1# 2# IP configuration 3# 4config IP_MULTICAST 5 bool "IP: multicasting" 6 help 7 This is code for addressing several networked computers at once, 8 enlarging your kernel by about 2 KB. You need multicasting if you 9 intend to participate in the MBONE, a high bandwidth network on top 10 of the Internet which carries audio and video broadcasts. More 11 information about the MBONE is on the WWW at 12 <http://www.savetz.com/mbone/>. Information about the multicast 13 capabilities of the various network cards is contained in 14 <file:Documentation/networking/multicast.txt>. For most people, it's 15 safe to say N. 16 17config IP_ADVANCED_ROUTER 18 bool "IP: advanced router" 19 ---help--- 20 If you intend to run your Linux box mostly as a router, i.e. as a 21 computer that forwards and redistributes network packets, say Y; you 22 will then be presented with several options that allow more precise 23 control about the routing process. 24 25 The answer to this question won't directly affect the kernel: 26 answering N will just cause the configurator to skip all the 27 questions about advanced routing. 28 29 Note that your box can only act as a router if you enable IP 30 forwarding in your kernel; you can do that by saying Y to "/proc 31 file system support" and "Sysctl support" below and executing the 32 line 33 34 echo "1" > /proc/sys/net/ipv4/ip_forward 35 36 at boot time after the /proc file system has been mounted. 37 38 If you turn on IP forwarding, you will also get the rp_filter, which 39 automatically rejects incoming packets if the routing table entry 40 for their source address doesn't match the network interface they're 41 arriving on. This has security advantages because it prevents the 42 so-called IP spoofing, however it can pose problems if you use 43 asymmetric routing (packets from you to a host take a different path 44 than packets from that host to you) or if you operate a non-routing 45 host which has several IP addresses on different interfaces. To turn 46 rp_filter on use: 47 48 echo 1 > /proc/sys/net/ipv4/conf/<device>/rp_filter 49 or 50 echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter 51 52 If unsure, say N here. 53 54choice 55 prompt "Choose IP: FIB lookup algorithm (choose FIB_HASH if unsure)" 56 depends on IP_ADVANCED_ROUTER 57 default ASK_IP_FIB_HASH 58 59config ASK_IP_FIB_HASH 60 bool "FIB_HASH" 61 ---help--- 62 Current FIB is very proven and good enough for most users. 63 64config IP_FIB_TRIE 65 bool "FIB_TRIE" 66 ---help--- 67 Use new experimental LC-trie as FIB lookup algorithm. 68 This improves lookup performance if you have a large 69 number of routes. 70 71 LC-trie is a longest matching prefix lookup algorithm which 72 performs better than FIB_HASH for large routing tables. 73 But, it consumes more memory and is more complex. 74 75 LC-trie is described in: 76 77 IP-address lookup using LC-tries. Stefan Nilsson and Gunnar Karlsson 78 IEEE Journal on Selected Areas in Communications, 17(6):1083-1092, June 1999 79 An experimental study of compression methods for dynamic tries 80 Stefan Nilsson and Matti Tikkanen. Algorithmica, 33(1):19-33, 2002. 81 http://www.nada.kth.se/~snilsson/public/papers/dyntrie2/ 82 83endchoice 84 85config IP_FIB_HASH 86 def_bool ASK_IP_FIB_HASH || !IP_ADVANCED_ROUTER 87 88config IP_MULTIPLE_TABLES 89 bool "IP: policy routing" 90 depends on IP_ADVANCED_ROUTER 91 select FIB_RULES 92 ---help--- 93 Normally, a router decides what to do with a received packet based 94 solely on the packet's final destination address. If you say Y here, 95 the Linux router will also be able to take the packet's source 96 address into account. Furthermore, the TOS (Type-Of-Service) field 97 of the packet can be used for routing decisions as well. 98 99 If you are interested in this, please see the preliminary 100 documentation at <http://www.compendium.com.ar/policy-routing.txt> 101 and <ftp://post.tepkom.ru/pub/vol2/Linux/docs/advanced-routing.tex>. 