xref: /linux/net/Kconfig (revision be709d48329a500621d2a05835283150ae137b45)
1#
2# Network configuration
3#
4
5menuconfig NET
6	bool "Networking support"
7	select NLATTR
8	select GENERIC_NET_UTILS
9	select BPF
10	---help---
11	  Unless you really know what you are doing, you should say Y here.
12	  The reason is that some programs need kernel networking support even
13	  when running on a stand-alone machine that isn't connected to any
14	  other computer.
15
16	  If you are upgrading from an older kernel, you
17	  should consider updating your networking tools too because changes
18	  in the kernel and the tools often go hand in hand. The tools are
19	  contained in the package net-tools, the location and version number
20	  of which are given in <file:Documentation/Changes>.
21
22	  For a general introduction to Linux networking, it is highly
23	  recommended to read the NET-HOWTO, available from
24	  <http://www.tldp.org/docs.html#howto>.
25
26if NET
27
28config WANT_COMPAT_NETLINK_MESSAGES
29	bool
30	help
31	  This option can be selected by other options that need compat
32	  netlink messages.
33
34config COMPAT_NETLINK_MESSAGES
35	def_bool y
36	depends on COMPAT
37	depends on WEXT_CORE || WANT_COMPAT_NETLINK_MESSAGES
38	help
39	  This option makes it possible to send different netlink messages
40	  to tasks depending on whether the task is a compat task or not. To
41	  achieve this, you need to set skb_shinfo(skb)->frag_list to the
42	  compat skb before sending the skb; the netlink code will then sort out
43	  which message to actually pass to the task.
44
45	  Newly written code should NEVER need this option; it should use
46	  compat-independent messages instead!
47
48config NET_INGRESS
49	bool
50
51config NET_EGRESS
52	bool
53
54config SKB_EXTENSIONS
55	bool
56
57menu "Networking options"
58
59source "net/packet/Kconfig"
60source "net/unix/Kconfig"
61source "net/tls/Kconfig"
62source "net/xfrm/Kconfig"
63source "net/iucv/Kconfig"
64source "net/smc/Kconfig"
65source "net/xdp/Kconfig"
66
67config INET
68	bool "TCP/IP networking"
69	select CRYPTO
70	select CRYPTO_AES
71	---help---
72	  These are the protocols used on the Internet and on most local
73	  Ethernets. It is highly recommended to say Y here (this will enlarge
74	  your kernel by about 400 KB), since some programs (e.g. the X window
75	  system) use TCP/IP even if your machine is not connected to any
76	  other computer. You will get the so-called loopback device which
77	  allows you to ping yourself (great fun, that!).
78
79	  For an excellent introduction to Linux networking, please read the
80	  Linux Networking HOWTO, available from
81	  <http://www.tldp.org/docs.html#howto>.
82
83	  If you say Y here and also to "/proc file system support" and
84	  "Sysctl support" below, you can change various aspects of the
85	  behavior of the TCP/IP code by writing to the (virtual) files in
86	  /proc/sys/net/ipv4/*; the options are explained in the file
87	  <file:Documentation/networking/ip-sysctl.txt>.
88
89	  Short answer: say Y.
90
91if INET
92source "net/ipv4/Kconfig"
93source "net/ipv6/Kconfig"
94source "net/netlabel/Kconfig"
95
96endif # if INET
97
98config NETWORK_SECMARK
99	bool "Security Marking"
100	help
101	  This enables security marking of network packets, similar
102	  to nfmark, but designated for security purposes.
103	  If you are unsure how to answer this question, answer N.
104
105config NET_PTP_CLASSIFY
106	def_bool n
107
108config NETWORK_PHY_TIMESTAMPING
109	bool "Timestamping in PHY devices"
110	select NET_PTP_CLASSIFY
111	help
112	  This allows timestamping of network packets by PHYs with
113	  hardware timestamping capabilities. This option adds some
114	  overhead in the transmit and receive paths.
115
116	  If you are unsure how to answer this question, answer N.
117
118menuconfig NETFILTER
119	bool "Network packet filtering framework (Netfilter)"
120	---help---
121	  Netfilter is a framework for filtering and mangling network packets
122	  that pass through your Linux box.
