#
# IP configuration
#
choice
	prompt "Choose IP: FIB lookup"
	depends on INET
	default IP_FIB_HASH

config IP_FIB_HASH
	bool "FIB_HASH"
	---help---
	  Current FIB is very proven and good enough for most users.

config IP_FIB_TRIE
	bool "FIB_TRIE"
	---help---
	  Use new experimental LC-trie as FIB lookup algorithm.
	  This improves lookup performance.

	  LC-trie is described in:

	  IP-address lookup using LC-tries. Stefan Nilsson and Gunnar Karlsson
	  IEEE Journal on Selected Areas in Communications, 17(6):1083-1092, June 1999
	  An experimental study of compression methods for dynamic tries
	  Stefan Nilsson and Matti Tikkanen. Algorithmica, 33(1):19-33, 2002.
	  http://www.nada.kth.se/~snilsson/public/papers/dyntrie2/

endchoice

config IP_MULTICAST
	bool "IP: multicasting"
	depends on INET
	help
	  This is code for addressing several networked computers at once,
	  enlarging your kernel by about 2 KB. You need multicasting if you
	  intend to participate in the MBONE, a high bandwidth network on top
	  of the Internet which carries audio and video broadcasts. More
	  information about the MBONE is on the WWW at
	  <http://www-itg.lbl.gov/mbone/>. Information about the multicast
	  capabilities of the various network cards is contained in
	  <file:Documentation/networking/multicast.txt>. For most people, it's
	  safe to say N.

config IP_ADVANCED_ROUTER
	bool "IP: advanced router"
	depends on INET
	---help---
	  If you intend to run your Linux box mostly as a router, i.e. as a
	  computer that forwards and redistributes network packets, say Y; you
	  will then be presented with several options that allow more precise
	  control over the routing process.

	  The answer to this question won't directly affect the kernel:
	  answering N will just cause the configurator to skip all the
	  questions about advanced routing.

	  Note that your box can only act as a router if you enable IP
	  forwarding in your kernel; you can do that by saying Y to "/proc
	  file system support" and "Sysctl support" below and executing the
	  line

	    echo "1" > /proc/sys/net/ipv4/ip_forward

	  at boot time after the /proc file system has been mounted.

	  If you turn on IP forwarding, you will also get the rp_filter, which
	  automatically rejects incoming packets if the routing table entry
	  for their source address doesn't match the network interface they're
	  arriving on. This has security advantages because it prevents the
	  so-called IP spoofing; however, it can pose problems if you use
	  asymmetric routing (packets from you to a host take a different path
	  than packets from that host to you) or if you operate a non-routing
	  host which has several IP addresses on different interfaces. To turn
	  rp_filter off use:

	    echo 0 > /proc/sys/net/ipv4/conf/<device>/rp_filter
	  or
	    echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter

	  If unsure, say N here.

config IP_MULTIPLE_TABLES
	bool "IP: policy routing"
	depends on IP_ADVANCED_ROUTER
	---help---
	  Normally, a router decides what to do with a received packet based
	  solely on the packet's final destination address. If you say Y here,
	  the Linux router will also be able to take the packet's source
	  address into account. Furthermore, the TOS (Type-Of-Service) field
	  of the packet can be used for routing decisions as well.

	  If you are interested in this, please see the preliminary
	  documentation at <http://www.compendium.com.ar/policy-routing.txt>
	  and <ftp://post.tepkom.ru/pub/vol2/Linux/docs/advanced-routing.tex>.
	  You will need supporting software from
	  <ftp://ftp.tux.org/pub/net/ip-routing/>.

	  If unsure, say N.

config IP_ROUTE_FWMARK
	bool "IP: use netfilter MARK value as routing key"
	depends on IP_MULTIPLE_TABLES && NETFILTER
	help
	  If you say Y here, you will be able to specify different routes for
	  packets with different mark values (see iptables(8), MARK target).

config IP_ROUTE_MULTIPATH
	bool "IP: equal cost multipath"
	depends on IP_ADVANCED_ROUTER
	help
	  Normally, the routing tables specify a single action to be taken in
	  a deterministic manner for a given packet. If you say Y here
	  however, it becomes possible to attach several actions to a packet
	  pattern, in effect specifying several alternative paths to travel
	  for those packets. The router considers all these paths to be of
	  equal "cost" and chooses one of them in a non-deterministic fashion
	  if a matching packet arrives.

config IP_ROUTE_MULTIPATH_CACHED
	bool "IP: equal cost multipath with caching support (EXPERIMENTAL)"
	depends on IP_ROUTE_MULTIPATH
	help
	  Normally, equal cost multipath routing is not supported by the
	  routing cache. If you say Y here, alternative routes are cached
	  and on cache lookup a route is chosen in a configurable fashion.

	  If unsure, say N.

config IP_ROUTE_MULTIPATH_RR
	tristate "MULTIPATH: round robin algorithm"
	depends on IP_ROUTE_MULTIPATH_CACHED
	help
	  Multipath routes are chosen according to Round Robin.

config IP_ROUTE_MULTIPATH_RANDOM
	tristate "MULTIPATH: random algorithm"
	depends on IP_ROUTE_MULTIPATH_CACHED
	help
	  Multipath routes are chosen in a random fashion. Actually,
	  there is no weight for a route. The advantage of this policy
	  is that it is implemented stateless and therefore introduces only
	  a very small delay.

config IP_ROUTE_MULTIPATH_WRANDOM
	tristate "MULTIPATH: weighted random algorithm"
	depends on IP_ROUTE_MULTIPATH_CACHED
	help
	  Multipath routes are chosen in a weighted random fashion.
	  The per route weights are the weights visible via ip route 2. As the
	  corresponding state management introduces some overhead, routing delay
	  is increased.

config IP_ROUTE_MULTIPATH_DRR
	tristate "MULTIPATH: interface round robin algorithm"
	depends on IP_ROUTE_MULTIPATH_CACHED
	help
	  Connections are distributed in a round robin fashion over the
	  available interfaces. This policy makes sense if the connections
	  should be primarily distributed on interfaces and not on routes.

config IP_ROUTE_VERBOSE
	bool "IP: verbose route monitoring"
	depends on IP_ADVANCED_ROUTER
	help
	  If you say Y here, which is recommended, then the kernel will print
	  verbose messages regarding the routing, for example warnings about
	  received packets which look strange and could be evidence of an
	  attack or a misconfigured system somewhere. The information is
	  handled by the klogd daemon which is responsible for kernel messages
	  ("man klogd").

config IP_PNP
	bool "IP: kernel level autoconfiguration"
	depends on INET
	help
	  This enables automatic configuration of IP addresses of devices and
	  of the routing table during kernel boot, based on either information
	  supplied on the kernel command line or by BOOTP or RARP protocols.
	  You need to say Y only for diskless machines requiring network
	  access to boot (in which case you want to say Y to "Root file system
	  on NFS" as well), because all other machines configure the network
	  in their startup scripts.

config IP_PNP_DHCP
	bool "IP: DHCP support"
	depends on IP_PNP
	---help---
	  If you want your Linux box to mount its whole root file system (the
	  one containing the directory /) from some other computer over the
	  net via NFS and you want the IP address of your computer to be
	  discovered automatically at boot time using the DHCP protocol (a
	  special protocol designed for doing this job), say Y here. In case
	  the boot ROM of your network card was designed for booting Linux and
	  does DHCP itself, providing all necessary information on the kernel
	  command line, you can say N here.

	  If unsure, say Y. Note that if you want to use DHCP, a DHCP server
	  must be operating on your network. Read
	  <file:Documentation/nfsroot.txt> for details.

config IP_PNP_BOOTP
	bool "IP: BOOTP support"
	depends on IP_PNP
	---help---
	  If you want your Linux box to mount its whole root file system (the
	  one containing the directory /) from some other computer over the
	  net via NFS and you want the IP address of your computer to be
	  discovered automatically at boot time using the BOOTP protocol (a
	  special protocol designed for doing this job), say Y here. In case
	  the boot ROM of your network card was designed for booting Linux and
	  does BOOTP itself, providing all necessary information on the kernel
	  command line, you can say N here. If unsure, say Y. Note that if you
	  want to use BOOTP, a BOOTP server must be operating on your network.
	  Read <file:Documentation/nfsroot.txt> for details.

config IP_PNP_RARP
	bool "IP: RARP support"
	depends on IP_PNP
	help
	  If you want your Linux box to mount its whole root file system (the
	  one containing the directory /) from some other computer over the
	  net via NFS and you want the IP address of your computer to be
	  discovered automatically at boot time using the RARP protocol (an
	  older protocol which is being obsoleted by BOOTP and DHCP), say Y
	  here. Note that if you want to use RARP, a RARP server must be
	  operating on your network. Read <file:Documentation/nfsroot.txt> for
	  details.

# not yet ready..
# bool ' IP: ARP support' CONFIG_IP_PNP_ARP
config NET_IPIP
	tristate "IP: tunneling"
	depends on INET
	select INET_TUNNEL
	---help---
	  Tunneling means encapsulating data of one protocol type within
	  another protocol and sending it over a channel that understands the
	  encapsulating protocol. This particular tunneling driver implements
	  encapsulation of IP within IP, which sounds kind of pointless, but
	  can be useful if you want to make your (or some other) machine
	  appear on a different network than it physically is, or to use
	  mobile-IP facilities (allowing laptops to seamlessly move between
	  networks without changing their IP addresses).

	  Saying Y to this option will produce two modules ( = code which can
	  be inserted in and removed from the running kernel whenever you
	  want). Most people won't need this and can say N.

config NET_IPGRE
	tristate "IP: GRE tunnels over IP"
	depends on INET
	select XFRM
	help
	  Tunneling means encapsulating data of one protocol type within
	  another protocol and sending it over a channel that understands the
	  encapsulating protocol. This particular tunneling driver implements
	  GRE (Generic Routing Encapsulation) and at this time allows
	  encapsulating of IPv4 or IPv6 over existing IPv4 infrastructure.
	  This driver is useful if the other endpoint is a Cisco router: Cisco
	  likes GRE much better than the other Linux tunneling driver ("IP
	  tunneling" above). In addition, GRE allows multicast redistribution
	  through the tunnel.

config NET_IPGRE_BROADCAST
	bool "IP: broadcast GRE over IP"
	depends on IP_MULTICAST && NET_IPGRE
	help
	  One application of GRE/IP is to construct a broadcast WAN (Wide Area
	  Network), which looks like a normal Ethernet LAN (Local Area
	  Network), but can be distributed all over the Internet. If you want
	  to do that, say Y here and to "IP multicast routing" below.

config IP_MROUTE
	bool "IP: multicast routing"
	depends on IP_MULTICAST
	help
	  This is used if you want your machine to act as a router for IP
	  packets that have several destination addresses. It is needed on the
	  MBONE, a high bandwidth network on top of the Internet which carries
	  audio and video broadcasts. In order to do that, you would most
	  likely run the program mrouted. Information about the multicast
	  capabilities of the various network cards is contained in
	  <file:Documentation/networking/multicast.txt>. If you haven't heard
	  about it, you don't need it.

config IP_PIMSM_V1
	bool "IP: PIM-SM version 1 support"
	depends on IP_MROUTE
	help
	  Kernel side support for Sparse Mode PIM (Protocol Independent
	  Multicast) version 1. This multicast routing protocol is used widely
	  because Cisco supports it. You need special software to use it
	  (pimd-v1). Please see <http://netweb.usc.edu/pim/> for more
	  information about PIM.

	  Say Y if you want to use PIM-SM v1. Note that you can say N here if
	  you just want to use Dense Mode PIM.

config IP_PIMSM_V2
	bool "IP: PIM-SM version 2 support"
	depends on IP_MROUTE
	help
	  Kernel side support for Sparse Mode PIM version 2. In order to use
	  this, you need an experimental routing daemon supporting it (pimd or
	  gated-5). This routing protocol is not used widely, so say N unless
	  you want to play with it.

config ARPD
	bool "IP: ARP daemon support (EXPERIMENTAL)"
	depends on INET && EXPERIMENTAL
	---help---
	  Normally, the kernel maintains an internal cache which maps IP
	  addresses to hardware addresses on the local network, so that
	  Ethernet/Token Ring/ etc. frames are sent to the proper address on
	  the physical networking layer. For small networks having a few
	  hundred directly connected hosts or less, keeping this address
	  resolution (ARP) cache inside the kernel works well. However,
	  maintaining an internal ARP cache does not work well for very large
	  switched networks, and will use a lot of kernel memory if TCP/IP
	  connections are made to many machines on the network.

	  If you say Y here, the kernel's internal ARP cache will never grow
	  to more than 256 entries (the oldest entries are expired in a LIFO
	  manner) and communication will be attempted with the user space ARP
	  daemon arpd. Arpd then answers the address resolution request either
	  from its own cache or by asking the net.

	  This code is experimental and also obsolete. If you want to use it,
	  you need to find a version of the daemon arpd on the net somewhere,
	  and you should also say Y to "Kernel/User network link driver",
	  below. If unsure, say N.

config SYN_COOKIES
	bool "IP: TCP syncookie support (disabled per default)"
	depends on INET
	---help---
	  Normal TCP/IP networking is open to an attack known as "SYN
	  flooding". This denial-of-service attack prevents legitimate remote
	  users from being able to connect to your computer during an ongoing
	  attack and requires very little work from the attacker, who can
	  operate from anywhere on the Internet.

	  SYN cookies provide protection against this type of attack. If you
	  say Y here, the TCP/IP stack will use a cryptographic challenge
	  protocol known as "SYN cookies" to enable legitimate users to
	  continue to connect, even when your machine is under attack. There
	  is no need for the legitimate users to change their TCP/IP software;
	  SYN cookies work transparently to them. For technical information
	  about SYN cookies, check out <http://cr.yp.to/syncookies.html>.

	  If you are SYN flooded, the source address reported by the kernel is
	  likely to have been forged by the attacker; it is only reported as
	  an aid in tracing the packets to their actual source and should not
	  be taken as absolute truth.

	  SYN cookies may prevent correct error reporting on clients when the
	  server is really overloaded. If this happens frequently, better turn
	  them off.

	  If you say Y here, note that SYN cookies aren't enabled by default;
	  you can enable them by saying Y to "/proc file system support" and
	  "Sysctl support" below and executing the command

	    echo 1 >/proc/sys/net/ipv4/tcp_syncookies

	  at boot time after the /proc file system has been mounted.

	  If unsure, say N.

config INET_AH
	tristate "IP: AH transformation"
	depends on INET
	select XFRM
	select CRYPTO
	select CRYPTO_HMAC
	select CRYPTO_MD5
	select CRYPTO_SHA1
	---help---
	  Support for IPsec AH.

	  If unsure, say Y.

config INET_ESP
	tristate "IP: ESP transformation"
	depends on INET
	select XFRM
	select CRYPTO
	select CRYPTO_HMAC
	select CRYPTO_MD5
	select CRYPTO_SHA1
	select CRYPTO_DES
	---help---
	  Support for IPsec ESP.

	  If unsure, say Y.

config INET_IPCOMP
	tristate "IP: IPComp transformation"
	depends on INET
	select XFRM
	select INET_TUNNEL
	select CRYPTO
	select CRYPTO_DEFLATE
	---help---
	  Support for IP Payload Compression Protocol (IPComp) (RFC3173),
	  typically needed for IPsec.

	  If unsure, say Y.

config INET_TUNNEL
	tristate "IP: tunnel transformation"
	depends on INET
	select XFRM
	---help---
	  Support for generic IP tunnel transformation, which is required by
	  the IP tunneling module as well as tunnel mode IPComp.

	  If unsure, say Y.

config IP_TCPDIAG
	tristate "IP: TCP socket monitoring interface"
	depends on INET
	default y
	---help---
	  Support for TCP socket monitoring interface used by native Linux
	  tools such as ss. ss is included in iproute2, currently downloadable
	  at <http://developer.osdl.org/dev/iproute2>. If you want IPv6 support
	  and have selected IPv6 as a module, you need to build this as a
	  module too.

	  If unsure, say Y.

config IP_TCPDIAG_IPV6
	def_bool (IP_TCPDIAG=y && IPV6=y) || (IP_TCPDIAG=m && IPV6)

source "net/ipv4/ipvs/Kconfig"
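The runtime switches named in the help texts above (ip_forward, rp_filter, tcp_syncookies) can be checked together on a running box; the script below is an added example, not part of the kernel source. The function names and the constructed sample tree are assumptions, and it follows the help text in treating a 0 in either conf/all or conf/<device> as rp_filter off (kernels that take the larger of the two values need a different test).

```sh
#!/bin/sh
# Added example: audit the runtime knobs named in the help text.

# knob ROOT REL: print the knob's value, or "missing" if unreadable.
knob() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo missing; fi
}

# audit_ipv4 [ROOT]: one line per knob; returns 1 if any WARN was printed.
# ROOT defaults to the live tree; pass a copy to audit offline.
audit_ipv4() {
    root=${1:-/proc/sys/net/ipv4}
    findings=0
    echo "INFO ip_forward=$(knob "$root" ip_forward)"
    syn=$(knob "$root" tcp_syncookies)
    case $syn in
        0|missing) echo "WARN tcp_syncookies=$syn"; findings=1 ;;
        *)         echo "OK   tcp_syncookies=$syn" ;;
    esac
    all=$(knob "$root" conf/all/rp_filter)
    for dir in "$root"/conf/*/; do
        dev=$(basename "$dir")
        case $dev in all|default|'*') continue ;; esac
        val=$(knob "$root" "conf/$dev/rp_filter")
        # Assumption taken from the help text: 0 in either file = filter off.
        case "$all:$val" in
            0:*|*:0|*missing*)
                echo "WARN rp_filter off on $dev (all=$all dev=$val)"
                findings=1 ;;
            *)  echo "OK   rp_filter on $dev (all=$all dev=$val)" ;;
        esac
    done
    return $findings
}

# sample_tree: build a constructed /proc/sys/net/ipv4 look-alike, print its path.
sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/conf/all" "$d/conf/eth0" "$d/conf/eth1"
    echo 1 > "$d/ip_forward"
    echo 0 > "$d/tcp_syncookies"
    echo 1 > "$d/conf/all/rp_filter"
    echo 1 > "$d/conf/eth0/rp_filter"
    echo 0 > "$d/conf/eth1/rp_filter"
    echo "$d"
}

# Demo on the constructed tree, so nothing on the live system is read.
demo=$(sample_tree)
audit_ipv4 "$demo" || echo "review the WARN lines above"
rm -rf "$demo"
```

Run `audit_ipv4` with no argument to read the live /proc/sys/net/ipv4 tree.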