xref: /linux/net/Kconfig (revision 8a398a0c189ead8bbce98f5be70b8ea0e30b21f8)
1# SPDX-License-Identifier: GPL-2.0-only
2#
3# Network configuration
4#
5
6menuconfig NET
7	bool "Networking support"
8	select NLATTR
9	select GENERIC_NET_UTILS
10	select BPF
11	help
12	  Unless you really know what you are doing, you should say Y here.
13	  The reason is that some programs need kernel networking support even
14	  when running on a stand-alone machine that isn't connected to any
15	  other computer.
16
17	  If you are upgrading from an older kernel, you
18	  should consider updating your networking tools too because changes
19	  in the kernel and the tools often go hand in hand. The tools are
20	  contained in the package net-tools, the location and version number
21	  of which are given in <file:Documentation/Changes>.
22
23	  For a general introduction to Linux networking, it is highly
24	  recommended to read the NET-HOWTO, available from
25	  <http://www.tldp.org/docs.html#howto>.
26
27if NET
28
29config WANT_COMPAT_NETLINK_MESSAGES
30	bool
31	help
32	  This option can be selected by other options that need compat
33	  netlink messages.
34
35config COMPAT_NETLINK_MESSAGES
36	def_bool y
37	depends on COMPAT
38	depends on WEXT_CORE || WANT_COMPAT_NETLINK_MESSAGES
39	help
40	  This option makes it possible to send different netlink messages
41	  to tasks depending on whether the task is a compat task or not. To
42	  achieve this, you need to set skb_shinfo(skb)->frag_list to the
43	  compat skb before sending the skb; the netlink code will sort out
44	  which message to actually pass to the task.
45
46	  Newly written code should NEVER need this option; it should use
47	  compat-independent messages instead!
48
49config NET_INGRESS
50	bool
51
52config NET_EGRESS
53	bool
54
55config NET_XGRESS
56	select NET_INGRESS
57	select NET_EGRESS
58	bool
59
60config NET_REDIRECT
61	bool
62
63config SKB_DECRYPTED
64	bool
65
66config SKB_EXTENSIONS
67	bool
68
69config NET_DEVMEM
70	def_bool y
71	select GENERIC_ALLOCATOR
72	depends on DMA_SHARED_BUFFER
73	depends on PAGE_POOL
74
75config NET_SHAPER
76	bool
77
78config NET_CRC32C
79	bool
80	select CRC32
81
82menu "Networking options"
83
84source "net/packet/Kconfig"
85source "net/psp/Kconfig"
86source "net/unix/Kconfig"
87source "net/tls/Kconfig"
88source "net/xfrm/Kconfig"
89source "net/iucv/Kconfig"
90source "net/smc/Kconfig"
91source "drivers/dibs/Kconfig"
92source "net/xdp/Kconfig"
93
94config NET_HANDSHAKE
95	bool
96	depends on SUNRPC || NVME_TARGET_TCP || NVME_TCP
97	default y
98
99config NET_HANDSHAKE_KUNIT_TEST
100	tristate "KUnit tests for the handshake upcall mechanism" if !KUNIT_ALL_TESTS
101	default KUNIT_ALL_TESTS
102	depends on KUNIT
103	help
104	  This builds the KUnit tests for the handshake upcall mechanism.
105
106	  KUnit tests run during boot and output the results to the debug
107	  log in TAP format (https://testanything.org/). They are only useful
108	  for kernel developers running the KUnit test harness and are not
109	  meant for inclusion in a production build.
110
111	  For more information on KUnit and unit tests in general, refer
112	  to the KUnit documentation in Documentation/dev-tools/kunit/.
113
114config INET
115	bool "TCP/IP networking"
116	help
117	  These are the protocols used on the Internet and on most local
118	  Ethernets. It is highly recommended to say Y here (this will enlarge
119	  your kernel by about 400 KB), since some programs (e.g. the X window
120	  system) use TCP/IP even if your machine is not connected to any
121	  other computer. You will get the so-called loopback device which
122	  allows you to ping yourself (great fun, that!).
123
124	  For an excellent introduction to Linux networking, please read the
125	  Linux Networking HOWTO, available from
126	  <http://www.tldp.org/docs.html#howto>.
127
128	  If you say Y here and also to "/proc file system support" and
129	  "Sysctl support" below, you can change various aspects of the
130	  behavior of the TCP/IP code by writing to the (virtual) files in
131	  /proc/sys/net/ipv4/*; the options are explained in the file
132	  <file:Documentation/networking/ip-sysctl.rst>.
