xref: /linux/net/Kconfig (revision 00c94ca2b99e6610e483f92e531b319eeaed94aa)
1# SPDX-License-Identifier: GPL-2.0-only
2#
3# Network configuration
4#
5
6menuconfig NET
7	bool "Networking support"
8	select NLATTR
9	select GENERIC_NET_UTILS
10	select BPF
11	help
12	  Unless you really know what you are doing, you should say Y here.
13	  The reason is that some programs need kernel networking support even
14	  when running on a stand-alone machine that isn't connected to any
15	  other computer.
16
17	  If you are upgrading from an older kernel, you
18	  should consider updating your networking tools too because changes
19	  in the kernel and the tools often go hand in hand. The tools are
20	  contained in the package net-tools, the location and version number
21	  of which are given in <file:Documentation/Changes>.
22
23	  For a general introduction to Linux networking, it is highly
24	  recommended to read the NET-HOWTO, available from
25	  <http://www.tldp.org/docs.html#howto>.
26
27if NET
28
29config WANT_COMPAT_NETLINK_MESSAGES
30	bool
31	help
32	  This option can be selected by other options that need compat
33	  netlink messages.
34
35config COMPAT_NETLINK_MESSAGES
36	def_bool y
37	depends on COMPAT
38	depends on WEXT_CORE || WANT_COMPAT_NETLINK_MESSAGES
39	help
40	  This option makes it possible to send different netlink messages
41	  to tasks depending on whether the task is a compat task or not. To
42	  achieve this, you need to set skb_shinfo(skb)->frag_list to the
43	  compat skb before sending the skb; the netlink code will then sort
44	  out which message to actually pass to the task.
45
46	  Newly written code should NEVER need this option; it should use
47	  compat-independent messages instead!
48
49config NET_INGRESS
50	bool
51
52config NET_EGRESS
53	bool
54
55config NET_XGRESS
56	select NET_INGRESS
57	select NET_EGRESS
58	bool
59
60config NET_REDIRECT
61	bool
62
63config SKB_DECRYPTED
64	bool
65
66config SKB_EXTENSIONS
67	bool
68
69config NET_DEVMEM
70	def_bool y
71	select GENERIC_ALLOCATOR
72	depends on DMA_SHARED_BUFFER
73	depends on PAGE_POOL
74
75config NET_SHAPER
76	bool
77
78config NET_CRC32C
79	bool
80	select CRC32
81
82menu "Networking options"
83
84source "net/packet/Kconfig"
85source "net/psp/Kconfig"
86source "net/unix/Kconfig"
87source "net/tls/Kconfig"
88source "net/xfrm/Kconfig"
89source "net/iucv/Kconfig"
90source "net/smc/Kconfig"
91source "net/xdp/Kconfig"
92
93config NET_HANDSHAKE
94	bool
95	depends on SUNRPC || NVME_TARGET_TCP || NVME_TCP
96	default y
97
98config NET_HANDSHAKE_KUNIT_TEST
99	tristate "KUnit tests for the handshake upcall mechanism" if !KUNIT_ALL_TESTS
100	default KUNIT_ALL_TESTS
101	depends on KUNIT
102	help
103	  This builds the KUnit tests for the handshake upcall mechanism.
104
105	  KUnit tests run during boot and output the results to the debug
106	  log in TAP format (https://testanything.org/). They are only useful
107	  for kernel developers running the KUnit test harness and are not
108	  meant for inclusion in a production build.
109
110	  For more information on KUnit and unit tests in general, refer
111	  to the KUnit documentation in Documentation/dev-tools/kunit/.
112
113config INET
114	bool "TCP/IP networking"
115	help
116	  These are the protocols used on the Internet and on most local
117	  Ethernets. It is highly recommended to say Y here (this will enlarge
118	  your kernel by about 400 KB), since some programs (e.g. the X window
119	  system) use TCP/IP even if your machine is not connected to any
120	  other computer. You will get the so-called loopback device which
121	  allows you to ping yourself (great fun, that!).
122
123	  For an excellent introduction to Linux networking, please read the
124	  Linux Networking HOWTO, available from
125	  <http://www.tldp.org/docs.html#howto>.
126
127	  If you say Y here and also to "/proc file system support" and
128	  "Sysctl support" below, you can change various aspects of the
129	  behavior of the TCP/IP code by writing to the (virtual) files in
130	  /proc/sys/net/ipv4/*; the options are explained in the file
131	  <file:Documentation/networking/ip-sysctl.rst>.
132
133	  Short answer: say Y.
134
135if INET
136source "net/ipv4/Kconfig"
137source "net/ipv6/Kconfig"
138source "net/netlabel/Kconfig"
139source "net/mptcp/Kconfig"
140
141endif # if INET
142
143config NETWORK_SECMARK
144	bool "Security Marking"
145	help
146	  This enables security marking of network packets, similar
147	  to nfmark, but designated for security purposes.
