xref: /linux/net/Kconfig (revision e58e871becec2d3b04ed91c0c16fe8deac9c9dfa)
1#
2# Network configuration
3#
4
5menuconfig NET
6	bool "Networking support"
7	select NLATTR
8	select GENERIC_NET_UTILS
9	select BPF
10	---help---
11	  Unless you really know what you are doing, you should say Y here.
12	  The reason is that some programs need kernel networking support even
13	  when running on a stand-alone machine that isn't connected to any
14	  other computer.
15
16	  If you are upgrading from an older kernel, you
17	  should consider updating your networking tools too because changes
18	  in the kernel and the tools often go hand in hand. The tools are
19	  contained in the package net-tools, the location and version number
20	  of which are given in <file:Documentation/Changes>.
21
22	  For a general introduction to Linux networking, it is highly
23	  recommended to read the NET-HOWTO, available from
24	  <http://www.tldp.org/docs.html#howto>.
25
26if NET
27
28config WANT_COMPAT_NETLINK_MESSAGES
29	bool
30	help
31	  This option can be selected by other options that need compat
32	  netlink messages.
33
34config COMPAT_NETLINK_MESSAGES
35	def_bool y
36	depends on COMPAT
37	depends on WEXT_CORE || WANT_COMPAT_NETLINK_MESSAGES
38	help
39	  This option makes it possible to send different netlink messages
40	  to tasks depending on whether the task is a compat task or not. To
41	  achieve this, you need to set skb_shinfo(skb)->frag_list to the
42	  compat skb before sending the skb; the netlink code will then sort
43	  out which message to actually pass to the task.
44
45	  Newly written code should NEVER need this option but should use
46	  compat-independent messages instead!
47
48config NET_INGRESS
49	bool
50
51config NET_EGRESS
52	bool
53
54menu "Networking options"
55
56source "net/packet/Kconfig"
57source "net/unix/Kconfig"
58source "net/xfrm/Kconfig"
59source "net/iucv/Kconfig"
60source "net/smc/Kconfig"
61
62config INET
63	bool "TCP/IP networking"
64	select CRYPTO
65	select CRYPTO_AES
66	---help---
67	  These are the protocols used on the Internet and on most local
68	  Ethernets. It is highly recommended to say Y here (this will enlarge
69	  your kernel by about 400 KB), since some programs (e.g. the X window
70	  system) use TCP/IP even if your machine is not connected to any
71	  other computer. You will get the so-called loopback device which
72	  allows you to ping yourself (great fun, that!).
73
74	  For an excellent introduction to Linux networking, please read the
75	  Linux Networking HOWTO, available from
76	  <http://www.tldp.org/docs.html#howto>.
77
78	  If you say Y here and also to "/proc file system support" and
79	  "Sysctl support" below, you can change various aspects of the
80	  behavior of the TCP/IP code by writing to the (virtual) files in
81	  /proc/sys/net/ipv4/*; the options are explained in the file
82	  <file:Documentation/networking/ip-sysctl.txt>.
83
84	  Short answer: say Y.
85
86if INET
87source "net/ipv4/Kconfig"
88source "net/ipv6/Kconfig"
89source "net/netlabel/Kconfig"
90
91endif # if INET
92
93config NETWORK_SECMARK
94	bool "Security Marking"
95	help
96	  This enables security marking of network packets, similar
97	  to nfmark, but designated for security purposes.
98	  If you are unsure how to answer this question, answer N.
99
100config NET_PTP_CLASSIFY
101	def_bool n
102
103config NETWORK_PHY_TIMESTAMPING
104	bool "Timestamping in PHY devices"
105	select NET_PTP_CLASSIFY
106	help
107	  This allows timestamping of network packets by PHYs with
108	  hardware timestamping capabilities. This option adds some
109	  overhead in the transmit and receive paths.
110
111	  If you are unsure how to answer this question, answer N.
112
113menuconfig NETFILTER
114	bool "Network packet filtering framework (Netfilter)"
115	---help---
116	  Netfilter is a framework for filtering and mangling network packets
117	  that pass through your Linux box.
