xref: /linux/net/Kconfig (revision cded7e0479c9340d7859841f2c0fd1aabf8f6294)
1# SPDX-License-Identifier: GPL-2.0-only
2#
3# Network configuration
4#
5
6menuconfig NET
7	bool "Networking support"
8	select NLATTR
9	select GENERIC_NET_UTILS
10	select BPF
11	help
12	  Unless you really know what you are doing, you should say Y here.
13	  The reason is that some programs need kernel networking support even
14	  when running on a stand-alone machine that isn't connected to any
15	  other computer.
16
17	  If you are upgrading from an older kernel, you
18	  should consider updating your networking tools too because changes
19	  in the kernel and the tools often go hand in hand. The tools are
20	  contained in the package net-tools, the location and version number
21	  of which are given in <file:Documentation/Changes>.
22
23	  For a general introduction to Linux networking, it is highly
24	  recommended to read the NET-HOWTO, available from
25	  <http://www.tldp.org/docs.html#howto>.
26
27if NET
28
29config WANT_COMPAT_NETLINK_MESSAGES
30	bool
31	help
32	  This option can be selected by other options that need compat
33	  netlink messages.
34
35config COMPAT_NETLINK_MESSAGES
36	def_bool y
37	depends on COMPAT
38	depends on WEXT_CORE || WANT_COMPAT_NETLINK_MESSAGES
39	help
40	  This option makes it possible to send different netlink messages
41	  to tasks depending on whether the task is a compat task or not. To
42	  achieve this, you need to set skb_shinfo(skb)->frag_list to the
43	  compat skb before sending the skb; the netlink code will then sort out
44	  which message to actually pass to the task.
45
46	  Newly written code should NEVER need this option; it should use
47	  compat-independent messages instead!
48
49config NET_INGRESS
50	bool
51
52config NET_EGRESS
53	bool
54
55config NET_XGRESS
56	select NET_INGRESS
57	select NET_EGRESS
58	bool
59
60config NET_REDIRECT
61	bool
62
63config SKB_DECRYPTED
64	bool
65
66config SKB_EXTENSIONS
67	bool
68
69config NET_DEVMEM
70	def_bool y
71	depends on DMA_SHARED_BUFFER
72	depends on GENERIC_ALLOCATOR
73
74menu "Networking options"
75
76source "net/packet/Kconfig"
77source "net/unix/Kconfig"
78source "net/tls/Kconfig"
79source "net/xfrm/Kconfig"
80source "net/iucv/Kconfig"
81source "net/smc/Kconfig"
82source "net/xdp/Kconfig"
83
84config NET_HANDSHAKE
85	bool
86	depends on SUNRPC || NVME_TARGET_TCP || NVME_TCP
87	default y
88
89config NET_HANDSHAKE_KUNIT_TEST
90	tristate "KUnit tests for the handshake upcall mechanism" if !KUNIT_ALL_TESTS
91	default KUNIT_ALL_TESTS
92	depends on KUNIT
93	help
94	  This builds the KUnit tests for the handshake upcall mechanism.
95
96	  KUnit tests run during boot and output the results to the debug
97	  log in TAP format (https://testanything.org/). They are only useful
98	  for kernel devs running the KUnit test harness and are not for
99	  inclusion in a production build.
100
101	  For more information on KUnit and unit tests in general, refer
102	  to the KUnit documentation in Documentation/dev-tools/kunit/.
103
104config INET
105	bool "TCP/IP networking"
106	help
107	  These are the protocols used on the Internet and on most local
108	  Ethernets. It is highly recommended to say Y here (this will enlarge
109	  your kernel by about 400 KB), since some programs (e.g. the X window
110	  system) use TCP/IP even if your machine is not connected to any
111	  other computer. You will get the so-called loopback device which
112	  allows you to ping yourself (great fun, that!).
113
114	  For an excellent introduction to Linux networking, please read the
115	  Linux Networking HOWTO, available from
116	  <http://www.tldp.org/docs.html#howto>.
117
118	  If you say Y here and also to "/proc file system support" and
119	  "Sysctl support" below, you can change various aspects of the
120	  behavior of the TCP/IP code by writing to the (virtual) files in
121	  /proc/sys/net/ipv4/*; the options are explained in the file
122	  <file:Documentation/networking/ip-sysctl.rst>.
123
124	  Short answer: say Y.
125
126if INET
127source "net/ipv4/Kconfig"
128source "net/ipv6/Kconfig"
129source "net/netlabel/Kconfig"
130source "net/mptcp/Kconfig"
131
132endif # if INET
133
134config NETWORK_SECMARK
135	bool "Security Marking"
136	help
137	  This enables security marking of network packets, similar
138	  to nfmark, but designated for security purposes.