148	  If you are unsure how to answer this question, answer N.
149
150config NET_PTP_CLASSIFY
151	def_bool n
152
153config NETWORK_PHY_TIMESTAMPING
154	bool "Timestamping in PHY devices"
155	select NET_PTP_CLASSIFY
156	help
157	  This allows timestamping of network packets by PHYs (or
158	  other MII bus snooping devices) with hardware timestamping
159	  capabilities. This option adds some overhead in the transmit
160	  and receive paths.
161
162	  If you are unsure how to answer this question, answer N.
163
164menuconfig NETFILTER
165	bool "Network packet filtering framework (Netfilter)"
166	help
167	  Netfilter is a framework for filtering and mangling network packets
168	  that pass through your Linux box.
169
170	  The most common use of packet filtering is to run your Linux box as
171	  a firewall protecting a local network from the Internet. The type of
172	  firewall provided by this kernel support is called a "packet
173	  filter", which means that it can reject individual network packets
174	  based on type, source, destination etc. The other kind of firewall,
175	  a "proxy-based" one, is more secure but more intrusive and more
176	  bothersome to set up; it inspects the network traffic much more
177	  closely, modifies it and has knowledge about the higher level
178	  protocols, which a packet filter lacks. Moreover, proxy-based
179	  firewalls often require changes to the programs running on the local
180	  clients. Proxy-based firewalls don't need support by the kernel, but
181	  they are often combined with a packet filter, which only works if
182	  you say Y here.
183
184	  You should also say Y here if you intend to use your Linux box as
185	  the gateway to the Internet for a local network of machines without
186	  globally valid IP addresses. This is called "masquerading": if one
187	  of the computers on your local network wants to send something to
188	  the outside, your box can "masquerade" as that computer, i.e. it
189	  forwards the traffic to the intended outside destination, but
190	  modifies the packets to make it look like they came from the
191	  firewall box itself. It works both ways: if the outside host
192	  replies, the Linux box will silently forward the traffic to the
193	  correct local computer. This way, the computers on your local net
194	  are completely invisible to the outside world, even though they can
195	  reach the outside and can receive replies. It is even possible to
196	  run globally visible servers from within a masqueraded local network
197	  using a mechanism called portforwarding. Masquerading is also often
198	  called NAT (Network Address Translation).
199
200	  Another use of Netfilter is in transparent proxying: if a machine on
201	  the local network tries to connect to an outside host, your Linux
202	  box can transparently forward the traffic to a local server,
203	  typically a caching proxy server.
204
205	  Yet another use of Netfilter is building a bridging firewall. Using
206	  a bridge with Network packet filtering enabled makes iptables "see"
207	  the bridged traffic. For filtering on the lower network and Ethernet
208	  protocols over the bridge, use ebtables (under bridge netfilter
209	  configuration).
210
211	  Various modules exist for netfilter which replace the previous
212	  masquerading (ipmasqadm), packet filtering (ipchains), transparent
213	  proxying, and portforwarding mechanisms. Please see
214	  <file:Documentation/Changes> under "iptables" for the location of
215	  these packages.
216
217if NETFILTER
218
219config NETFILTER_ADVANCED
220	bool "Advanced netfilter configuration"
221	depends on NETFILTER
222	default y
223	help
224	  If you say Y here you can select between all the netfilter modules.
225	  If you say N the more unusual ones will not be shown and the
226	  basic ones needed by most people will default to 'M'.
227
228	  If unsure, say Y.
229
230config BRIDGE_NETFILTER
231	tristate "Bridged IP/ARP packets filtering"
232	depends on BRIDGE
233	depends on NETFILTER && INET
234	depends on NETFILTER_ADVANCED
235	select NETFILTER_FAMILY_BRIDGE
236	select SKB_EXTENSIONS
237	help
238	  Enabling this option will let arptables and iptables see bridged
239	  ARP and IP traffic, respectively. If you want a bridging firewall,
240	  you probably want this option enabled.
241	  Enabling or disabling this option doesn't enable or disable
242	  ebtables.