133
134	  Short answer: say Y.
135
136if INET
137source "net/ipv4/Kconfig"
138source "net/ipv6/Kconfig"
139source "net/netlabel/Kconfig"
140source "net/mptcp/Kconfig"
141
142endif # if INET
143
144config NETWORK_SECMARK
145	bool "Security Marking"
146	help
147	  This enables security marking of network packets, similar
148	  to nfmark, but designated for security purposes.
149	  If you are unsure how to answer this question, answer N.
150
151config NET_PTP_CLASSIFY
152	def_bool n
153
154config NETWORK_PHY_TIMESTAMPING
155	bool "Timestamping in PHY devices"
156	select NET_PTP_CLASSIFY
157	help
158	  This allows timestamping of network packets by PHYs (or
159	  other MII bus snooping devices) with hardware timestamping
160	  capabilities. This option adds some overhead in the transmit
161	  and receive paths.
162
163	  If you are unsure how to answer this question, answer N.
164
165menuconfig NETFILTER
166	bool "Network packet filtering framework (Netfilter)"
167	help
168	  Netfilter is a framework for filtering and mangling network packets
169	  that pass through your Linux box.
170
171	  The most common use of packet filtering is to run your Linux box as
172	  a firewall protecting a local network from the Internet. The type of
173	  firewall provided by this kernel support is called a "packet
174	  filter", which means that it can reject individual network packets
175	  based on type, source, destination etc. The other kind of firewall,
176	  a "proxy-based" one, is more secure but more intrusive and more
177	  bothersome to set up; it inspects the network traffic much more
178	  closely, modifies it and has knowledge about the higher level
179	  protocols, which a packet filter lacks. Moreover, proxy-based
180	  firewalls often require changes to the programs running on the local
181	  clients. Proxy-based firewalls don't need support by the kernel, but
182	  they are often combined with a packet filter, which only works if
183	  you say Y here.
184
185	  You should also say Y here if you intend to use your Linux box as
186	  the gateway to the Internet for a local network of machines without
187	  globally valid IP addresses. This is called "masquerading": if one
188	  of the computers on your local network wants to send something to
189	  the outside, your box can "masquerade" as that computer, i.e. it
190	  forwards the traffic to the intended outside destination, but
191	  modifies the packets to make it look like they came from the
192	  firewall box itself. It works both ways: if the outside host
193	  replies, the Linux box will silently forward the traffic to the
194	  correct local computer. This way, the computers on your local net
195	  are completely invisible to the outside world, even though they can
196	  reach the outside and can receive replies. It is even possible to
197	  run globally visible servers from within a masqueraded local network
198	  using a mechanism called portforwarding. Masquerading is also often
199	  called NAT (Network Address Translation).
200
201	  Another use of Netfilter is in transparent proxying: if a machine on
202	  the local network tries to connect to an outside host, your Linux
203	  box can transparently forward the traffic to a local server,
204	  typically a caching proxy server.
205
206	  Yet another use of Netfilter is building a bridging firewall. Using
207	  a bridge with Network packet filtering enabled makes iptables "see"
208	  the bridged traffic. For filtering on the lower network and Ethernet
209	  protocols over the bridge, use ebtables (under bridge netfilter
210	  configuration).
211
212	  Various modules exist for netfilter which replace the previous
213	  masquerading (ipmasqadm), packet filtering (ipchains), transparent
214	  proxying, and portforwarding mechanisms. Please see
215	  <file:Documentation/Changes> under "iptables" for the location of
216	  these packages.
217
218if NETFILTER
219
220config NETFILTER_ADVANCED
221	bool "Advanced netfilter configuration"
222	depends on NETFILTER
223	default y
224	help
225	  If you say Y here you can select between all the netfilter modules.
226	  If you say N the more unusual ones will not be shown and the
227	  basic ones needed by most people will default to 'M'.
228
229	  If unsure, say Y.
230
231config BRIDGE_NETFILTER
232	tristate "Bridged IP/ARP packets filtering"
233	depends on BRIDGE
234	depends on NETFILTER && INET
235	depends on NETFILTER_ADVANCED
236	select NETFILTER_FAMILY_BRIDGE
237	select SKB_EXTENSIONS
238	help
239	  Enabling this option will let arptables and iptables see bridged
240	  ARP and IP traffic, respectively. If you want a bridging firewall,
241	  you probably want this option enabled.
242	  Enabling or disabling this option doesn't enable or disable
243	  ebtables.