139	  If you are unsure how to answer this question, answer N.
140
141config NET_PTP_CLASSIFY
142	def_bool n
143
144config NETWORK_PHY_TIMESTAMPING
145	bool "Timestamping in PHY devices"
146	select NET_PTP_CLASSIFY
147	help
148	  This allows timestamping of network packets by PHYs (or
149	  other MII bus snooping devices) with hardware timestamping
150	  capabilities. This option adds some overhead in the transmit
151	  and receive paths.
152
153	  If you are unsure how to answer this question, answer N.
154
155menuconfig NETFILTER
156	bool "Network packet filtering framework (Netfilter)"
157	help
158	  Netfilter is a framework for filtering and mangling network packets
159	  that pass through your Linux box.
160
161	  The most common use of packet filtering is to run your Linux box as
162	  a firewall protecting a local network from the Internet. The type of
163	  firewall provided by this kernel support is called a "packet
164	  filter", which means that it can reject individual network packets
165	  based on type, source, destination etc. The other kind of firewall,
166	  a "proxy-based" one, is more secure but more intrusive and more
167	  bothersome to set up; it inspects the network traffic much more
168	  closely, modifies it and has knowledge about the higher level
169	  protocols, which a packet filter lacks. Moreover, proxy-based
170	  firewalls often require changes to the programs running on the local
171	  clients. Proxy-based firewalls don't need support by the kernel, but
172	  they are often combined with a packet filter, which only works if
173	  you say Y here.
174
175	  You should also say Y here if you intend to use your Linux box as
176	  the gateway to the Internet for a local network of machines without
177	  globally valid IP addresses. This is called "masquerading": if one
178	  of the computers on your local network wants to send something to
179	  the outside, your box can "masquerade" as that computer, i.e. it
180	  forwards the traffic to the intended outside destination, but
181	  modifies the packets to make it look like they came from the
182	  firewall box itself. It works both ways: if the outside host
183	  replies, the Linux box will silently forward the traffic to the
184	  correct local computer. This way, the computers on your local net
185	  are completely invisible to the outside world, even though they can
186	  reach the outside and can receive replies. It is even possible to
187	  run globally visible servers from within a masqueraded local network
188	  using a mechanism called portforwarding. Masquerading is also often
189	  called NAT (Network Address Translation).
190
191	  Another use of Netfilter is in transparent proxying: if a machine on
192	  the local network tries to connect to an outside host, your Linux
193	  box can transparently forward the traffic to a local server,
194	  typically a caching proxy server.
195
196	  Yet another use of Netfilter is building a bridging firewall. Using
197	  a bridge with Network packet filtering enabled makes iptables "see"
198	  the bridged traffic. For filtering on the lower network and Ethernet
199	  protocols over the bridge, use ebtables (under bridge netfilter
200	  configuration).
201
202	  Various modules exist for netfilter which replace the previous
203	  masquerading (ipmasqadm), packet filtering (ipchains), transparent
204	  proxying, and portforwarding mechanisms. Please see
205	  <file:Documentation/Changes> under "iptables" for the location of
206	  these packages.
207
208if NETFILTER
209
210config NETFILTER_ADVANCED
211	bool "Advanced netfilter configuration"
212	depends on NETFILTER
213	default y
214	help
215	  If you say Y here you can select between all the netfilter modules.
216	  If you say N the more unusual ones will not be shown and the
217	  basic ones needed by most people will default to 'M'.
218
219	  If unsure, say Y.
220
221config BRIDGE_NETFILTER
222	tristate "Bridged IP/ARP packets filtering"
223	depends on BRIDGE
224	depends on NETFILTER && INET
225	depends on NETFILTER_ADVANCED
226	select NETFILTER_FAMILY_BRIDGE
227	select SKB_EXTENSIONS
228	help
229	  Enabling this option will let arptables and iptables see bridged
230	  ARP and IP traffic, respectively. If you want a bridging firewall,
231	  you probably want this option enabled.
232	  Enabling or disabling this option doesn't enable or disable
233	  ebtables.