123
124	  The most common use of packet filtering is to run your Linux box as
125	  a firewall protecting a local network from the Internet. The type of
126	  firewall provided by this kernel support is called a "packet
127	  filter", which means that it can reject individual network packets
128	  based on type, source, destination etc. The other kind of firewall,
129	  a "proxy-based" one, is more secure but more intrusive and more
130	  bothersome to set up; it inspects the network traffic much more
131	  closely, modifies it and has knowledge about the higher level
132	  protocols, which a packet filter lacks. Moreover, proxy-based
133	  firewalls often require changes to the programs running on the local
134	  clients. Proxy-based firewalls don't need support by the kernel, but
135	  they are often combined with a packet filter, which only works if
136	  you say Y here.
137
138	  You should also say Y here if you intend to use your Linux box as
139	  the gateway to the Internet for a local network of machines without
140	  globally valid IP addresses. This is called "masquerading": if one
141	  of the computers on your local network wants to send something to
142	  the outside, your box can "masquerade" as that computer, i.e. it
143	  forwards the traffic to the intended outside destination, but
144	  modifies the packets to make it look like they came from the
145	  firewall box itself. It works both ways: if the outside host
146	  replies, the Linux box will silently forward the traffic to the
147	  correct local computer. This way, the computers on your local net
148	  are completely invisible to the outside world, even though they can
149	  reach the outside and can receive replies. It is even possible to
150	  run globally visible servers from within a masqueraded local network
151	  using a mechanism called portforwarding. Masquerading is also often
152	  called NAT (Network Address Translation).
153
154	  Another use of Netfilter is in transparent proxying: if a machine on
155	  the local network tries to connect to an outside host, your Linux
156	  box can transparently forward the traffic to a local server,
157	  typically a caching proxy server.
158
159	  Yet another use of Netfilter is building a bridging firewall. Using
160	  a bridge with Network packet filtering enabled makes iptables "see"
161	  the bridged traffic. For filtering on the lower network and Ethernet
162	  protocols over the bridge, use ebtables (under bridge netfilter
163	  configuration).
164
165	  Various modules exist for netfilter which replace the previous
166	  masquerading (ipmasqadm), packet filtering (ipchains), transparent
167	  proxying, and portforwarding mechanisms. Please see
168	  <file:Documentation/Changes> under "iptables" for the location of
169	  these packages.
170
171if NETFILTER
172
173config NETFILTER_ADVANCED
174	bool "Advanced netfilter configuration"
175	depends on NETFILTER
176	default y
177	help
178	  If you say Y here you can select between all the netfilter modules.
179	  If you say N the more unusual ones will not be shown and the
180	  basic ones needed by most people will default to 'M'.
181
182	  If unsure, say Y.
183
184config BRIDGE_NETFILTER
185	tristate "Bridged IP/ARP packets filtering"
186	depends on BRIDGE
187	depends on NETFILTER && INET
188	depends on NETFILTER_ADVANCED
189	select NETFILTER_FAMILY_BRIDGE
190	select SKB_EXTENSIONS
191	default m
192	---help---
193	  Enabling this option will let arptables and iptables see bridged
194	  ARP and IP traffic, respectively. If you want a bridging firewall,
195	  you probably want this option enabled.
196	  Enabling or disabling this option doesn't enable or disable
197	  ebtables.
