| blob | be334d427b7027e40757a5492dc7819b37c49c05 |
1 #
2 # IP configuration
3 #
4 config IP_MULTICAST
5 bool "IP: multicasting"
6 depends on INET
7 help
8 This is code for addressing several networked computers at once,
9 enlarging your kernel by about 2 KB. You need multicasting if you
10 intend to participate in the MBONE, a high bandwidth network on top
11 of the Internet which carries audio and video broadcasts. More
12 information about the MBONE is on the WWW at
13 <http://www-itg.lbl.gov/mbone/>. Information about the multicast
14 capabilities of the various network cards is contained in
15 <file:Documentation/networking/multicast.txt>. For most people, it's
16 safe to say N.
18 config IP_ADVANCED_ROUTER
19 bool "IP: advanced router"
20 depends on INET
21 ---help---
22 If you intend to run your Linux box mostly as a router, i.e. as a
23 computer that forwards and redistributes network packets, say Y; you
24 will then be presented with several options that allow more precise
25 control about the routing process.
27 The answer to this question won't directly affect the kernel:
28 answering N will just cause the configurator to skip all the
29 questions about advanced routing.
31 Note that your box can only act as a router if you enable IP
32 forwarding in your kernel; you can do that by saying Y to "/proc
33 file system support" and "Sysctl support" below and executing the
34 line
36 echo "1" > /proc/sys/net/ipv4/ip_forward
38 at boot time after the /proc file system has been mounted.
40 If you turn on IP forwarding, you will also get the rp_filter, which
41 automatically rejects incoming packets if the routing table entry
42 for their source address doesn't match the network interface they're
43 arriving on. This has security advantages because it prevents the
44 so-called IP spoofing, however it can pose problems if you use
45 asymmetric routing (packets from you to a host take a different path
46 than packets from that host to you) or if you operate a non-routing
47 host which has several IP addresses on different interfaces. To turn
48 rp_filter off use:
50 echo 0 > /proc/sys/net/ipv4/conf/<device>/rp_filter
51 or
52 echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
54 If unsure, say N here.
56 config IP_MULTIPLE_TABLES
57 bool "IP: policy routing"
58 depends on IP_ADVANCED_ROUTER
59 ---help---
60 Normally, a router decides what to do with a received packet based
61 solely on the packet's final destination address. If you say Y here,
62 the Linux router will also be able to take the packet's source
63 address into account. Furthermore, if you also say Y to "Use TOS
64 value as routing key" below, the TOS (Type-Of-Service) field of the
65 packet can be used for routing decisions as well. In addition, if
66 you say Y here and to "Fast network address translation" below,
67 the router will also be able to modify source and destination
68 addresses of forwarded packets.
70 If you are interested in this, please see the preliminary
71 documentation at <http://www.compendium.com.ar/policy-routing.txt>
72 and <ftp://post.tepkom.ru/pub/vol2/Linux/docs/advanced-routing.tex>.
73 You will need supporting software from
74 <ftp://ftp.inr.ac.ru/ip-routing/>.
76 If unsure, say N.
78 config IP_ROUTE_FWMARK
79 bool "IP: use netfilter MARK value as routing key"
80 depends on IP_MULTIPLE_TABLES && NETFILTER
81 help
82 If you say Y here, you will be able to specify different routes for
83 packets with different mark values (see iptables(8), MARK target).
85 config IP_ROUTE_NAT
86 bool "IP: fast network address translation"
87 depends on IP_MULTIPLE_TABLES
88 help
89 If you say Y here, your router will be able to modify source and
90 destination addresses of packets that pass through it, in a manner
91 you specify. General information about Network Address Translation
92 can be gotten from the document
93 <http://www.csn.tu-chemnitz.de/~mha/linux-ip-nat/diplom/nat.html>.
95 config IP_ROUTE_MULTIPATH
96 bool "IP: equal cost multipath"
97 depends on IP_ADVANCED_ROUTER
98 help
99 Normally, the routing tables specify a single action to be taken in
100 a deterministic manner for a given packet. If you say Y here
101 however, it becomes possible to attach several actions to a packet
102 pattern, in effect specifying several alternative paths to travel
103 for those packets. The router considers all these paths to be of
104 equal "cost" and chooses one of them in a non-deterministic fashion
105 if a matching packet arrives.
107 config IP_ROUTE_TOS
108 bool "IP: use TOS value as routing key"
109 depends on IP_ADVANCED_ROUTER
110 help
111 The header of every IP packet carries a TOS (Type Of Service) value
112 with which the packet requests a certain treatment, e.g. low
113 latency (for interactive traffic), high throughput, or high
114 reliability. If you say Y here, you will be able to specify
115 different routes for packets with different TOS values.
117 config IP_ROUTE_VERBOSE
118 bool "IP: verbose route monitoring"
119 depends on IP_ADVANCED_ROUTER
120 help
121 If you say Y here, which is recommended, then the kernel will print
122 verbose messages regarding the routing, for example warnings about
123 received packets which look strange and could be evidence of an
124 attack or a misconfigured system somewhere. The information is
125 handled by the klogd daemon which is responsible for kernel messages
126 ("man klogd").