234
235	  If unsure, say N.
236
237source "net/netfilter/Kconfig"
238source "net/ipv4/netfilter/Kconfig"
239source "net/ipv6/netfilter/Kconfig"
240source "net/bridge/netfilter/Kconfig"
241
242endif
243
244source "net/dccp/Kconfig"
245source "net/sctp/Kconfig"
246source "net/rds/Kconfig"
247source "net/tipc/Kconfig"
248source "net/atm/Kconfig"
249source "net/l2tp/Kconfig"
250source "net/802/Kconfig"
251source "net/bridge/Kconfig"
252source "net/dsa/Kconfig"
253source "net/8021q/Kconfig"
254source "net/llc/Kconfig"
255source "net/appletalk/Kconfig"
256source "net/x25/Kconfig"
257source "net/lapb/Kconfig"
258source "net/phonet/Kconfig"
259source "net/6lowpan/Kconfig"
260source "net/ieee802154/Kconfig"
261source "net/mac802154/Kconfig"
262source "net/sched/Kconfig"
263source "net/dcb/Kconfig"
264source "net/dns_resolver/Kconfig"
265source "net/batman-adv/Kconfig"
266source "net/openvswitch/Kconfig"
267source "net/vmw_vsock/Kconfig"
268source "net/netlink/Kconfig"
269source "net/mpls/Kconfig"
270source "net/nsh/Kconfig"
271source "net/hsr/Kconfig"
272source "net/switchdev/Kconfig"
273source "net/l3mdev/Kconfig"
274source "net/qrtr/Kconfig"
275source "net/ncsi/Kconfig"
276
277config PCPU_DEV_REFCNT
278	bool "Use percpu variables to maintain network device refcount"
279	depends on SMP
280	default y
281	help
282	  Network device refcounts use per-CPU variables if this option is set.
283	  This can be forced to N to detect underflows (with a performance drop).
284
285config MAX_SKB_FRAGS
286	int "Maximum number of fragments per skb_shared_info"
287	range 17 45
288	default 17
289	help
290	  Having more fragments per skb_shared_info can help GRO efficiency.
291	  This helps BIG TCP workloads, but might expose bugs in some
292	  legacy drivers.
293	  This also increases memory overhead of small packets,
294	  and in drivers using build_skb().
295	  If unsure, say 17.
296
297config RPS
298	bool "Receive packet steering"
299	depends on SMP && SYSFS
300	default y
301	help
302	  Software receive side packet steering (RPS) distributes the
303	  load of received packet processing across multiple CPUs.
304
305config RFS_ACCEL
306	bool "Hardware acceleration of RFS"
307	depends on RPS
308	select CPU_RMAP
309	default y
310	help
311	  Allows drivers for multiqueue hardware with flow filter tables to
312	  accelerate RFS.
313
314config SOCK_RX_QUEUE_MAPPING
315	bool
316
317config XPS
318	bool
319	depends on SMP
320	select SOCK_RX_QUEUE_MAPPING
321	default y
322
323config HWBM
324	bool
325
326config CGROUP_NET_PRIO
327	bool "Network priority cgroup"
328	depends on CGROUPS
329	select SOCK_CGROUP_DATA
330	help
331	  Cgroup subsystem for use in assigning processes to network priorities on
332	  a per-interface basis.
333
334config CGROUP_NET_CLASSID
335	bool "Network classid cgroup"
336	depends on CGROUPS
337	select SOCK_CGROUP_DATA
338	help
339	  Cgroup subsystem for use as general purpose socket classid marker that is
340	  being used in cls_cgroup and for netfilter matching.
341
342config NET_RX_BUSY_POLL
343	bool
344	default y if !PREEMPT_RT || (PREEMPT_RT && !NETCONSOLE)
345
346config BQL
347	bool
348	prompt "Enable Byte Queue Limits"
349	depends on SYSFS
350	select DQL
351	default y
352
353config BPF_STREAM_PARSER
354	bool "enable BPF STREAM_PARSER"
355	depends on INET
356	depends on BPF_SYSCALL
357	depends on CGROUP_BPF
358	select STREAM_PARSER
359	select NET_SOCK_MSG
360	help
361	  Enabling this allows a TCP stream parser to be used with
362	  BPF_MAP_TYPE_SOCKMAP.
363
364config NET_FLOW_LIMIT
365	bool "Net flow limit"
366	depends on RPS
367	default y
368	help
369	  The network stack has to drop packets when a receive processing CPU's
370	  backlog reaches netdev_max_backlog. If a few out of many active flows
371	  generate the vast majority of load, drop their traffic earlier to
372	  maintain capacity for the other flows. This feature provides servers
373	  with many clients some protection against DoS by a single (spoofed)
374	  flow that greatly exceeds average workload.
375
376menu "Network testing"
377
378config NET_PKTGEN
379	tristate "Packet Generator (USE WITH CAUTION)"
380	depends on INET && PROC_FS
381	help
382	  This module will inject preconfigured packets, at a configurable
383	  rate, out of a given interface.  It is used for network interface
384	  stress testing and performance analysis.  If you don't understand
385	  what was just said, you don't need it: say N.
386
387	  Documentation on how to use the packet generator can be found
388	  at <file:Documentation/networking/pktgen.rst>.