198
199	  If unsure, say N.
200
201source "net/netfilter/Kconfig"
202source "net/ipv4/netfilter/Kconfig"
203source "net/ipv6/netfilter/Kconfig"
204source "net/decnet/netfilter/Kconfig"
205source "net/bridge/netfilter/Kconfig"
206
207endif
208
209source "net/bpfilter/Kconfig"
210
211source "net/dccp/Kconfig"
212source "net/sctp/Kconfig"
213source "net/rds/Kconfig"
214source "net/tipc/Kconfig"
215source "net/atm/Kconfig"
216source "net/l2tp/Kconfig"
217source "net/802/Kconfig"
218source "net/bridge/Kconfig"
219source "net/dsa/Kconfig"
220source "net/8021q/Kconfig"
221source "net/decnet/Kconfig"
222source "net/llc/Kconfig"
223source "drivers/net/appletalk/Kconfig"
224source "net/x25/Kconfig"
225source "net/lapb/Kconfig"
226source "net/phonet/Kconfig"
227source "net/6lowpan/Kconfig"
228source "net/ieee802154/Kconfig"
229source "net/mac802154/Kconfig"
230source "net/sched/Kconfig"
231source "net/dcb/Kconfig"
232source "net/dns_resolver/Kconfig"
233source "net/batman-adv/Kconfig"
234source "net/openvswitch/Kconfig"
235source "net/vmw_vsock/Kconfig"
236source "net/netlink/Kconfig"
237source "net/mpls/Kconfig"
238source "net/nsh/Kconfig"
239source "net/hsr/Kconfig"
240source "net/switchdev/Kconfig"
241source "net/l3mdev/Kconfig"
242source "net/qrtr/Kconfig"
243source "net/ncsi/Kconfig"
244
245config RPS
246	bool
247	depends on SMP && SYSFS
248	default y
249
250config RFS_ACCEL
251	bool
252	depends on RPS
253	select CPU_RMAP
254	default y
255
256config XPS
257	bool
258	depends on SMP
259	default y
260
261config HWBM
262       bool
263
264config CGROUP_NET_PRIO
265	bool "Network priority cgroup"
266	depends on CGROUPS
267	select SOCK_CGROUP_DATA
268	---help---
269	  Cgroup subsystem for use in assigning processes to network priorities on
270	  a per-interface basis.
271
272config CGROUP_NET_CLASSID
273	bool "Network classid cgroup"
274	depends on CGROUPS
275	select SOCK_CGROUP_DATA
276	---help---
277	  Cgroup subsystem for use as general purpose socket classid marker that is
278	  being used in cls_cgroup and for netfilter matching.
279
280config NET_RX_BUSY_POLL
281	bool
282	default y
283
284config BQL
285	bool
286	depends on SYSFS
287	select DQL
288	default y
289
290config BPF_JIT
291	bool "enable BPF Just In Time compiler"
292	depends on HAVE_CBPF_JIT || HAVE_EBPF_JIT
293	depends on MODULES
294	---help---
295	  Berkeley Packet Filter filtering capabilities are normally handled
296	  by an interpreter. This option allows the kernel to generate native
297	  code when a filter is loaded into memory. This should speed up
298	  packet sniffing (libpcap/tcpdump).
299
300	  Note: the admin should enable this feature by changing:
301	  /proc/sys/net/core/bpf_jit_enable
302	  /proc/sys/net/core/bpf_jit_harden   (optional; JIT hardening, can mitigate JIT spraying)
303	  /proc/sys/net/core/bpf_jit_kallsyms (optional; exports JIT image addresses to /proc/kallsyms)
304
305config BPF_STREAM_PARSER
306	bool "enable BPF STREAM_PARSER"
307	depends on INET
308	depends on BPF_SYSCALL
309	depends on CGROUP_BPF
310	select STREAM_PARSER
311	select NET_SOCK_MSG
312	---help---
313	 Enabling this allows a stream parser to be used with
314	 BPF_MAP_TYPE_SOCKMAP.
315
316	 BPF_MAP_TYPE_SOCKMAP provides a map type to use with network sockets.
317	 It can be used to enforce socket policy, implement socket redirects,
318	 etc.
319
320config NET_FLOW_LIMIT
321	bool
322	depends on RPS
323	default y
324	---help---
325	  The network stack has to drop packets when a receive processing CPU's
326	  backlog reaches netdev_max_backlog. If a few out of many active flows
327	  generate the vast majority of load, drop their traffic earlier to
328	  maintain capacity for the other flows. This feature provides servers
329	  with many clients some protection against DoS by a single (spoofed)
330	  flow that greatly exceeds average workload.
331
332menu "Network testing"
333
334config NET_PKTGEN
335	tristate "Packet Generator (USE WITH CAUTION)"
336	depends on INET && PROC_FS
337	---help---
338	  This module will inject preconfigured packets, at a configurable
339	  rate, out of a given interface.  It is used for network interface
340	  stress testing and performance analysis.  If you don't understand
341	  what was just said, you don't need it: say N.