118
119	  The most common use of packet filtering is to run your Linux box as
120	  a firewall protecting a local network from the Internet. The type of
121	  firewall provided by this kernel support is called a "packet
122	  filter", which means that it can reject individual network packets
123	  based on type, source, destination etc. The other kind of firewall,
124	  a "proxy-based" one, is more secure but more intrusive and more
125	  bothersome to set up; it inspects the network traffic much more
126	  closely, modifies it and has knowledge about the higher level
127	  protocols, which a packet filter lacks. Moreover, proxy-based
128	  firewalls often require changes to the programs running on the local
129	  clients. Proxy-based firewalls don't need support by the kernel, but
130	  they are often combined with a packet filter, which only works if
131	  you say Y here.
132
133	  You should also say Y here if you intend to use your Linux box as
134	  the gateway to the Internet for a local network of machines without
135	  globally valid IP addresses. This is called "masquerading": if one
136	  of the computers on your local network wants to send something to
137	  the outside, your box can "masquerade" as that computer, i.e. it
138	  forwards the traffic to the intended outside destination, but
139	  modifies the packets to make it look like they came from the
140	  firewall box itself. It works both ways: if the outside host
141	  replies, the Linux box will silently forward the traffic to the
142	  correct local computer. This way, the computers on your local net
143	  are completely invisible to the outside world, even though they can
144	  reach the outside and can receive replies. It is even possible to
145	  run globally visible servers from within a masqueraded local network
146	  using a mechanism called portforwarding. Masquerading is also often
147	  called NAT (Network Address Translation).
148
149	  Another use of Netfilter is in transparent proxying: if a machine on
150	  the local network tries to connect to an outside host, your Linux
151	  box can transparently forward the traffic to a local server,
152	  typically a caching proxy server.
153
154	  Yet another use of Netfilter is building a bridging firewall. Using
155	  a bridge with Network packet filtering enabled makes iptables "see"
156	  the bridged traffic. For filtering on the lower network and Ethernet
157	  protocols over the bridge, use ebtables (under bridge netfilter
158	  configuration).
159
160	  Various modules exist for netfilter which replace the previous
161	  masquerading (ipmasqadm), packet filtering (ipchains), transparent
162	  proxying, and portforwarding mechanisms. Please see
163	  <file:Documentation/Changes> under "iptables" for the location of
164	  these packages.
165
166if NETFILTER
167
168config NETFILTER_DEBUG
169	bool "Network packet filtering debugging"
170	depends on NETFILTER
171	help
172	  You can say Y here if you want to get additional messages useful in
173	  debugging the netfilter code.
174
175config NETFILTER_ADVANCED
176	bool "Advanced netfilter configuration"
177	depends on NETFILTER
178	default y
179	help
180	  If you say Y here you can select between all the netfilter modules.
181	  If you say N the more unusual ones will not be shown and the
182	  basic ones needed by most people will default to 'M'.
183
184	  If unsure, say Y.
185
186config BRIDGE_NETFILTER
187	tristate "Bridged IP/ARP packets filtering"
188	depends on BRIDGE
189	depends on NETFILTER && INET
190	depends on NETFILTER_ADVANCED
191	default m
192	---help---
193	  Enabling this option will let arptables and iptables see bridged
194	  ARP and IP traffic, respectively. If you want a bridging firewall,
195	  you probably want this option enabled.
196	  Enabling or disabling this option doesn't enable or disable
197	  ebtables.