243
244	  If unsure, say N.
245
246source "net/netfilter/Kconfig"
247source "net/ipv4/netfilter/Kconfig"
248source "net/ipv6/netfilter/Kconfig"
249source "net/bridge/netfilter/Kconfig"
250
251endif # if NETFILTER
252
253source "net/sctp/Kconfig"
254source "net/rds/Kconfig"
255source "net/tipc/Kconfig"
256source "net/atm/Kconfig"
257source "net/l2tp/Kconfig"
258source "net/802/Kconfig"
259source "net/bridge/Kconfig"
260source "net/dsa/Kconfig"
261source "net/8021q/Kconfig"
262source "net/llc/Kconfig"
263source "net/appletalk/Kconfig"
264source "net/x25/Kconfig"
265source "net/lapb/Kconfig"
266source "net/phonet/Kconfig"
267source "net/6lowpan/Kconfig"
268source "net/ieee802154/Kconfig"
269source "net/mac802154/Kconfig"
270source "net/sched/Kconfig"
271source "net/dcb/Kconfig"
272source "net/dns_resolver/Kconfig"
273source "net/batman-adv/Kconfig"
274source "net/openvswitch/Kconfig"
275source "net/vmw_vsock/Kconfig"
276source "net/netlink/Kconfig"
277source "net/mpls/Kconfig"
278source "net/nsh/Kconfig"
279source "net/hsr/Kconfig"
280source "net/switchdev/Kconfig"
281source "net/l3mdev/Kconfig"
282source "net/qrtr/Kconfig"
283source "net/ncsi/Kconfig"
284
285config PCPU_DEV_REFCNT
286	bool "Use percpu variables to maintain network device refcount"
287	depends on SMP
288	default y
289	help
290	  Network device refcounts use per-CPU variables if this option is set.
291	  This can be forced to N to detect underflows (with a performance drop).
292
293config MAX_SKB_FRAGS
294	int "Maximum number of fragments per skb_shared_info"
295	range 17 45
296	default 17
297	help
298	  Having more fragments per skb_shared_info can help GRO efficiency.
299	  This helps BIG TCP workloads, but might expose bugs in some
300	  legacy drivers.
301	  This also increases memory overhead of small packets,
302	  and in drivers using build_skb().
303	  If unsure, say 17.
304
305config RPS
306	bool "Receive packet steering"
307	depends on SMP && SYSFS
308	default y
309	help
310	  Software receive side packet steering (RPS) distributes the
311	  load of received packet processing across multiple CPUs.
312
313config RFS_ACCEL
314	bool "Hardware acceleration of RFS"
315	depends on RPS
316	select CPU_RMAP
317	default y
318	help
319	  Allows drivers for multiqueue hardware with flow filter tables to
320	  accelerate RFS (Receive Flow Steering).
321
322config SOCK_RX_QUEUE_MAPPING
323	bool
324
325config XPS
326	bool
327	depends on SMP
328	select SOCK_RX_QUEUE_MAPPING
329	default y
330
331config HWBM
332	bool
333
334config CGROUP_NET_PRIO
335	bool "Network priority cgroup"
336	depends on CGROUPS
337	select SOCK_CGROUP_DATA
338	help
339	  Cgroup subsystem for use in assigning processes to network priorities on
340	  a per-interface basis.
341
342config CGROUP_NET_CLASSID
343	bool "Network classid cgroup"
344	depends on CGROUPS
345	select SOCK_CGROUP_DATA
346	help
347	  Cgroup subsystem for use as a general-purpose socket classid marker,
348	  which is used by cls_cgroup and for netfilter matching.
349
350config NET_RX_BUSY_POLL
351	bool
352	default y if !PREEMPT_RT || (PREEMPT_RT && !NETCONSOLE)
353
354config BQL
355	bool
356	prompt "Enable Byte Queue Limits"
357	depends on SYSFS
358	select DQL
359	default y
360
361config BPF_STREAM_PARSER
362	bool "enable BPF STREAM_PARSER"
363	depends on INET
364	depends on BPF_SYSCALL
365	depends on CGROUP_BPF
366	select STREAM_PARSER
367	select NET_SOCK_MSG
368	help
369	  Enabling this allows a TCP stream parser to be used with
370	  BPF_MAP_TYPE_SOCKMAP.
371
372config NET_FLOW_LIMIT
373	bool "Net flow limit"
374	depends on RPS
375	default y
376	help
377	  The network stack has to drop packets when a receive processing CPU's
378	  backlog reaches netdev_max_backlog. If a few out of many active flows
379	  generate the vast majority of load, drop their traffic earlier to
380	  maintain capacity for the other flows. This feature provides servers
381	  with many clients some protection against DoS by a single (spoofed)
382	  flow that greatly exceeds average workload.
383
384menu "Network testing"
385
386config NET_PKTGEN
387	tristate "Packet Generator (USE WITH CAUTION)"
388	depends on INET && PROC_FS
389	help
390	  This module will inject preconfigured packets, at a configurable
391	  rate, out of a given interface.  It is used for network interface
392	  stress testing and performance analysis.  If you don't understand
393	  what was just said, you don't need it: say N.