244
245	  If unsure, say N.
246
247source "net/netfilter/Kconfig"
248source "net/ipv4/netfilter/Kconfig"
249source "net/ipv6/netfilter/Kconfig"
250source "net/bridge/netfilter/Kconfig"
251
252endif # if NETFILTER
253
254source "net/sctp/Kconfig"
255source "net/rds/Kconfig"
256source "net/tipc/Kconfig"
257source "net/atm/Kconfig"
258source "net/l2tp/Kconfig"
259source "net/802/Kconfig"
260source "net/bridge/Kconfig"
261source "net/dsa/Kconfig"
262source "net/8021q/Kconfig"
263source "net/llc/Kconfig"
264source "net/x25/Kconfig"
265source "net/lapb/Kconfig"
266source "net/phonet/Kconfig"
267source "net/6lowpan/Kconfig"
268source "net/ieee802154/Kconfig"
269source "net/mac802154/Kconfig"
270source "net/sched/Kconfig"
271source "net/dcb/Kconfig"
272source "net/dns_resolver/Kconfig"
273source "net/batman-adv/Kconfig"
274source "net/openvswitch/Kconfig"
275source "net/vmw_vsock/Kconfig"
276source "net/netlink/Kconfig"
277source "net/mpls/Kconfig"
278source "net/nsh/Kconfig"
279source "net/hsr/Kconfig"
280source "net/switchdev/Kconfig"
281source "net/l3mdev/Kconfig"
282source "net/qrtr/Kconfig"
283source "net/ncsi/Kconfig"
284
285config PCPU_DEV_REFCNT
286	bool "Use percpu variables to maintain network device refcount"
287	depends on SMP
288	default y
289	help
290	  Network device refcounts use per-CPU variables if this option is set.
291	  This can be forced to N to detect underflows (with a performance drop).
292
293config MAX_SKB_FRAGS
294	int "Maximum number of fragments per skb_shared_info"
295	range 17 45
296	default 17
297	help
298	  Having more fragments per skb_shared_info can help GRO efficiency.
299	  This helps BIG TCP workloads, but might expose bugs in some
300	  legacy drivers.
301	  This also increases memory overhead of small packets,
302	  and in drivers using build_skb().
303	  If unsure, say 17.
304
305config RPS
306	bool "Receive packet steering"
307	depends on SMP && SYSFS
308	default y
309	help
310	  Software receive side packet steering (RPS) distributes the
311	  load of received packet processing across multiple CPUs.
312
313config RFS_ACCEL
314	bool "Hardware acceleration of RFS"
315	depends on RPS
316	select CPU_RMAP
317	default y
318	help
319	  Allow drivers for multiqueue hardware with flow filter tables to
320	  accelerate RFS.
321
322config SOCK_RX_QUEUE_MAPPING
323	bool
324
325config XPS
326	bool
327	depends on SMP
328	select SOCK_RX_QUEUE_MAPPING
329	default y
330
331config HWBM
332	bool
333
334config CGROUP_NET_PRIO
335	bool "Network priority cgroup"
336	depends on CGROUPS
337	select SOCK_CGROUP_DATA
338	help
339	  Cgroup subsystem for use in assigning processes to network priorities on
340	  a per-interface basis.
341
342config CGROUP_NET_CLASSID
343	bool "Network classid cgroup"
344	depends on CGROUPS
345	select SOCK_CGROUP_DATA
346	help
347	  Cgroup subsystem for use as a general-purpose socket classid marker
348	  that is used in cls_cgroup and for netfilter matching.
349
350config NET_RX_BUSY_POLL
351	bool
352	default y if !PREEMPT_RT || (PREEMPT_RT && !NETCONSOLE)
353
354config BQL
355	bool
356	prompt "Enable Byte Queue Limits"
357	depends on SYSFS
358	select DQL
359	default y
360
361config BPF_STREAM_PARSER
362	bool "enable BPF STREAM_PARSER"
363	depends on INET
364	depends on BPF_SYSCALL
365	depends on CGROUP_BPF
366	select STREAM_PARSER
367	select NET_SOCK_MSG
368	help
369	  Enabling this allows a TCP stream parser to be used with
370	  BPF_MAP_TYPE_SOCKMAP.
371
372config NET_FLOW_LIMIT
373	bool "Net flow limit"
374	depends on RPS
375	default y
376	help
377	  The network stack has to drop packets when a receive processing CPU's
378	  backlog reaches netdev_max_backlog. If a few out of many active flows
379	  generate the vast majority of load, drop their traffic earlier to
380	  maintain capacity for the other flows. This feature provides servers
381	  with many clients some protection against DoS by a single (spoofed)
382	  flow that greatly exceeds average workload.
383
384menu "Network testing"
385
386config NET_PKTGEN
387	tristate "Packet Generator (USE WITH CAUTION)"
388	depends on INET && PROC_FS
389	help
390	  This module will inject preconfigured packets, at a configurable
391	  rate, out of a given interface.  It is used for network interface
392	  stress testing and performance analysis.  If you don't understand
393	  what was just said, you don't need it: say N.
