#
# IP configuration
#
choice
	prompt "Choose IP: FIB lookup"
	depends on INET
	default IP_FIB_HASH

config IP_FIB_HASH
	bool "FIB_HASH"
	---help---
	  Current FIB is very proven and good enough for most users.

config IP_FIB_TRIE
	bool "FIB_TRIE"
	---help---
	  Use new experimental LC-trie as FIB lookup algorithm.
	  This improves lookup performance

	  LC-trie is described in:

	  IP-address lookup using LC-tries. Stefan Nilsson and Gunnar Karlsson
	  IEEE Journal on Selected Areas in Communications, 17(6):1083-1092, June 1999
	  An experimental study of compression methods for dynamic tries
	  Stefan Nilsson and Matti Tikkanen. Algorithmica, 33(1):19-33, 2002.
	  http://www.nada.kth.se/~snilsson/public/papers/dyntrie2/

endchoice

config IP_MULTICAST
	bool "IP: multicasting"
	depends on INET
	help
	  This is code for addressing several networked computers at once,
	  enlarging your kernel by about 2 KB. You need multicasting if you
	  intend to participate in the MBONE, a high bandwidth network on top
	  of the Internet which carries audio and video broadcasts. More
	  information about the MBONE is on the WWW at
	  <http://www-itg.lbl.gov/mbone/>. Information about the multicast
	  capabilities of the various network cards is contained in
	  <file:Documentation/networking/multicast.txt>. For most people, it's
	  safe to say N.

config IP_ADVANCED_ROUTER
	bool "IP: advanced router"
	depends on INET
	---help---
	  If you intend to run your Linux box mostly as a router, i.e. as a
	  computer that forwards and redistributes network packets, say Y; you
	  will then be presented with several options that allow more precise
	  control about the routing process.

	  The answer to this question won't directly affect the kernel:
	  answering N will just cause the configurator to skip all the
	  questions about advanced routing.

	  Note that your box can only act as a router if you enable IP
	  forwarding in your kernel; you can do that by saying Y to "/proc
	  file system support" and "Sysctl support" below and executing the
	  line

	  echo "1" > /proc/sys/net/ipv4/ip_forward

	  at boot time after the /proc file system has been mounted.

	  If you turn on IP forwarding, you will also get the rp_filter, which
	  automatically rejects incoming packets if the routing table entry
	  for their source address doesn't match the network interface they're
	  arriving on. This has security advantages because it prevents the
	  so-called IP spoofing, however it can pose problems if you use
	  asymmetric routing (packets from you to a host take a different path
	  than packets from that host to you) or if you operate a non-routing
	  host which has several IP addresses on different interfaces. To turn
	  rp_filter off use:

	  echo 0 > /proc/sys/net/ipv4/conf/<device>/rp_filter
	  or
	  echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter

	  If unsure, say N here.

config IP_MULTIPLE_TABLES
	bool "IP: policy routing"
	depends on IP_ADVANCED_ROUTER
	---help---
	  Normally, a router decides what to do with a received packet based
	  solely on the packet's final destination address. If you say Y here,
	  the Linux router will also be able to take the packet's source
	  address into account. Furthermore, the TOS (Type-Of-Service) field
	  of the packet can be used for routing decisions as well.

	  If you are interested in this, please see the preliminary
	  documentation at <http://www.compendium.com.ar/policy-routing.txt>
	  and <ftp://post.tepkom.ru/pub/vol2/Linux/docs/advanced-routing.tex>.
	  You will need supporting software from
	  <ftp://ftp.tux.org/pub/net/ip-routing/>.

	  If unsure, say N.

config IP_ROUTE_FWMARK
	bool "IP: use netfilter MARK value as routing key"
	depends on IP_MULTIPLE_TABLES && NETFILTER
	help
	  If you say Y here, you will be able to specify different routes for
	  packets with different mark values (see iptables(8), MARK target).

config IP_ROUTE_MULTIPATH
	bool "IP: equal cost multipath"
	depends on IP_ADVANCED_ROUTER
	help
	  Normally, the routing tables specify a single action to be taken in
	  a deterministic manner for a given packet. If you say Y here
	  however, it becomes possible to attach several actions to a packet
	  pattern, in effect specifying several alternative paths to travel
	  for those packets. The router considers all these paths to be of
	  equal "cost" and chooses one of them in a non-deterministic fashion
	  if a matching packet arrives.

config IP_ROUTE_MULTIPATH_CACHED
	bool "IP: equal cost multipath with caching support (EXPERIMENTAL)"
	depends on IP_ROUTE_MULTIPATH
	help
	  Normally, equal cost multipath routing is not supported by the
	  routing cache. If you say Y here, alternative routes are cached
	  and on cache lookup a route is chosen in a configurable fashion.

	  If unsure, say N.

config IP_ROUTE_MULTIPATH_RR
	tristate "MULTIPATH: round robin algorithm"
	depends on IP_ROUTE_MULTIPATH_CACHED
	help
	  Multipath routes are chosen according to Round Robin

config IP_ROUTE_MULTIPATH_RANDOM
	tristate "MULTIPATH: random algorithm"
	depends on IP_ROUTE_MULTIPATH_CACHED
	help
	  Multipath routes are chosen in a random fashion. Actually,
	  there is no weight for a route. The advantage of this policy
	  is that it is implemented stateless and therefore introduces only
	  a very small delay.

config IP_ROUTE_MULTIPATH_WRANDOM
	tristate "MULTIPATH: weighted random algorithm"
	depends on IP_ROUTE_MULTIPATH_CACHED
	help
	  Multipath routes are chosen in a weighted random fashion.
	  The per route weights are the weights visible via ip route 2. As the
	  corresponding state management introduces some overhead routing delay
	  is increased.

config IP_ROUTE_MULTIPATH_DRR
	tristate "MULTIPATH: interface round robin algorithm"
	depends on IP_ROUTE_MULTIPATH_CACHED
	help
	  Connections are distributed in a round robin fashion over the
	  available interfaces. This policy makes sense if the connections
	  should be primarily distributed on interfaces and not on routes.

config IP_ROUTE_VERBOSE
	bool "IP: verbose route monitoring"
	depends on IP_ADVANCED_ROUTER
	help
	  If you say Y here, which is recommended, then the kernel will print
	  verbose messages regarding the routing, for example warnings about
	  received packets which look strange and could be evidence of an
	  attack or a misconfigured system somewhere. The information is
	  handled by the klogd daemon which is responsible for kernel messages
	  ("man klogd").

config IP_PNP
	bool "IP: kernel level autoconfiguration"
	depends on INET
	help
	  This enables automatic configuration of IP addresses of devices and
	  of the routing table during kernel boot, based on either information
	  supplied on the kernel command line or by BOOTP or RARP protocols.
	  You need to say Y only for diskless machines requiring network
	  access to boot (in which case you want to say Y to "Root file system
	  on NFS" as well), because all other machines configure the network
	  in their startup scripts.

config IP_PNP_DHCP
	bool "IP: DHCP support"
	depends on IP_PNP
	---help---
	  If you want your Linux box to mount its whole root file system (the
	  one containing the directory /) from some other computer over the
	  net via NFS and you want the IP address of your computer to be
	  discovered automatically at boot time using the DHCP protocol (a
	  special protocol designed for doing this job), say Y here. In case
	  the boot ROM of your network card was designed for booting Linux and
	  does DHCP itself, providing all necessary information on the kernel
	  command line, you can say N here.

	  If unsure, say Y. Note that if you want to use DHCP, a DHCP server
	  must be operating on your network. Read
	  <file:Documentation/nfsroot.txt> for details.

config IP_PNP_BOOTP
	bool "IP: BOOTP support"
	depends on IP_PNP
	---help---
	  If you want your Linux box to mount its whole root file system (the
	  one containing the directory /) from some other computer over the
	  net via NFS and you want the IP address of your computer to be
	  discovered automatically at boot time using the BOOTP protocol (a
	  special protocol designed for doing this job), say Y here. In case
	  the boot ROM of your network card was designed for booting Linux and
	  does BOOTP itself, providing all necessary information on the kernel
	  command line, you can say N here. If unsure, say Y. Note that if you
	  want to use BOOTP, a BOOTP server must be operating on your network.
	  Read <file:Documentation/nfsroot.txt> for details.

config IP_PNP_RARP
	bool "IP: RARP support"
	depends on IP_PNP
	help
	  If you want your Linux box to mount its whole root file system (the
	  one containing the directory /) from some other computer over the
	  net via NFS and you want the IP address of your computer to be
	  discovered automatically at boot time using the RARP protocol (an
	  older protocol which is being obsoleted by BOOTP and DHCP), say Y
	  here. Note that if you want to use RARP, a RARP server must be
	  operating on your network. Read <file:Documentation/nfsroot.txt> for
	  details.

# not yet ready..
# bool ' IP: ARP support' CONFIG_IP_PNP_ARP
config NET_IPIP
	tristate "IP: tunneling"
	depends on INET
	select INET_TUNNEL
	---help---
	  Tunneling means encapsulating data of one protocol type within
	  another protocol and sending it over a channel that understands the
	  encapsulating protocol. This particular tunneling driver implements
	  encapsulation of IP within IP, which sounds kind of pointless, but
	  can be useful if you want to make your (or some other) machine
	  appear on a different network than it physically is, or to use
	  mobile-IP facilities (allowing laptops to seamlessly move between
	  networks without changing their IP addresses).

	  Saying Y to this option will produce two modules ( = code which can
	  be inserted in and removed from the running kernel whenever you
	  want). Most people won't need this and can say N.

config NET_IPGRE
	tristate "IP: GRE tunnels over IP"
	depends on INET
	select XFRM
	help
	  Tunneling means encapsulating data of one protocol type within
	  another protocol and sending it over a channel that understands the
	  encapsulating protocol. This particular tunneling driver implements
	  GRE (Generic Routing Encapsulation) and at this time allows
	  encapsulating of IPv4 or IPv6 over existing IPv4 infrastructure.
	  This driver is useful if the other endpoint is a Cisco router: Cisco
	  likes GRE much better than the other Linux tunneling driver ("IP
	  tunneling" above). In addition, GRE allows multicast redistribution
	  through the tunnel.

config NET_IPGRE_BROADCAST
	bool "IP: broadcast GRE over IP"
	depends on IP_MULTICAST && NET_IPGRE
	help
	  One application of GRE/IP is to construct a broadcast WAN (Wide Area
	  Network), which looks like a normal Ethernet LAN (Local Area
	  Network), but can be distributed all over the Internet. If you want
	  to do that, say Y here and to "IP multicast routing" below.

config IP_MROUTE
	bool "IP: multicast routing"
	depends on IP_MULTICAST
	help
	  This is used if you want your machine to act as a router for IP
	  packets that have several destination addresses. It is needed on the
	  MBONE, a high bandwidth network on top of the Internet which carries
	  audio and video broadcasts. In order to do that, you would most
	  likely run the program mrouted. Information about the multicast
	  capabilities of the various network cards is contained in
	  <file:Documentation/networking/multicast.txt>. If you haven't heard
	  about it, you don't need it.

config IP_PIMSM_V1
	bool "IP: PIM-SM version 1 support"
	depends on IP_MROUTE
	help
	  Kernel side support for Sparse Mode PIM (Protocol Independent
	  Multicast) version 1. This multicast routing protocol is used widely
	  because Cisco supports it. You need special software to use it
	  (pimd-v1). Please see <http://netweb.usc.edu/pim/> for more
	  information about PIM.

	  Say Y if you want to use PIM-SM v1. Note that you can say N here if
	  you just want to use Dense Mode PIM.

config IP_PIMSM_V2
	bool "IP: PIM-SM version 2 support"
	depends on IP_MROUTE
	help
	  Kernel side support for Sparse Mode PIM version 2. In order to use
	  this, you need an experimental routing daemon supporting it (pimd or
	  gated-5). This routing protocol is not used widely, so say N unless
	  you want to play with it.

config ARPD
	bool "IP: ARP daemon support (EXPERIMENTAL)"
	depends on INET && EXPERIMENTAL
	---help---
	  Normally, the kernel maintains an internal cache which maps IP
	  addresses to hardware addresses on the local network, so that
	  Ethernet/Token Ring/ etc. frames are sent to the proper address on
	  the physical networking layer. For small networks having a few
	  hundred directly connected hosts or less, keeping this address
	  resolution (ARP) cache inside the kernel works well. However,
	  maintaining an internal ARP cache does not work well for very large
	  switched networks, and will use a lot of kernel memory if TCP/IP
	  connections are made to many machines on the network.

	  If you say Y here, the kernel's internal ARP cache will never grow
	  to more than 256 entries (the oldest entries are expired in a LIFO
	  manner) and communication will be attempted with the user space ARP
	  daemon arpd. Arpd then answers the address resolution request either
	  from its own cache or by asking the net.

	  This code is experimental and also obsolete. If you want to use it,
	  you need to find a version of the daemon arpd on the net somewhere,
	  and you should also say Y to "Kernel/User network link driver",
	  below. If unsure, say N.

config SYN_COOKIES
	bool "IP: TCP syncookie support (disabled per default)"
	depends on INET
	---help---
	  Normal TCP/IP networking is open to an attack known as "SYN
	  flooding". This denial-of-service attack prevents legitimate remote
	  users from being able to connect to your computer during an ongoing
	  attack and requires very little work from the attacker, who can
	  operate from anywhere on the Internet.

	  SYN cookies provide protection against this type of attack. If you
	  say Y here, the TCP/IP stack will use a cryptographic challenge
	  protocol known as "SYN cookies" to enable legitimate users to
	  continue to connect, even when your machine is under attack. There
	  is no need for the legitimate users to change their TCP/IP software;
	  SYN cookies work transparently to them. For technical information
	  about SYN cookies, check out <http://cr.yp.to/syncookies.html>.

	  If you are SYN flooded, the source address reported by the kernel is
	  likely to have been forged by the attacker; it is only reported as
	  an aid in tracing the packets to their actual source and should not
	  be taken as absolute truth.

	  SYN cookies may prevent correct error reporting on clients when the
	  server is really overloaded. If this happens frequently better turn
	  them off.

	  If you say Y here, note that SYN cookies aren't enabled by default;
	  you can enable them by saying Y to "/proc file system support" and
	  "Sysctl support" below and executing the command

	  echo 1 >/proc/sys/net/ipv4/tcp_syncookies

	  at boot time after the /proc file system has been mounted.

	  If unsure, say N.

config INET_AH
	tristate "IP: AH transformation"
	depends on INET
	select XFRM
	select CRYPTO
	select CRYPTO_HMAC
	select CRYPTO_MD5
	select CRYPTO_SHA1
	---help---
	  Support for IPsec AH.

	  If unsure, say Y.

config INET_ESP
	tristate "IP: ESP transformation"
	depends on INET
	select XFRM
	select CRYPTO
	select CRYPTO_HMAC
	select CRYPTO_MD5
	select CRYPTO_SHA1
	select CRYPTO_DES
	---help---
	  Support for IPsec ESP.

	  If unsure, say Y.

config INET_IPCOMP
	tristate "IP: IPComp transformation"
	depends on INET
	select XFRM
	select INET_TUNNEL
	select CRYPTO
	select CRYPTO_DEFLATE
	---help---
	  Support for IP Payload Compression Protocol (IPComp) (RFC3173),
	  typically needed for IPsec.

	  If unsure, say Y.

config INET_TUNNEL
	tristate "IP: tunnel transformation"
	depends on INET
	select XFRM
	---help---
	  Support for generic IP tunnel transformation, which is required by
	  the IP tunneling module as well as tunnel mode IPComp.

	  If unsure, say Y.

config IP_TCPDIAG
	tristate "IP: TCP socket monitoring interface"
	depends on INET
	default y
	---help---
	  Support for TCP socket monitoring interface used by native Linux
	  tools such as ss. ss is included in iproute2, currently downloadable
	  at <http://developer.osdl.org/dev/iproute2>. If you want IPv6 support
	  and have selected IPv6 as a module, you need to build this as a
	  module too.

	  If unsure, say Y.

config IP_TCPDIAG_IPV6
	def_bool (IP_TCPDIAG=y && IPV6=y) || (IP_TCPDIAG=m && IPV6)

source "net/ipv4/ipvs/Kconfig"

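The help texts for IP_ADVANCED_ROUTER and SYN_COOKIES above name three runtime switches under /proc/sys/net/ipv4 (ip_forward, rp_filter, tcp_syncookies); the following script audits them on a host. It is an added example, not part of the kernel source: the function names and the PROC_ROOT argument are hypothetical, and the sample tree is constructed.

```shell
# Added example: audit the runtime switches named in the help texts above.
# Function names and the PROC_ROOT argument are hypothetical.

# read_flag FILE -> first line of FILE without whitespace, or "missing"
read_flag() {
    if [ -r "$1" ]; then
        head -n 1 "$1" | tr -d '[:space:]'
    else
        echo missing
    fi
}

# audit_ipv4 [PROC_ROOT] -> one line per finding; returns 1 if any WARN
audit_ipv4() {
    root="${1:-/proc}/sys/net/ipv4"
    findings=0

    fwd=$(read_flag "$root/ip_forward")
    echo "INFO ip_forward=$fwd"

    # Report raw rp_filter values per entry. How conf/all and conf/<device>
    # combine differs between kernel versions, so no "effective" value is
    # computed; any 0 on a forwarding host is flagged for review.
    for f in "$root"/conf/*/rp_filter; do
        [ -e "$f" ] || continue
        dev=$(basename "$(dirname "$f")")
        if [ "$fwd" = 1 ] && [ "$(read_flag "$f")" = 0 ]; then
            echo "WARN rp_filter=0 on $dev while ip_forward=1"
            findings=$((findings + 1))
        fi
    done

    syn=$(read_flag "$root/tcp_syncookies")
    case "$syn" in
        0) echo "WARN tcp_syncookies=0 (SYN cookies not enabled)"
           findings=$((findings + 1)) ;;
        *) echo "INFO tcp_syncookies=$syn" ;;
    esac

    [ "$findings" -eq 0 ]
}

# make_sample DIR -> constructed /proc-like tree for trying the audit offline
make_sample() {
    base="$1/sys/net/ipv4"
    mkdir -p "$base/conf/all" "$base/conf/eth0" "$base/conf/eth1"
    echo 1 > "$base/ip_forward"
    echo 1 > "$base/conf/all/rp_filter"
    echo 1 > "$base/conf/eth0/rp_filter"
    echo 0 > "$base/conf/eth1/rp_filter"   # constructed: one interface opted out
    echo 0 > "$base/tcp_syncookies"        # constructed: compiled in, not enabled
}
```

Calling `audit_ipv4` with no argument reads the live /proc; a WARN for rp_filter on a host with asymmetric routing may be intentional, as the help text notes.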