342
343	  Documentation on how to use the packet generator can be found
344	  at <file:Documentation/networking/pktgen.txt>.
345
346	  To compile this code as a module, choose M here: the
347	  module will be called pktgen.
348
349config NET_DROP_MONITOR
350	tristate "Network packet drop alerting service"
351	depends on INET && TRACEPOINTS
352	---help---
353	This feature provides an alerting service to userspace in the
354	event that packets are discarded in the network stack.  Alerts
355	are broadcast via netlink socket to any listening user space
356	process.  If you don't need network drop alerts, or if you are ok
357	just checking the various proc files and other utilities for
358	drop statistics, say N here.
359
360endmenu
361
362endmenu
363
364source "net/ax25/Kconfig"
365source "net/can/Kconfig"
366source "net/bluetooth/Kconfig"
367source "net/rxrpc/Kconfig"
368source "net/kcm/Kconfig"
369source "net/strparser/Kconfig"
370
371config FIB_RULES
372	bool
373
374menuconfig WIRELESS
375	bool "Wireless"
376	depends on !S390
377	default y
378
379if WIRELESS
380
381source "net/wireless/Kconfig"
382source "net/mac80211/Kconfig"
383
384endif # WIRELESS
385
386source "net/wimax/Kconfig"
387
388source "net/rfkill/Kconfig"
389source "net/9p/Kconfig"
390source "net/caif/Kconfig"
391source "net/ceph/Kconfig"
392source "net/nfc/Kconfig"
393source "net/psample/Kconfig"
394source "net/ife/Kconfig"
395
396config LWTUNNEL
397	bool "Network light weight tunnels"
398	---help---
399	  This feature provides an infrastructure to support light weight
400	  tunnels like mpls. There is no netdevice associated with a light
401	  weight tunnel endpoint. Tunnel encapsulation parameters are stored
402	  with light weight tunnel state associated with fib routes.
403
404config LWTUNNEL_BPF
405	bool "Execute BPF program as route nexthop action"
406	depends on LWTUNNEL && INET
407	default y if LWTUNNEL=y
408	---help---
409	  Allows BPF programs to be run as a nexthop action following a route
410	  lookup for incoming and outgoing packets.
411
412config DST_CACHE
413	bool
414	default n
415
416config GRO_CELLS
417	bool
418	default n
419
420config SOCK_VALIDATE_XMIT
421	bool
422
423config NET_SOCK_MSG
424	bool
425	default n
426	help
427	  The NET_SOCK_MSG provides a framework for plain sockets (e.g. TCP) or
428	  ULPs (upper layer modules, e.g. TLS) to process L7 application data
429	  with the help of BPF programs.
430
431config NET_DEVLINK
432	bool "Network physical/parent device Netlink interface"
433	help
434	  Network physical/parent device Netlink interface provides
435	  infrastructure to support access to physical chip-wide config and
436	  monitoring.
437
438config PAGE_POOL
439       bool
440
441config FAILOVER
442	tristate "Generic failover module"
443	help
444	  The failover module provides a generic interface for paravirtual
445	  drivers to register a netdev and a set of ops with a failover
446	  instance. The ops are used as event handlers that get called to
447	  handle netdev register/unregister/link change/name change events
448	  on slave pci ethernet devices with the same mac address as the
449	  failover netdev. This enables paravirtual drivers to use a
450	  VF as an accelerated low latency datapath. It also allows live
451	  migration of VMs with direct attached VFs by failing over to the
452	  paravirtual datapath when the VF is unplugged.
453
454endif   # if NET
455
456# Used by archs to indicate that they support a BPF JIT compiler, and which flavour.
457# Only one of the two can be selected for a specific arch, since the eBPF JIT supersedes
458# the cBPF JIT.
459
460# Classic BPF JIT (cBPF)
461config HAVE_CBPF_JIT
462	bool
463
464# Extended BPF JIT (eBPF)
465config HAVE_EBPF_JIT
466	bool
467