102 You will need supporting software from 103 <ftp://ftp.tux.org/pub/net/ip-routing/>. 104 105 If unsure, say N. 106 107config IP_ROUTE_MULTIPATH 108 bool "IP: equal cost multipath" 109 depends on IP_ADVANCED_ROUTER 110 help 111 Normally, the routing tables specify a single action to be taken in 112 a deterministic manner for a given packet. If you say Y here 113 however, it becomes possible to attach several actions to a packet 114 pattern, in effect specifying several alternative paths to travel 115 for those packets. The router considers all these paths to be of 116 equal "cost" and chooses one of them in a non-deterministic fashion 117 if a matching packet arrives. 118 119config IP_ROUTE_VERBOSE 120 bool "IP: verbose route monitoring" 121 depends on IP_ADVANCED_ROUTER 122 help 123 If you say Y here, which is recommended, then the kernel will print 124 verbose messages regarding the routing, for example warnings about 125 received packets which look strange and could be evidence of an 126 attack or a misconfigured system somewhere. The information is 127 handled by the klogd daemon which is responsible for kernel messages 128 ("man klogd"). 129 130config IP_PNP 131 bool "IP: kernel level autoconfiguration" 132 help 133 This enables automatic configuration of IP addresses of devices and 134 of the routing table during kernel boot, based on either information 135 supplied on the kernel command line or by BOOTP or RARP protocols. 136 You need to say Y only for diskless machines requiring network 137 access to boot (in which case you want to say Y to "Root file system 138 on NFS" as well), because all other machines configure the network 139 in their startup scripts. 140 141config IP_PNP_DHCP 142 bool "IP: DHCP support" 143 depends on IP_PNP 144 ---help--- 145 If you want your Linux box to mount its whole root file system (the 146 one containing the directory /) from some other computer over the 147 net via NFS and you want the IP address of your computer to be 148 discovered automatically at boot time using the DHCP protocol (a 149 special protocol designed for doing this job), say Y here. In case 150 the boot ROM of your network card was designed for booting Linux and 151 does DHCP itself, providing all necessary information on the kernel 152 command line, you can say N here. 153 154 If unsure, say Y. Note that if you want to use DHCP, a DHCP server 155 must be operating on your network. Read 156 <file:Documentation/nfsroot.txt> for details. 157 158config IP_PNP_BOOTP 159 bool "IP: BOOTP support" 160 depends on IP_PNP 161 ---help--- 162 If you want your Linux box to mount its whole root file system (the 163 one containing the directory /) from some other computer over the 164 net via NFS and you want the IP address of your computer to be 165 discovered automatically at boot time using the BOOTP protocol (a 166 special protocol designed for doing this job), say Y here. In case 167 the boot ROM of your network card was designed for booting Linux and 168 does BOOTP itself, providing all necessary information on the kernel 169 command line, you can say N here. If unsure, say Y. Note that if you 170 want to use BOOTP, a BOOTP server must be operating on your network. 171 Read <file:Documentation/nfsroot.txt> for details. 172 173config IP_PNP_RARP 174 bool "IP: RARP support" 175 depends on IP_PNP 176 help 177 If you want your Linux box to mount its whole root file system (the 178 one containing the directory /) from some other computer over the 179 net via NFS and you want the IP address of your computer to be 180 discovered automatically at boot time using the RARP protocol (an 181 older protocol which is being obsoleted by BOOTP and DHCP), say Y 182 here. Note that if you want to use RARP, a RARP server must be 183 operating on your network. Read <file:Documentation/nfsroot.txt> for 184 details. 