1# 2# Network configuration 3# 4 5menuconfig NET 6 bool "Networking support" 7 select NLATTR 8 select GENERIC_NET_UTILS 9 select BPF 10 ---help--- 11 Unless you really know what you are doing, you should say Y here. 12 The reason is that some programs need kernel networking support even 13 when running on a stand-alone machine that isn't connected to any 14 other computer. 15 16 If you are upgrading from an older kernel, you 17 should consider updating your networking tools too because changes 18 in the kernel and the tools often go hand in hand. The tools are 19 contained in the package net-tools, the location and version number 20 of which are given in <file:Documentation/Changes>. 21 22 For a general introduction to Linux networking, it is highly 23 recommended to read the NET-HOWTO, available from 24 <http://www.tldp.org/docs.html#howto>. 25 26if NET 27 28config WANT_COMPAT_NETLINK_MESSAGES 29 bool 30 help 31 This option can be selected by other options that need compat 32 netlink messages. 33 34config COMPAT_NETLINK_MESSAGES 35 def_bool y 36 depends on COMPAT 37 depends on WEXT_CORE || WANT_COMPAT_NETLINK_MESSAGES 38 help 39 This option makes it possible to send different netlink messages 40 to tasks depending on whether the task is a compat task or not. To 41 achieve this, you need to set skb_shinfo(skb)->frag_list to the 42 compat skb before sending the skb, the netlink code will sort out 43 which message to actually pass to the task. 44 45 Newly written code should NEVER need this option but do 46 compat-independent messages instead! 47 48config NET_INGRESS 49 bool 50 51menu "Networking options" 52 53source "net/packet/Kconfig" 54source "net/unix/Kconfig" 55source "net/xfrm/Kconfig" 56source "net/iucv/Kconfig" 57 58config INET 59 bool "TCP/IP networking" 60 select CRYPTO 61 select CRYPTO_AES 62 ---help--- 63 These are the protocols used on the Internet and on most local 64 Ethernets. It is highly recommended to say Y here (this will enlarge 65 your kernel by about 400 KB), since some programs (e.g. the X window 66 system) use TCP/IP even if your machine is not connected to any 67 other computer. You will get the so-called loopback device which 68 allows you to ping yourself (great fun, that!). 69 70 For an excellent introduction to Linux networking, please read the 71 Linux Networking HOWTO, available from 72 <http://www.tldp.org/docs.html#howto>. 73 74 If you say Y here and also to "/proc file system support" and 75 "Sysctl support" below, you can change various aspects of the 76 behavior of the TCP/IP code by writing to the (virtual) files in 77 /proc/sys/net/ipv4/*; the options are explained in the file 78 <file:Documentation/networking/ip-sysctl.txt>. 79 80 Short answer: say Y. 81 82if INET 83source "net/ipv4/Kconfig" 84source "net/ipv6/Kconfig" 85source "net/netlabel/Kconfig" 86 87endif # if INET 88 89config ANDROID_PARANOID_NETWORK 90 bool "Only allow certain groups to create sockets" 91 default y 92 help 93 none 94 95config NETWORK_SECMARK 96 bool "Security Marking" 97 help 98 This enables security marking of network packets, similar 99 to nfmark, but designated for security purposes. 100 If you are unsure how to answer this question, answer N. 101 102config NET_PTP_CLASSIFY 103 def_bool n 104 105config NETWORK_PHY_TIMESTAMPING 106 bool "Timestamping in PHY devices" 107 select NET_PTP_CLASSIFY 108 help 109 This allows timestamping of network packets by PHYs with 110 hardware timestamping capabilities. This option adds some 111 overhead in the transmit and receive paths. 112 113 If you are unsure how to answer this question, answer N. 114 115menuconfig NETFILTER 116 bool "Network packet filtering framework (Netfilter)" 117 ---help--- 118 Netfilter is a framework for filtering and mangling network packets 119 that pass through your Linux box. 120 121 The most common use of packet filtering is to run your Linux box as 122 a firewall protecting a local network from the Internet. The type of 123 firewall provided by this kernel support is called a "packet 124 filter", which means that it can reject individual network packets 125 based on type, source, destination etc. The other kind of firewall, 126 a "proxy-based" one, is more secure but more intrusive and more 127 bothersome to set up; it inspects the network traffic much more 128 closely, modifies it and has knowledge about the higher level 129 protocols, which a packet filter lacks. Moreover, proxy-based 130 firewalls often require changes to the programs running on the local 131 clients. Proxy-based firewalls don't need support by the kernel, but 132 they are often combined with a packet filter, which only works if 133 you say Y here. 134 135 You should also say Y here if you intend to use your Linux box as 136 the gateway to the Internet for a local network of