128 config IP_PNP
129 bool "IP: kernel level autoconfiguration"
130 depends on INET
131 help
132 This enables automatic configuration of IP addresses of devices and
133 of the routing table during kernel boot, based on either information
134 supplied on the kernel command line or by BOOTP or RARP protocols.
135 You need to say Y only for diskless machines requiring network
136 access to boot (in which case you want to say Y to "Root file system
137 on NFS" as well), because all other machines configure the network
138 in their startup scripts.
140 config IP_PNP_DHCP
141 bool "IP: DHCP support"
142 depends on IP_PNP
143 ---help---
144 If you want your Linux box to mount its whole root file system (the
145 one containing the directory /) from some other computer over the
146 net via NFS and you want the IP address of your computer to be
147 discovered automatically at boot time using the DHCP protocol (a
148 special protocol designed for doing this job), say Y here. In case
149 the boot ROM of your network card was designed for booting Linux and
150 does DHCP itself, providing all necessary information on the kernel
151 command line, you can say N here.
153 If unsure, say Y. Note that if you want to use DHCP, a DHCP server
154 must be operating on your network. Read
155 <file:Documentation/nfsroot.txt> for details.
157 config IP_PNP_BOOTP
158 bool "IP: BOOTP support"
159 depends on IP_PNP
160 ---help---
161 If you want your Linux box to mount its whole root file system (the
162 one containing the directory /) from some other computer over the
163 net via NFS and you want the IP address of your computer to be
164 discovered automatically at boot time using the BOOTP protocol (a
165 special protocol designed for doing this job), say Y here. In case
166 the boot ROM of your network card was designed for booting Linux and
167 does BOOTP itself, providing all necessary information on the kernel
168 command line, you can say N here. If unsure, say Y. Note that if you
169 want to use BOOTP, a BOOTP server must be operating on your network.
170 Read <file:Documentation/nfsroot.txt> for details.
172 config IP_PNP_RARP
173 bool "IP: RARP support"
174 depends on IP_PNP
175 help
176 If you want your Linux box to mount its whole root file system (the
177 one containing the directory /) from some other computer over the
178 net via NFS and you want the IP address of your computer to be
179 discovered automatically at boot time using the RARP protocol (an
180 older protocol which is being obsoleted by BOOTP and DHCP), say Y
181 here. Note that if you want to use RARP, a RARP server must be
182 operating on your network. Read <file:Documentation/nfsroot.txt> for
183 details.
185 # not yet ready..
186 # bool ' IP: ARP support' CONFIG_IP_PNP_ARP
187 config NET_IPIP
188 tristate "IP: tunneling"
189 depends on INET
190 ---help---
191 Tunneling means encapsulating data of one protocol type within
192 another protocol and sending it over a channel that understands the
193 encapsulating protocol. This particular tunneling driver implements
194 encapsulation of IP within IP, which sounds kind of pointless, but
195 can be useful if you want to make your (or some other) machine
196 appear on a different network than it physically is, or to use
197 mobile-IP facilities (allowing laptops to seamlessly move between
198 networks without changing their IP addresses; check out
199 <http://anchor.cs.binghamton.edu/~mobileip/LJ/index.html>).
201 Saying Y to this option will produce two modules ( = code which can
202 be inserted in and removed from the running kernel whenever you
203 want). Most people won't need this and can say N.
205 config NET_IPGRE
206 tristate "IP: GRE tunnels over IP"
207 depends on INET
208 help
209 Tunneling means encapsulating data of one protocol type within
210 another protocol and sending it over a channel that understands the
211 encapsulating protocol. This particular tunneling driver implements
212 GRE (Generic Routing Encapsulation) and at this time allows
213 encapsulating of IPv4 or IPv6 over existing IPv4 infrastructure.
214 This driver is useful if the other endpoint is a Cisco router: Cisco
215 likes GRE much better than the other Linux tunneling driver ("IP
216 tunneling" above). In addition, GRE allows multicast redistribution
217 through the tunnel.
219 config NET_IPGRE_BROADCAST
220 bool "IP: broadcast GRE over IP"
221 depends on IP_MULTICAST && NET_IPGRE
222 help
223 One application of GRE/IP is to construct a broadcast WAN (Wide Area
224 Network), which looks like a normal Ethernet LAN (Local Area
225 Network), but can be distributed all over the Internet. If you want
226 to do that, say Y here and to "IP multicast routing" below.
228 config IP_MROUTE
229 bool "IP: multicast routing"
230 depends on IP_MULTICAST
231 help
232 This is used if you want your machine to act as a router for IP
233 packets that have several destination addresses. It is needed on the
234 MBONE, a high bandwidth network on top of the Internet which carries
235 audio and video broadcasts. In order to do that, you would most
236 likely run the program mrouted. Information about the multicast
237 capabilities of the various network cards is contained in
238 <file:Documentation/networking/multicast.txt>. If you haven't heard
239 about it, you don't need it.