185 186# not yet ready.. 187# bool ' IP: ARP support' CONFIG_IP_PNP_ARP 188config NET_IPIP 189 tristate "IP: tunneling" 190 select INET_TUNNEL 191 ---help--- 192 Tunneling means encapsulating data of one protocol type within 193 another protocol and sending it over a channel that understands the 194 encapsulating protocol. This particular tunneling driver implements 195 encapsulation of IP within IP, which sounds kind of pointless, but 196 can be useful if you want to make your (or some other) machine 197 appear on a different network than it physically is, or to use 198 mobile-IP facilities (allowing laptops to seamlessly move between 199 networks without changing their IP addresses). 200 201 Saying Y to this option will produce two modules ( = code which can 202 be inserted in and removed from the running kernel whenever you 203 want). Most people won't need this and can say N. 204 205config NET_IPGRE 206 tristate "IP: GRE tunnels over IP" 207 help 208 Tunneling means encapsulating data of one protocol type within 209 another protocol and sending it over a channel that understands the 210 encapsulating protocol. This particular tunneling driver implements 211 GRE (Generic Routing Encapsulation) and at this time allows 212 encapsulating of IPv4 or IPv6 over existing IPv4 infrastructure. 213 This driver is useful if the other endpoint is a Cisco router: Cisco 214 likes GRE much better than the other Linux tunneling driver ("IP 215 tunneling" above). In addition, GRE allows multicast redistribution 216 through the tunnel. 217 218config NET_IPGRE_BROADCAST 219 bool "IP: broadcast GRE over IP" 220 depends on IP_MULTICAST && NET_IPGRE 221 help 222 One application of GRE/IP is to construct a broadcast WAN (Wide Area 223 Network), which looks like a normal Ethernet LAN (Local Area 224 Network), but can be distributed all over the Internet. If you want 225 to do that, say Y here and to "IP multicast routing" below. 226 227config IP_MROUTE 228 bool "IP: multicast routing" 229 depends on IP_MULTICAST 230 help 231 This is used if you want your machine to act as a router for IP 232 packets that have several destination addresses. It is needed on the 233 MBONE, a high bandwidth network on top of the Internet which carries 234 audio and video broadcasts. In order to do that, you would most 235 likely run the program mrouted. Information about the multicast 236 capabilities of the various network cards is contained in 237 <file:Documentation/networking/multicast.txt>. If you haven't heard 238 about it, you don't need it. 239 240config IP_PIMSM_V1 241 bool "IP: PIM-SM version 1 support" 242 depends on IP_MROUTE 243 help 244 Kernel side support for Sparse Mode PIM (Protocol Independent 245 Multicast) version 1. This multicast routing protocol is used widely 246 because Cisco supports it. You need special software to use it 247 (pimd-v1). Please see <http://netweb.usc.edu/pim/> for more 248 information about PIM. 249 250 Say Y if you want to use PIM-SM v1. Note that you can say N here if 251 you just want to use Dense Mode PIM. 252 253config IP_PIMSM_V2 254 bool "IP: PIM-SM version 2 support" 255 depends on IP_MROUTE 256 help 257 Kernel side support for Sparse Mode PIM version 2. In order to use 258 this, you need an experimental routing daemon supporting it (pimd or 259 gated-5). This routing protocol is not used widely, so say N unless 260 you want to play with it. 261 262config ARPD 263 bool "IP: ARP daemon support (EXPERIMENTAL)" 264 depends on EXPERIMENTAL 265 ---help--- 266 Normally, the kernel maintains an internal cache which maps IP 267 addresses to hardware addresses on the local network, so that 268 Ethernet/Token Ring/ etc. frames are sent to the proper address on 269 the physical networking layer. For small networks having a few 270 hundred directly connected hosts or less, keeping this address 271 resolution (ARP) cache inside the kernel works well. However, 272 maintaining an internal ARP cache does not work well for very large 273 switched networks, and will use a lot of kernel memory if TCP/IP 274 connections are made to many machines on the network. 