394
395	  Documentation on how to use the packet generator can be found
396	  at <file:Documentation/networking/pktgen.rst>.
397
398	  To compile this code as a module, choose M here: the
399	  module will be called pktgen.
400
401config NET_DROP_MONITOR
402	tristate "Legacy network packet drop alerting service"
403	depends on INET && TRACEPOINTS
404	help
405	  This feature provides an alerting service to userspace in the
406	  event that packets are discarded in the network stack.  Alerts
407	  are broadcast via netlink socket to any listening user space
408	  process. This feature is NOT related to "perf" based drop monitoring.
409	  Say N here unless you need to support older userspace tools like
410	  "dropwatch".
411
412endmenu # Network testing
413
414endmenu # Networking options
415
416source "net/can/Kconfig"
417source "net/bluetooth/Kconfig"
418source "net/rxrpc/Kconfig"
419source "net/kcm/Kconfig"
420source "net/strparser/Kconfig"
421source "net/mctp/Kconfig"
422
423config FIB_RULES
424	bool
425
426menuconfig WIRELESS
427	bool "Wireless"
428	depends on !S390
429	default y
430
431if WIRELESS
432
433source "net/wireless/Kconfig"
434source "net/mac80211/Kconfig"
435
436endif # WIRELESS
437
438source "net/rfkill/Kconfig"
439source "net/9p/Kconfig"
440source "net/ceph/Kconfig"
441source "net/nfc/Kconfig"
442source "net/psample/Kconfig"
443source "net/ife/Kconfig"
444
445config LWTUNNEL
446	bool "Network light weight tunnels"
447	help
448	  This feature provides an infrastructure to support light weight
449	  tunnels like mpls. There is no netdevice associated with a light
450	  weight tunnel endpoint. Tunnel encapsulation parameters are stored
451	  with light weight tunnel state associated with fib routes.
452
453config LWTUNNEL_BPF
454	bool "Execute BPF program as route nexthop action"
455	depends on LWTUNNEL && INET
456	default y if LWTUNNEL=y
457	help
458	  Allows BPF programs to be run as a nexthop action following a route
459	  lookup for incoming and outgoing packets.
460
461config DST_CACHE
462	bool
463	default n
464
465config GRO_CELLS
466	bool
467	default n
468
469config SOCK_VALIDATE_XMIT
470	bool
471
472config NET_IEEE8021Q_HELPERS
473	bool
474
475config NET_SELFTESTS
476	def_tristate PHYLIB
477	depends on PHYLIB && INET
478
479config NET_SOCK_MSG
480	bool
481	default n
482	help
483	  The NET_SOCK_MSG provides a framework for plain sockets (e.g. TCP) or
484	  ULPs (upper layer modules, e.g. TLS) to process L7 application data
485	  with the help of BPF programs.
486
487config NET_DEVLINK
488	bool
489	default n
490
491config PAGE_POOL
492	bool
493
494config PAGE_POOL_STATS
495	default n
496	bool "Page pool stats"
497	depends on PAGE_POOL
498	help
499	  Enable page pool statistics to track page allocation and recycling
500	  in page pools. This option incurs additional CPU cost in allocation
501	  and recycle paths and additional memory cost to store the statistics.
502	  These statistics are only available if this option is enabled and if
503	  the driver using the page pool supports exporting this data.
504
505	  If unsure, say N.
506
507config FAILOVER
508	tristate "Generic failover module"
509	help
510	  The failover module provides a generic interface for paravirtual
511	  drivers to register a netdev and a set of ops with a failover
512	  instance. The ops are used as event handlers that get called to
513	  handle netdev register/unregister/link change/name change events
514	  on slave PCI Ethernet devices with the same MAC address as the
515	  failover netdev. This enables paravirtual drivers to use a
516	  VF as an accelerated low latency datapath. It also allows live
517	  migration of VMs with direct attached VFs by failing over to the
518	  paravirtual datapath when the VF is unplugged.
519
520config ETHTOOL_NETLINK
521	bool "Netlink interface for ethtool"
522	select DIMLIB
523	default y
524	help
525	  An alternative userspace interface for ethtool based on generic
526	  netlink. It provides better extensibility and some new features,
527	  e.g. notification messages.
528
529config NETDEV_ADDR_LIST_TEST
530	tristate "Unit tests for device address list"
531	default KUNIT_ALL_TESTS
532	depends on KUNIT
533
534config NET_TEST
535	tristate "KUnit tests for networking" if !KUNIT_ALL_TESTS
536	depends on KUNIT
537	default KUNIT_ALL_TESTS
538	help
539	  KUnit tests covering core networking infra, such as sk_buff.
540
541	  If unsure, say N.
542
543endif   # if NET
544