241 config IP_PIMSM_V1
242 bool "IP: PIM-SM version 1 support"
243 depends on IP_MROUTE
244 help
245 Kernel side support for Sparse Mode PIM (Protocol Independent
246 Multicast) version 1. This multicast routing protocol is used widely
247 because Cisco supports it. You need special software to use it
248 (pimd-v1). Please see <http://netweb.usc.edu/pim/> for more
249 information about PIM.
251 Say Y if you want to use PIM-SM v1. Note that you can say N here if
252 you just want to use Dense Mode PIM.
254 config IP_PIMSM_V2
255 bool "IP: PIM-SM version 2 support"
256 depends on IP_MROUTE
257 help
258 Kernel side support for Sparse Mode PIM version 2. In order to use
259 this, you need an experimental routing daemon supporting it (pimd or
260 gated-5). This routing protocol is not used widely, so say N unless
261 you want to play with it.
263 config ARPD
264 bool "IP: ARP daemon support (EXPERIMENTAL)"
265 depends on INET && EXPERIMENTAL
266 ---help---
267 Normally, the kernel maintains an internal cache which maps IP
268 addresses to hardware addresses on the local network, so that
269 Ethernet/Token Ring/ etc. frames are sent to the proper address on
270 the physical networking layer. For small networks having a few
271 hundred directly connected hosts or less, keeping this address
272 resolution (ARP) cache inside the kernel works well. However,
273 maintaining an internal ARP cache does not work well for very large
274 switched networks, and will use a lot of kernel memory if TCP/IP
275 connections are made to many machines on the network.
277 If you say Y here, the kernel's internal ARP cache will never grow
278 to more than 256 entries (the oldest entries are expired in a LIFO
279 manner) and communication will be attempted with the user space ARP
280 daemon arpd. Arpd then answers the address resolution request either
281 from its own cache or by asking the net.
283 This code is experimental and also obsolete. If you want to use it,
284 you need to find a version of the daemon arpd on the net somewhere,
285 and you should also say Y to "Kernel/User network link driver",
286 below. If unsure, say N.
288 config INET_ECN
289 bool "IP: TCP Explicit Congestion Notification support"
290 depends on INET
291 ---help---
292 Explicit Congestion Notification (ECN) allows routers to notify
293 clients about network congestion, resulting in fewer dropped packets
294 and increased network performance. This option adds ECN support to
295 the Linux kernel, as well as a sysctl (/proc/sys/net/ipv4/tcp_ecn)
296 which allows ECN support to be disabled at runtime.
298 Note that, on the Internet, there are many broken firewalls which
299 refuse connections from ECN-enabled machines, and it may be a while
300 before these firewalls are fixed. Until then, to access a site
301 behind such a firewall (some of which are major sites, at the time
302 of this writing) you will have to disable this option, either by
303 saying N now or by using the sysctl.
305 If in doubt, say N.
307 config SYN_COOKIES
308 bool "IP: TCP syncookie support (disabled per default)"
309 depends on INET
310 ---help---
311 Normal TCP/IP networking is open to an attack known as "SYN
312 flooding". This denial-of-service attack prevents legitimate remote
313 users from being able to connect to your computer during an ongoing
314 attack and requires very little work from the attacker, who can
315 operate from anywhere on the Internet.
317 SYN cookies provide protection against this type of attack. If you
318 say Y here, the TCP/IP stack will use a cryptographic challenge
319 protocol known as "SYN cookies" to enable legitimate users to
320 continue to connect, even when your machine is under attack. There
321 is no need for the legitimate users to change their TCP/IP software;
322 SYN cookies work transparently to them. For technical information
323 about SYN cookies, check out <http://cr.yp.to/syncookies.html>.
325 If you are SYN flooded, the source address reported by the kernel is
326 likely to have been forged by the attacker; it is only reported as
327 an aid in tracing the packets to their actual source and should not
328 be taken as absolute truth.
330 SYN cookies may prevent correct error reporting on clients when the
331 server is really overloaded. If this happens frequently better turn
332 them off.
334 If you say Y here, note that SYN cookies aren't enabled by default;
335 you can enable them by saying Y to "/proc file system support" and
336 "Sysctl support" below and executing the command
338 echo 1 >/proc/sys/net/ipv4/tcp_syncookies
340 at boot time after the /proc file system has been mounted.
342 If unsure, say N.
344 config INET_AH
345 tristate "IP: AH transformation"
346 select CRYPTO
347 select CRYPTO_HMAC
348 select CRYPTO_MD5
349 select CRYPTO_SHA1
350 ---help---
351 Support for IPsec AH.
353 If unsure, say Y.
355 config INET_ESP
356 tristate "IP: ESP transformation"
357 select CRYPTO
358 select CRYPTO_HMAC
359 select CRYPTO_MD5
360 select CRYPTO_SHA1
361 select CRYPTO_DES
362 ---help---
363 Support for IPsec ESP.
365 If unsure, say Y.
367 config INET_IPCOMP
368 tristate "IP: IPComp transformation"
369 select CRYPTO
370 select CRYPTO_DEFLATE
371 ---help---
372 Support for IP Paylod Compression (RFC3173), typically needed
373 for IPsec.
375 If unsure, say Y.
377 source "net/ipv4/netfilter/Kconfig"
378 source "net/ipv4/ipvs/Kconfig"