275 276 If you say Y here, the kernel's internal ARP cache will never grow 277 to more than 256 entries (the oldest entries are expired in a LIFO 278 manner) and communication will be attempted with the user space ARP 279 daemon arpd. Arpd then answers the address resolution request either 280 from its own cache or by asking the net. 281 282 This code is experimental and also obsolete. If you want to use it, 283 you need to find a version of the daemon arpd on the net somewhere, 284 and you should also say Y to "Kernel/User network link driver", 285 below. If unsure, say N. 286 287config SYN_COOKIES 288 bool "IP: TCP syncookie support (disabled per default)" 289 ---help--- 290 Normal TCP/IP networking is open to an attack known as "SYN 291 flooding". This denial-of-service attack prevents legitimate remote 292 users from being able to connect to your computer during an ongoing 293 attack and requires very little work from the attacker, who can 294 operate from anywhere on the Internet. 295 296 SYN cookies provide protection against this type of attack. If you 297 say Y here, the TCP/IP stack will use a cryptographic challenge 298 protocol known as "SYN cookies" to enable legitimate users to 299 continue to connect, even when your machine is under attack. There 300 is no need for the legitimate users to change their TCP/IP software; 301 SYN cookies work transparently to them. For technical information 302 about SYN cookies, check out <http://cr.yp.to/syncookies.html>. 303 304 If you are SYN flooded, the source address reported by the kernel is 305 likely to have been forged by the attacker; it is only reported as 306 an aid in tracing the packets to their actual source and should not 307 be taken as absolute truth. 308 309 SYN cookies may prevent correct error reporting on clients when the 310 server is really overloaded. If this happens frequently better turn 311 them off. 312 313 If you say Y here, note that SYN cookies aren't enabled by default; 314 you can enable them by saying Y to "/proc file system support" and 315 "Sysctl support" below and executing the command 316 317 echo 1 >/proc/sys/net/ipv4/tcp_syncookies 318 319 at boot time after the /proc file system has been mounted. 320 321 If unsure, say N. 322 323config INET_AH 324 tristate "IP: AH transformation" 325 select XFRM 326 select CRYPTO 327 select CRYPTO_HMAC 328 select CRYPTO_MD5 329 select CRYPTO_SHA1 330 ---help--- 331 Support for IPsec AH. 332 333 If unsure, say Y. 334 335config INET_ESP 336 tristate "IP: ESP transformation" 337 select XFRM 338 select CRYPTO 339 select CRYPTO_HMAC 340 select CRYPTO_MD5 341 select CRYPTO_CBC 342 select CRYPTO_SHA1 343 select CRYPTO_DES 344 ---help--- 345 Support for IPsec ESP. 346 347 If unsure, say Y. 348 349config INET_IPCOMP 350 tristate "IP: IPComp transformation" 351 select XFRM 352 select INET_XFRM_TUNNEL 353 select CRYPTO 354 select CRYPTO_DEFLATE 355 ---help--- 356 Support for IP Payload Compression Protocol (IPComp) (RFC3173), 357 typically needed for IPsec. 358 359 If unsure, say Y. 360 361config INET_XFRM_TUNNEL 362 tristate 363 select INET_TUNNEL 364 default n 365 366config INET_TUNNEL 367 tristate 368 default n 369 370config INET_XFRM_MODE_TRANSPORT 371 tristate "IP: IPsec transport mode" 372 default y 373 select XFRM 374 ---help--- 375 Support for IPsec transport mode. 376 377 If unsure, say Y. 378 379config INET_XFRM_MODE_TUNNEL 380 tristate "IP: IPsec tunnel mode" 381 default y 382 select XFRM 383 ---help--- 384 Support for IPsec tunnel mode. 385 386 If unsure, say Y. 387 388config INET_XFRM_MODE_BEET 389 tristate "IP: IPsec BEET mode" 390 default y 391 select XFRM 392 ---help--- 393 Support for IPsec BEET mode. 394 395 If unsure, say Y. 396 397config INET_LRO 398 tristate "Large Receive Offload (ipv4/tcp)" 399 400 ---help--- 401 Support for Large Receive Offload (ipv4/tcp). 