394
395	  Documentation on how to use the packet generator can be found
396	  at <file:Documentation/networking/pktgen.rst>.
397
398	  To compile this code as a module, choose M here: the
399	  module will be called pktgen.
400
401config NET_DROP_MONITOR
402	tristate "Network packet drop alerting service"
403	depends on INET && TRACEPOINTS
404	help
405	  This feature provides an alerting service to userspace in the
406	  event that packets are discarded in the network stack.  Alerts
407	  are broadcast via netlink socket to any listening user space
408	  process.  If you don't need network drop alerts, or if you are ok
409	  just checking the various proc files and other utilities for
410	  drop statistics, say N here.
411
412endmenu # Network testing
413
414endmenu # Networking options
415
416source "net/ax25/Kconfig"
417source "net/can/Kconfig"
418source "net/bluetooth/Kconfig"
419source "net/rxrpc/Kconfig"
420source "net/kcm/Kconfig"
421source "net/strparser/Kconfig"
422source "net/mctp/Kconfig"
423
424config FIB_RULES
425	bool
426
427menuconfig WIRELESS
428	bool "Wireless"
429	depends on !S390
430	default y
431
432if WIRELESS
433
434source "net/wireless/Kconfig"
435source "net/mac80211/Kconfig"
436
437endif # WIRELESS
438
439source "net/rfkill/Kconfig"
440source "net/9p/Kconfig"
441source "net/caif/Kconfig"
442source "net/ceph/Kconfig"
443source "net/nfc/Kconfig"
444source "net/psample/Kconfig"
445source "net/ife/Kconfig"
446
447config LWTUNNEL
448	bool "Network light weight tunnels"
449	help
450	  This feature provides an infrastructure to support light weight
451	  tunnels like mpls. There is no netdevice associated with a light
452	  weight tunnel endpoint. Tunnel encapsulation parameters are stored
453	  with light weight tunnel state associated with fib routes.
454
455config LWTUNNEL_BPF
456	bool "Execute BPF program as route nexthop action"
457	depends on LWTUNNEL && INET
458	default y if LWTUNNEL=y
459	help
460	  Allows BPF programs to be run as a nexthop action following a route
461	  lookup for incoming and outgoing packets.
462
463config DST_CACHE
464	bool
465	default n
466
467config GRO_CELLS
468	bool
469	default n
470
471config SOCK_VALIDATE_XMIT
472	bool
473
474config NET_IEEE8021Q_HELPERS
475	bool
476
477config NET_SELFTESTS
478	def_tristate PHYLIB
479	depends on PHYLIB && INET
480
481config NET_SOCK_MSG
482	bool
483	default n
484	help
485	  The NET_SOCK_MSG provides a framework for plain sockets (e.g. TCP) or
486	  ULPs (upper layer modules, e.g. TLS) to process L7 application data
487	  with the help of BPF programs.
488
489config NET_DEVLINK
490	bool
491	default n
492
493config PAGE_POOL
494	bool
495
496config PAGE_POOL_STATS
497	default n
498	bool "Page pool stats"
499	depends on PAGE_POOL
500	help
501	  Enable page pool statistics to track page allocation and recycling
502	  in page pools. This option incurs additional CPU cost in allocation
503	  and recycle paths and additional memory cost to store the statistics.
504	  These statistics are only available if this option is enabled and if
505	  the driver using the page pool supports exporting this data.
506
507	  If unsure, say N.
508
509config FAILOVER
510	tristate "Generic failover module"
511	help
512	  The failover module provides a generic interface for paravirtual
513	  drivers to register a netdev and a set of ops with a failover
514	  instance. The ops are used as event handlers that get called to
515	  handle netdev register/unregister/link change/name change events
516	  on slave PCI Ethernet devices with the same MAC address as the
517	  failover netdev. This enables paravirtual drivers to use a
518	  VF as an accelerated low latency datapath. It also allows live
519	  migration of VMs with direct attached VFs by failing over to the
520	  paravirtual datapath when the VF is unplugged.
521
522config ETHTOOL_NETLINK
523	bool "Netlink interface for ethtool"
524	select DIMLIB
525	default y
526	help
527	  An alternative userspace interface for ethtool based on generic
528	  netlink. It provides better extensibility and some new features,
529	  e.g. notification messages.
530
531config NETDEV_ADDR_LIST_TEST
532	tristate "Unit tests for device address list"
533	default KUNIT_ALL_TESTS
534	depends on KUNIT
535
536config NET_TEST
537	tristate "KUnit tests for networking" if !KUNIT_ALL_TESTS
538	depends on KUNIT
539	default KUNIT_ALL_TESTS
540	help
541	  KUnit tests covering core networking infra, such as sk_buff.
542
543	  If unsure, say N.
544
545endif   # if NET
546