389
390	  To compile this code as a module, choose M here: the
391	  module will be called pktgen.
392
393config NET_DROP_MONITOR
394	tristate "Network packet drop alerting service"
395	depends on INET && TRACEPOINTS
396	help
397	  This feature provides an alerting service to userspace in the
398	  event that packets are discarded in the network stack.  Alerts
399	  are broadcast via netlink socket to any listening user space
400	  process.  If you don't need network drop alerts, or if you are ok
401	  just checking the various proc files and other utilities for
402	  drop statistics, say N here.
403
404endmenu
405
406endmenu
407
408source "net/ax25/Kconfig"
409source "net/can/Kconfig"
410source "net/bluetooth/Kconfig"
411source "net/rxrpc/Kconfig"
412source "net/kcm/Kconfig"
413source "net/strparser/Kconfig"
414source "net/mctp/Kconfig"
415
416config FIB_RULES
417	bool
418
419menuconfig WIRELESS
420	bool "Wireless"
421	depends on !S390
422	default y
423
424if WIRELESS
425
426source "net/wireless/Kconfig"
427source "net/mac80211/Kconfig"
428
429endif # WIRELESS
430
431source "net/rfkill/Kconfig"
432source "net/9p/Kconfig"
433source "net/caif/Kconfig"
434source "net/ceph/Kconfig"
435source "net/nfc/Kconfig"
436source "net/psample/Kconfig"
437source "net/ife/Kconfig"
438
439config LWTUNNEL
440	bool "Network light weight tunnels"
441	help
442	  This feature provides an infrastructure to support light weight
443	  tunnels like mpls. There is no netdevice associated with a light
444	  weight tunnel endpoint. Tunnel encapsulation parameters are stored
445	  with light weight tunnel state associated with fib routes.
446
447config LWTUNNEL_BPF
448	bool "Execute BPF program as route nexthop action"
449	depends on LWTUNNEL && INET
450	default y if LWTUNNEL=y
451	help
452	  Allows BPF programs to be run as a nexthop action following a route
453	  lookup for incoming and outgoing packets.
454
455config DST_CACHE
456	bool
457	default n
458
459config GRO_CELLS
460	bool
461	default n
462
463config SOCK_VALIDATE_XMIT
464	bool
465
466config NET_IEEE8021Q_HELPERS
467	bool
468
469config NET_SELFTESTS
470	def_tristate PHYLIB
471	depends on PHYLIB && INET
472
473config NET_SOCK_MSG
474	bool
475	default n
476	help
477	  The NET_SOCK_MSG provides a framework for plain sockets (e.g. TCP) or
478	  ULPs (upper layer modules, e.g. TLS) to process L7 application data
479	  with the help of BPF programs.
480
481config NET_DEVLINK
482	bool
483	default n
484
485config PAGE_POOL
486	bool
487
488config PAGE_POOL_STATS
489	default n
490	bool "Page pool stats"
491	depends on PAGE_POOL
492	help
493	  Enable page pool statistics to track page allocation and recycling
494	  in page pools. This option incurs additional CPU cost in allocation
495	  and recycle paths and additional memory cost to store the statistics.
496	  These statistics are only available if this option is enabled and if
497	  the driver using the page pool supports exporting this data.
498
499	  If unsure, say N.
500
501config FAILOVER
502	tristate "Generic failover module"
503	help
504	  The failover module provides a generic interface for paravirtual
505	  drivers to register a netdev and a set of ops with a failover
506	  instance. The ops are used as event handlers that get called to
507	  handle netdev register/unregister/link change/name change events
508	  on slave pci ethernet devices with the same mac address as the
509	  failover netdev. This enables paravirtual drivers to use a
510	  VF as an accelerated low latency datapath. It also allows live
511	  migration of VMs with direct attached VFs by failing over to the
512	  paravirtual datapath when the VF is unplugged.
513
514config ETHTOOL_NETLINK
515	bool "Netlink interface for ethtool"
516	select DIMLIB
517	default y
518	help
519	  An alternative userspace interface for ethtool based on generic
520	  netlink. It provides better extensibility and some new features,
521	  e.g. notification messages.
522
523config NETDEV_ADDR_LIST_TEST
524	tristate "Unit tests for device address list"
525	default KUNIT_ALL_TESTS
526	depends on KUNIT
527
528config NET_TEST
529	tristate "KUnit tests for networking" if !KUNIT_ALL_TESTS
530	depends on KUNIT
531	default KUNIT_ALL_TESTS
532	help
533	  KUnit tests covering core networking infra, such as sk_buff.
534
535	  If unsure, say N.
536
537endif   # if NET
538