
	select CRYPTO_SHA1
	select CRYPTO_DES
	---help---
	  Support for IPsec ESP.

	  If unsure, say Y.

config INET_IPCOMP
	tristate "IP: IPComp transformation"
	select INET_XFRM_TUNNEL
	select XFRM_IPCOMP
	---help---
	  Support for IP Payload Compression Protocol (IPComp) (RFC3173),
	  typically needed for IPsec.

	  If unsure, say Y.

config INET_XFRM_TUNNEL
	tristate
	select INET_TUNNEL
	default n

config INET_TUNNEL
	tristate
	default n

config INET_XFRM_MODE_TRANSPORT
	tristate "IP: IPsec transport mode"
	default y
	select XFRM
	---help---
	  Support for IPsec transport mode.

	  If unsure, say Y.

config INET_XFRM_MODE_TUNNEL
	tristate "IP: IPsec tunnel mode"
	default y
	select XFRM
	---help---
	  Support for IPsec tunnel mode.

	  If unsure, say Y.

config INET_XFRM_MODE_BEET
	tristate "IP: IPsec BEET mode"
	default y
	select XFRM
	---help---
	  Support for IPsec BEET mode.

	  If unsure, say Y.

config INET_LRO
	tristate "Large Receive Offload (ipv4/tcp)"
	default y
	---help---
	  Support for Large Receive Offload (ipv4/tcp).

	  If unsure, say Y.

config INET_DIAG
	tristate "INET: socket monitoring interface"
	default y
	---help---
	  Support for INET (TCP, DCCP, etc) socket monitoring interface used by
	  native Linux tools such as ss. ss is included in iproute2, currently
	  downloadable at:

	    http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2

	  If unsure, say Y.

config INET_TCP_DIAG
	depends on INET_DIAG
	def_tristate INET_DIAG

config INET_UDP_DIAG
	tristate "UDP: socket monitoring interface"
	depends on INET_DIAG
	default n
	---help---
	  Support for UDP socket monitoring interface used by the ss tool.
	  If unsure, say Y.

menuconfig TCP_CONG_ADVANCED
	bool "TCP: advanced congestion control"
	---help---
	  Support for selection of various TCP congestion control
	  modules.

	  Nearly all users can safely say no here, and a safe default
	  selection will be made (CUBIC with new Reno as a fallback).

	  If unsure, say N.

if TCP_CONG_ADVANCED

config TCP_CONG_BIC
	tristate "Binary Increase Congestion (BIC) control"
	default m
	---help---
	  BIC-TCP is a sender-side only change that ensures a linear RTT
	  fairness under large windows while offering both scalability and
	  bounded TCP-friendliness. The protocol combines two schemes
	  called additive increase and binary search increase. When the
	  congestion window is large, additive increase with a large
	  increment ensures linear RTT fairness as well as good
	  scalability. Under small congestion windows, binary search
	  increase provides TCP friendliness.
	  See http://www.csc.ncsu.edu/faculty/rhee/export/bitcp/

config TCP_CONG_CUBIC
	tristate "CUBIC TCP"
	default y
	---help---
	  This is version 2.0 of BIC-TCP which uses a cubic growth function
	  among other techniques.
	  See http://www.csc.ncsu.edu/faculty/rhee/export/bitcp/cubic-paper.pdf

config TCP_CONG_WESTWOOD
	tristate "TCP Westwood+"
	default m
	---help---
	  TCP Westwood+ is a sender-side only modification of the TCP Reno
	  protocol stack that optimizes the performance of TCP congestion
	  control. It is based on end-to-end bandwidth estimation to set
	  congestion window and slow start threshold after a congestion
	  episode. Using this estimation, TCP Westwood+ adaptively sets a
	  slow start threshold and a congestion window which takes into
	  account the bandwidth used at the time congestion is experienced.
	  TCP Westwood+ significantly increases fairness wrt TCP Reno in
	  wired networks and throughput over wireless links.

config TCP_CONG_HTCP
	tristate "H-TCP"
	default m
	---help---
	  H-TCP is a send-side only modification of the TCP Reno
	  protocol stack that optimizes the performance of TCP
	  congestion control for high speed network links. It uses a
	  modeswitch to change the alpha and beta parameters of TCP Reno
	  based on network conditions and in a way so as to be fair with
	  other Reno and H-TCP flows.

config TCP_CONG_HSTCP
	tristate "High Speed TCP"
	depends on EXPERIMENTAL
	default n
	---help---
	  Sally Floyd's High Speed TCP (RFC 3649) congestion control.
	  A modification to TCP's congestion control mechanism for use
	  with large congestion windows. A table indicates how much to
	  increase the congestion window by when an ACK is received.
	  For more detail see http://www.icir.org/floyd/hstcp.html

config TCP_CONG_HYBLA
	tristate "TCP-Hybla congestion control algorithm"
	depends on EXPERIMENTAL
	default n
	---help---
	  TCP-Hybla is a sender-side only change that eliminates penalization of
	  long-RTT, large-bandwidth connections, like when satellite legs are
	  involved, especially when sharing a common bottleneck with normal
	  terrestrial connections.

config TCP_CONG_VEGAS
	tristate "TCP Vegas"
	depends on EXPERIMENTAL
	default n
	---help---
	  TCP Vegas is a sender-side only change to TCP that anticipates
	  the onset of congestion by estimating the bandwidth. TCP Vegas
	  adjusts the sending rate by modifying the congestion
	  window. TCP Vegas should provide less packet loss, but it is
	  not as aggressive as TCP Reno.

config TCP_CONG_SCALABLE
	tristate "Scalable TCP"
	depends on EXPERIMENTAL
	default n
	---help---
	  Scalable TCP is a sender-side only change to TCP which uses a
	  MIMD congestion control algorithm which has some nice scaling
	  properties, though is known to have fairness issues.
	  See http://www.deneholme.net/tom/scalable/

config TCP_CONG_LP
	tristate "TCP Low Priority"
	depends on EXPERIMENTAL
	default n
	---help---
	  TCP Low Priority (TCP-LP), a distributed algorithm whose goal is
	  to utilize only the excess network bandwidth as compared to the
	  ``fair share`` of bandwidth as targeted by TCP.
	  See http://www-ece.rice.edu/networks/TCP-LP/

config TCP_CONG_VENO
	tristate "TCP Veno"
	depends on EXPERIMENTAL
	default n
	---help---
	  TCP Veno is a sender-side only enhancement of TCP to obtain better
	  throughput over wireless networks. TCP Veno makes use of state
	  distinguishing to circumvent the difficult judgment of the packet loss
	  type. TCP Veno cuts down less congestion window in response to random
	  loss packets.
	  See <http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=1177186>

Castellaniconfig TCP_CONG_YEAH 5455ef81475SAngelo P. Castellani tristate "YeAH TCP" 5465ef81475SAngelo P. Castellani depends on EXPERIMENTAL 5472ff011efSDavid S. Miller select TCP_CONG_VEGAS 5485ef81475SAngelo P. Castellani default n 5495ef81475SAngelo P. Castellani ---help--- 5505ef81475SAngelo P. Castellani YeAH-TCP is a sender-side high-speed enabled TCP congestion control 5515ef81475SAngelo P. Castellani algorithm, which uses a mixed loss/delay approach to compute the 5525ef81475SAngelo P. Castellani congestion window. It's design goals target high efficiency, 5535ef81475SAngelo P. Castellani internal, RTT and Reno fairness, resilience to link loss while 5545ef81475SAngelo P. Castellani keeping network elements load as low as possible. 5555ef81475SAngelo P. Castellani 5565ef81475SAngelo P. Castellani For further details look here: 5575ef81475SAngelo P. Castellani http://wil.cs.caltech.edu/pfldnet2007/paper/YeAH_TCP.pdf 5585ef81475SAngelo P. Castellani 559c462238dSStephen Hemmingerconfig TCP_CONG_ILLINOIS 560c462238dSStephen Hemminger tristate "TCP Illinois" 561c462238dSStephen Hemminger depends on EXPERIMENTAL 562c462238dSStephen Hemminger default n 563c462238dSStephen Hemminger ---help--- 56401dd2fbfSMatt LaPlante TCP-Illinois is a sender-side modification of TCP Reno for 565c462238dSStephen Hemminger high speed long delay links. It uses round-trip-time to 566c462238dSStephen Hemminger adjust the alpha and beta parameters to achieve a higher average 567c462238dSStephen Hemminger throughput and maintain fairness. 

	  For further details see:
	    http://www.ews.uiuc.edu/~shaoliu/tcpillinois/index.html

choice
	prompt "Default TCP congestion control"
	default DEFAULT_CUBIC
	help
	  Select the TCP congestion control that will be used by default
	  for all connections.

	config DEFAULT_BIC
		bool "Bic" if TCP_CONG_BIC=y

	config DEFAULT_CUBIC
		bool "Cubic" if TCP_CONG_CUBIC=y

	config DEFAULT_HTCP
		bool "Htcp" if TCP_CONG_HTCP=y

	config DEFAULT_HYBLA
		bool "Hybla" if TCP_CONG_HYBLA=y

	config DEFAULT_VEGAS
		bool "Vegas" if TCP_CONG_VEGAS=y

	config DEFAULT_VENO
		bool "Veno" if TCP_CONG_VENO=y

	config DEFAULT_WESTWOOD
		bool "Westwood" if TCP_CONG_WESTWOOD=y

	config DEFAULT_RENO
		bool "Reno"

endchoice

endif

config TCP_CONG_CUBIC
	tristate
	depends on !TCP_CONG_ADVANCED
	default y

config DEFAULT_TCP_CONG
	string
	default "bic" if DEFAULT_BIC
	default "cubic" if DEFAULT_CUBIC
	default "htcp" if DEFAULT_HTCP
	default "hybla" if DEFAULT_HYBLA
	default "vegas" if DEFAULT_VEGAS
	default "westwood" if DEFAULT_WESTWOOD
	default "veno" if DEFAULT_VENO
	default "reno" if DEFAULT_RENO
	default "cubic"

config TCP_MD5SIG
	bool "TCP: MD5 Signature Option support (RFC2385) (EXPERIMENTAL)"
	depends on EXPERIMENTAL
	select CRYPTO
	select CRYPTO_MD5
	---help---
	  RFC2385 specifies a method of giving MD5 protection to TCP sessions.
	  Its main (only?) use is to protect BGP sessions between core routers
	  on the Internet.

	  If unsure, say N.
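How a routing daemon would use TCP_MD5SIG once the option is built in, as an added example that is not part of the kernel source: the helper names md5sig_fill and md5sig_probe, the TEST-NET-1 address and the key are assumptions made for illustration. A kernel built without TCP_MD5SIG is expected to reject the setsockopt with ENOPROTOOPT, which the probe reports as 0.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper: build the per-peer key record for an IPv4 peer.
 * Returns 0, or -1 if the address does not parse or the key is empty or too long. */
int md5sig_fill(struct tcp_md5sig *sig, const char *peer_ip, const char *key)
{
    struct sockaddr_in peer = { .sin_family = AF_INET };
    size_t klen = strlen(key);
    if (klen == 0 || klen > TCP_MD5SIG_MAXKEYLEN)
        return -1;
    if (inet_pton(AF_INET, peer_ip, &peer.sin_addr) != 1)
        return -1;
    memset(sig, 0, sizeof(*sig));
    memcpy(&sig->tcpm_addr, &peer, sizeof(peer));
    sig->tcpm_keylen = (unsigned short)klen;
    memcpy(sig->tcpm_key, key, klen);
    return 0;
}

/* Hypothetical helper: install the key on a fresh socket. Returns 1 if the kernel
 * accepted it, 0 on ENOPROTOOPT (option not supported), -1 on any other failure. */
int md5sig_probe(const char *peer_ip, const char *key)
{
    struct tcp_md5sig sig;
    int fd, rc;
    if (md5sig_fill(&sig, peer_ip, key) != 0)
        return -1;
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return -1;
    rc = setsockopt(fd, IPPROTO_TCP, TCP_MD5SIG, &sig, sizeof(sig));
    rc = (rc == 0) ? 1 : (errno == ENOPROTOOPT ? 0 : -1);
    close(fd);
    return rc;
}

int main(void)
{
    /* Constructed sample values: TEST-NET-1 address and a made-up key. */
    printf("TCP_MD5SIG probe: %d\n", md5sig_probe("192.0.2.1", "example-key"));
    return 0;
}
```

Both peers must configure the same key, and on the active side it has to be set before connect() so that the SYN itself is signed.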