198
199	  If unsure, say N.
200
201source "net/netfilter/Kconfig"
202source "net/ipv4/netfilter/Kconfig"
203source "net/ipv6/netfilter/Kconfig"
204source "net/decnet/netfilter/Kconfig"
205source "net/bridge/netfilter/Kconfig"
206
207endif
208
209source "net/dccp/Kconfig"
210source "net/sctp/Kconfig"
211source "net/rds/Kconfig"
212source "net/tipc/Kconfig"
213source "net/atm/Kconfig"
214source "net/l2tp/Kconfig"
215source "net/802/Kconfig"
216source "net/bridge/Kconfig"
217source "net/dsa/Kconfig"
218source "net/8021q/Kconfig"
219source "net/decnet/Kconfig"
220source "net/llc/Kconfig"
221source "net/ipx/Kconfig"
222source "drivers/net/appletalk/Kconfig"
223source "net/x25/Kconfig"
224source "net/lapb/Kconfig"
225source "net/phonet/Kconfig"
226source "net/6lowpan/Kconfig"
227source "net/ieee802154/Kconfig"
228source "net/mac802154/Kconfig"
229source "net/sched/Kconfig"
230source "net/dcb/Kconfig"
231source "net/dns_resolver/Kconfig"
232source "net/batman-adv/Kconfig"
233source "net/openvswitch/Kconfig"
234source "net/vmw_vsock/Kconfig"
235source "net/netlink/Kconfig"
236source "net/mpls/Kconfig"
237source "net/hsr/Kconfig"
238source "net/switchdev/Kconfig"
239source "net/l3mdev/Kconfig"
240source "net/qrtr/Kconfig"
241source "net/ncsi/Kconfig"
242
243config RPS
244	bool
245	depends on SMP && SYSFS
246	default y
247
248config RFS_ACCEL
249	bool
250	depends on RPS
251	select CPU_RMAP
252	default y
253
254config XPS
255	bool
256	depends on SMP
257	default y
258
259config HWBM
260       bool
261
262config CGROUP_NET_PRIO
263	bool "Network priority cgroup"
264	depends on CGROUPS
265	select SOCK_CGROUP_DATA
266	---help---
267	  Cgroup subsystem for assigning processes to network priorities on
268	  a per-interface basis.
269
270config CGROUP_NET_CLASSID
271	bool "Network classid cgroup"
272	depends on CGROUPS
273	select SOCK_CGROUP_DATA
274	---help---
275	  Cgroup subsystem for use as a general-purpose socket classid marker
276	  that is used in cls_cgroup and for netfilter matching.
277
278config NET_RX_BUSY_POLL
279	bool
280	default y
281
282config BQL
283	bool
284	depends on SYSFS
285	select DQL
286	default y
287
288config BPF_JIT
289	bool "enable BPF Just In Time compiler"
290	depends on HAVE_CBPF_JIT || HAVE_EBPF_JIT
291	depends on MODULES
292	---help---
293	  Berkeley Packet Filter filtering capabilities are normally handled
294	  by an interpreter. This option allows the kernel to generate native
295	  code when a filter is loaded into memory. This should speed up
296	  packet sniffing (libpcap/tcpdump).
297
298	  Note: the admin should enable this feature by changing:
299	  /proc/sys/net/core/bpf_jit_enable
300	  /proc/sys/net/core/bpf_jit_harden   (optional)
301	  /proc/sys/net/core/bpf_jit_kallsyms (optional)
302
303config NET_FLOW_LIMIT
304	bool
305	depends on RPS
306	default y
307	---help---
308	  The network stack has to drop packets when a receive processing CPU's
309	  backlog reaches netdev_max_backlog. If a few out of many active flows
310	  generate the vast majority of load, drop their traffic earlier to
311	  maintain capacity for the other flows. This feature provides servers
312	  with many clients some protection against DoS by a single (spoofed)
313	  flow that greatly exceeds average workload.
314
315menu "Network testing"
316
317config NET_PKTGEN
318	tristate "Packet Generator (USE WITH CAUTION)"
319	depends on INET && PROC_FS
320	---help---
321	  This module will inject preconfigured packets, at a configurable
322	  rate, out of a given interface.  It is used for network interface
323	  stress testing and performance analysis.  If you don't understand
324	  what was just said, you don't need it: say N.