402 403 If unsure, say Y. 404 405config INET_DIAG 406 tristate "INET: socket monitoring interface" 407 default y 408 ---help--- 409 Support for INET (TCP, DCCP, etc) socket monitoring interface used by 410 native Linux tools such as ss. ss is included in iproute2, currently 411 downloadable at <http://linux-net.osdl.org/index.php/Iproute2>. 412 413 If unsure, say Y. 414 415config INET_TCP_DIAG 416 depends on INET_DIAG 417 def_tristate INET_DIAG 418 419menuconfig TCP_CONG_ADVANCED 420 bool "TCP: advanced congestion control" 421 ---help--- 422 Support for selection of various TCP congestion control 423 modules. 424 425 Nearly all users can safely say no here, and a safe default 426 selection will be made (CUBIC with new Reno as a fallback). 427 428 If unsure, say N. 429 430if TCP_CONG_ADVANCED 431 432config TCP_CONG_BIC 433 tristate "Binary Increase Congestion (BIC) control" 434 default m 435 ---help--- 436 BIC-TCP is a sender-side only change that ensures a linear RTT 437 fairness under large windows while offering both scalability and 438 bounded TCP-friendliness. The protocol combines two schemes 439 called additive increase and binary search increase. When the 440 congestion window is large, additive increase with a large 441 increment ensures linear RTT fairness as well as good 442 scalability. Under small congestion windows, binary search 443 increase provides TCP friendliness. 444 See http://www.csc.ncsu.edu/faculty/rhee/export/bitcp/ 445 446config TCP_CONG_CUBIC 447 tristate "CUBIC TCP" 448 default y 449 ---help--- 450 This is version 2.0 of BIC-TCP which uses a cubic growth function 451 among other techniques. 452 See http://www.csc.ncsu.edu/faculty/rhee/export/bitcp/cubic-paper.pdf 453 454config TCP_CONG_WESTWOOD 455 tristate "TCP Westwood+" 456 default m 457 ---help--- 458 TCP Westwood+ is a sender-side only modification of the TCP Reno 459 protocol stack that optimizes the performance of TCP congestion 460 control. It is based on end-to-end bandwidth estimation to set 461 congestion window and slow start threshold after a congestion 462 episode. Using this estimation, TCP Westwood+ adaptively sets a 463 slow start threshold and a congestion window which takes into 464 account the bandwidth used at the time congestion is experienced. 465 TCP Westwood+ significantly increases fairness wrt TCP Reno in 466 wired networks and throughput over wireless links. 467 468config TCP_CONG_HTCP 469 tristate "H-TCP" 470 default m 471 ---help--- 472 H-TCP is a send-side only modifications of the TCP Reno 473 protocol stack that optimizes the performance of TCP 474 congestion control for high speed network links. It uses a 475 modeswitch to change the alpha and beta parameters of TCP Reno 476 based on network conditions and in a way so as to be fair with 477 other Reno and H-TCP flows. 478 479config TCP_CONG_HSTCP 480 tristate "High Speed TCP" 481 depends on EXPERIMENTAL 482 default n 483 ---help--- 484 Sally Floyd's High Speed TCP (RFC 3649) congestion control. 485 A modification to TCP's congestion control mechanism for use 486 with large congestion windows. A table indicates how much to 487 increase the congestion window by when an ACK is received. 488 For more detail see http://www.icir.org/floyd/hstcp.html 489 490config TCP_CONG_HYBLA 491 tristate "TCP-Hybla congestion control algorithm" 492 depends on EXPERIMENTAL 493 default n 494 ---help--- 495 TCP-Hybla is a sender-side only change that eliminates penalization of 496 long-RTT, large-bandwidth connections, like when satellite legs are 497 involved, especially when sharing a common bottleneck with normal 498 terrestrial connections. 