325
326	  Documentation on how to use the packet generator can be found
327	  at <file:Documentation/networking/pktgen.txt>.
328
329	  To compile this code as a module, choose M here: the
330	  module will be called pktgen.
331
332config NET_TCPPROBE
333	tristate "TCP connection probing"
334	depends on INET && PROC_FS && KPROBES
335	---help---
336	This module allows for capturing the changes to TCP connection
337	state in response to incoming packets. It is used for debugging
338	TCP congestion avoidance modules. If you don't understand
339	what was just said, you don't need it: say N.
340
341	Documentation on how to use TCP connection probing can be found
342	at:
343
344	  http://www.linuxfoundation.org/collaborate/workgroups/networking/tcpprobe
345
346	To compile this code as a module, choose M here: the
347	module will be called tcp_probe.
348
349config NET_DROP_MONITOR
350	tristate "Network packet drop alerting service"
351	depends on INET && TRACEPOINTS
352	---help---
353	This feature provides an alerting service to userspace in the
354	event that packets are discarded in the network stack.  Alerts
355	are broadcast via netlink socket to any listening user space
356	process.  If you don't need network drop alerts, or if you are ok
357	just checking the various proc files and other utilities for
358	drop statistics, say N here.
359
360endmenu
361
362endmenu
363
364source "net/ax25/Kconfig"
365source "net/can/Kconfig"
366source "net/irda/Kconfig"
367source "net/bluetooth/Kconfig"
368source "net/rxrpc/Kconfig"
369source "net/kcm/Kconfig"
370source "net/strparser/Kconfig"
371
372config FIB_RULES
373	bool
374
375menuconfig WIRELESS
376	bool "Wireless"
377	depends on !S390
378	default y
379
380if WIRELESS
381
382source "net/wireless/Kconfig"
383source "net/mac80211/Kconfig"
384
385endif # WIRELESS
386
387source "net/wimax/Kconfig"
388
389source "net/rfkill/Kconfig"
390source "net/9p/Kconfig"
391source "net/caif/Kconfig"
392source "net/ceph/Kconfig"
393source "net/nfc/Kconfig"
394source "net/psample/Kconfig"
395source "net/ife/Kconfig"
396
397config LWTUNNEL
398	bool "Network light weight tunnels"
399	---help---
400	  This feature provides an infrastructure to support light weight
401	  tunnels like mpls. There is no netdevice associated with a light
402	  weight tunnel endpoint. Tunnel encapsulation parameters are stored
403	  with light weight tunnel state associated with fib routes.
404
405config LWTUNNEL_BPF
406	bool "Execute BPF program as route nexthop action"
407	depends on LWTUNNEL
408	default y if LWTUNNEL=y
409	---help---
410	  Allows BPF programs to be run as a nexthop action following a route
411	  lookup for incoming and outgoing packets.
412
413config DST_CACHE
414	bool
415	default n
416
417config GRO_CELLS
418	bool
419	default n
420
421config NET_DEVLINK
422	tristate "Network physical/parent device Netlink interface"
423	help
424	  Network physical/parent device Netlink interface provides
425	  infrastructure to support access to physical chip-wide config and
426	  monitoring.
427
428config MAY_USE_DEVLINK
429	tristate
430	default m if NET_DEVLINK=m
431	default y if NET_DEVLINK=y || NET_DEVLINK=n
432	help
433	  Drivers using the devlink infrastructure should have a dependency
434	  on MAY_USE_DEVLINK to ensure they do not cause link errors when
435	  devlink is a loadable module and the driver using it is built-in.
436
437endif   # if NET
438
439# Used by archs to indicate that they support a BPF JIT compiler, and which
440# flavour. Only one of the two can be selected for a specific arch, since the
441# eBPF JIT supersedes the cBPF JIT.
442
443# Classic BPF JIT (cBPF)
444config HAVE_CBPF_JIT
445	bool
446
447# Extended BPF JIT (eBPF)
448config HAVE_EBPF_JIT
449	bool
450