499 500config TCP_CONG_VEGAS 501 tristate "TCP Vegas" 502 depends on EXPERIMENTAL 503 default n 504 ---help--- 505 TCP Vegas is a sender-side only change to TCP that anticipates 506 the onset of congestion by estimating the bandwidth. TCP Vegas 507 adjusts the sending rate by modifying the congestion 508 window. TCP Vegas should provide less packet loss, but it is 509 not as aggressive as TCP Reno. 510 511config TCP_CONG_SCALABLE 512 tristate "Scalable TCP" 513 depends on EXPERIMENTAL 514 default n 515 ---help--- 516 Scalable TCP is a sender-side only change to TCP which uses a 517 MIMD congestion control algorithm which has some nice scaling 518 properties, though is known to have fairness issues. 519 See http://www.deneholme.net/tom/scalable/ 520 521config TCP_CONG_LP 522 tristate "TCP Low Priority" 523 depends on EXPERIMENTAL 524 default n 525 ---help--- 526 TCP Low Priority (TCP-LP), a distributed algorithm whose goal is 527 to utilize only the excess network bandwidth as compared to the 528 ``fair share`` of bandwidth as targeted by TCP. 529 See http://www-ece.rice.edu/networks/TCP-LP/ 530 531config TCP_CONG_VENO 532 tristate "TCP Veno" 533 depends on EXPERIMENTAL 534 default n 535 ---help--- 536 TCP Veno is a sender-side only enhancement of TCP to obtain better 537 throughput over wireless networks. TCP Veno makes use of state 538 distinguishing to circumvent the difficult judgment of the packet loss 539 type. TCP Veno cuts down less congestion window in response to random 540 loss packets. 541 See http://www.ntu.edu.sg/home5/ZHOU0022/papers/CPFu03a.pdf 542 543config TCP_CONG_YEAH 544 tristate "YeAH TCP" 545 depends on EXPERIMENTAL 546 select TCP_CONG_VEGAS 547 default n 548 ---help--- 549 YeAH-TCP is a sender-side high-speed enabled TCP congestion control 550 algorithm, which uses a mixed loss/delay approach to compute the 551 congestion window. It's design goals target high efficiency, 552 internal, RTT and Reno fairness, resilience to link loss while 553 keeping network elements load as low as possible. 554 555 For further details look here: 556 http://wil.cs.caltech.edu/pfldnet2007/paper/YeAH_TCP.pdf 557 558config TCP_CONG_ILLINOIS 559 tristate "TCP Illinois" 560 depends on EXPERIMENTAL 561 default n 562 ---help--- 563 TCP-Illinois is a sender-side modificatio of TCP Reno for 564 high speed long delay links. It uses round-trip-time to 565 adjust the alpha and beta parameters to achieve a higher average 566 throughput and maintain fairness. 567 568 For further details see: 569 http://www.ews.uiuc.edu/~shaoliu/tcpillinois/index.html 570 571choice 572 prompt "Default TCP congestion control" 573 default DEFAULT_CUBIC 574 help 575 Select the TCP congestion control that will be used by default 576 for all connections. 577 578 config DEFAULT_BIC 579 bool "Bic" if TCP_CONG_BIC=y 580 581 config DEFAULT_CUBIC 582 bool "Cubic" if TCP_CONG_CUBIC=y 583 584 config DEFAULT_HTCP 585 bool "Htcp" if TCP_CONG_HTCP=y 586 587 config DEFAULT_VEGAS 588 bool "Vegas" if TCP_CONG_VEGAS=y 589 590 config DEFAULT_WESTWOOD 591 bool "Westwood" if TCP_CONG_WESTWOOD=y 592 593 config DEFAULT_RENO 594 bool "Reno" 595 596endchoice 597 598endif 599 600config TCP_CONG_CUBIC 601 tristate 602 depends on !TCP_CONG_ADVANCED 603 default y 604 605config DEFAULT_TCP_CONG 606 string 607 default "bic" if DEFAULT_BIC 608 default "cubic" if DEFAULT_CUBIC 609 default "htcp" if DEFAULT_HTCP 610 default "vegas" if DEFAULT_VEGAS 611 default "westwood" if DEFAULT_WESTWOOD 612 default "reno" if DEFAULT_RENO 613 default "cubic" 614 615config TCP_MD5SIG 616 bool "TCP: MD5 Signature Option support (RFC2385) (EXPERIMENTAL)" 617 depends on EXPERIMENTAL 618 select CRYPTO 619 select CRYPTO_MD5 620 ---help--- 621 RFC2385 specifies a method of giving MD5 protection to TCP sessions. 622 Its main (only?) use is to protect BGP sessions between core routers 623 on the Internet. 624 625 If unsure, say N. 626 627source "net/ipv4/ipvs/Kconfig" 628 629