machines without 137 globally valid IP addresses. This is called "masquerading": if one 138 of the computers on your local network wants to send something to 139 the outside, your box can "masquerade" as that computer, i.e. it 140 forwards the traffic to the intended outside destination, but 141 modifies the packets to make it look like they came from the 142 firewall box itself. It works both ways: if the outside host 143 replies, the Linux box will silently forward the traffic to the 144 correct local computer. This way, the computers on your local net 145 are completely invisible to the outside world, even though they can 146 reach the outside and can receive replies. It is even possible to 147 run globally visible servers from within a masqueraded local network 148 using a mechanism called portforwarding. Masquerading is also often 149 called NAT (Network Address Translation). 150 151 Another use of Netfilter is in transparent proxying: if a machine on 152 the local network tries to connect to an outside host, your Linux 153 box can transparently forward the traffic to a local server, 154 typically a caching proxy server. 155 156 Yet another use of Netfilter is building a bridging firewall. Using 157 a bridge with Network packet filtering enabled makes iptables "see" 158 the bridged traffic. For filtering on the lower network and Ethernet 159 protocols over the bridge, use ebtables (under bridge netfilter 160 configuration). 161 162 Various modules exist for netfilter which replace the previous 163 masquerading (ipmasqadm), packet filtering (ipchains), transparent 164 proxying, and portforwarding mechanisms. Please see 165 <file:Documentation/Changes> under "iptables" for the location of 166 these packages. 167 168if NETFILTER 169 170config NETFILTER_DEBUG 171 bool "Network packet filtering debugging" 172 depends on NETFILTER 173 help 174 You can say Y here if you want to get additional messages useful in 175 debugging the netfilter code. 176 177config NETFILTER_ADVANCED 178 bool "Advanced netfilter configuration" 179 depends on NETFILTER 180 default y 181 help 182 If you say Y here you can select between all the netfilter modules. 183 If you say N the more unusual ones will not be shown and the 184 basic ones needed by most people will default to 'M'. 185 186 If unsure, say Y. 187 188config BRIDGE_NETFILTER 189 tristate "Bridged IP/ARP packets filtering" 190 depends on BRIDGE 191 depends on NETFILTER && INET 192 depends on NETFILTER_ADVANCED 193 default m 194 ---help--- 195 Enabling this option will let arptables resp. iptables see bridged 196 ARP resp. IP traffic. If you want a bridging firewall, you probably 197 want this option enabled. 198 Enabling or disabling this option doesn't enable or disable 199 ebtables. 200 201 If unsure, say N. 202 203source "net/netfilter/Kconfig" 204source "net/ipv4/netfilter/Kconfig" 205source "net/ipv6/netfilter/Kconfig" 206source "net/decnet/netfilter/Kconfig" 207source "net/bridge/netfilter/Kconfig" 208 209endif 210 211source "net/dccp/Kconfig" 212source "net/sctp/Kconfig" 213source "net/rds/Kconfig" 214source "net/tipc/Kconfig" 215source "net/atm/Kconfig" 216source "net/l2tp/Kconfig" 217source "net/802/Kconfig" 218source "net/bridge/Kconfig" 219source "net/dsa/Kconfig" 220source "net/8021q/Kconfig" 221source "net/decnet/Kconfig" 222source "net/llc/Kconfig" 223source "net/ipx/Kconfig" 224source "drivers/net/appletalk/Kconfig" 225source "net/x25/Kconfig" 226source "net/lapb/Kconfig" 227source "net/phonet/Kconfig" 228source "net/6lowpan/Kconfig" 229source "net/ieee802154/Kconfig" 230source "net/mac802154/Kconfig" 231source "net/sched/Kconfig" 232source "net/dcb/Kconfig" 233source "net/dns_resolver/Kconfig" 234source "net/batman-adv/Kconfig" 235source "net/openvswitch/Kconfig" 236source "net/vmw_vsock/Kconfig" 237source "net/netlink/Kconfig" 238source "net/mpls/Kconfig" 239source "net/hsr/Kconfig" 240source "net/switchdev/Kconfig" 241source "net/l3mdev/Kconfig" 242 243config RPS 244 bool 245 depends on SMP && SYSFS 246 default y 247 248config RFS_ACCEL 249 bool 250 depends on RPS 251 select CPU_RMAP 252 default y 253 254config XPS 255 bool 256 depends on SMP 257 default y 258 259config CGROUP_NET_PRIO 260 bool "Network priority cgroup" 261 depends on CGROUPS 262 ---help--- 263 Cgroup subsystem for use in assigning processes to network priorities on 264 a per-interface basis. 265 266config CGROUP_NET_CLASSID 267 bool "Network classid cgroup" 268 depends on CGROUPS 269 ---help--- 270 Cgroup subsystem for use as general purpose socket classid marker that is 271 being used in cls_cgroup and for netfilter matching. 272 273config NET_RX_BUSY_POLL 274 bool 275 default y 276 277config BQL 278 bool 279 depends on SYSFS 280 select DQL 281 default y 282 283config BPF_JIT 284 bool "enable BPF Just In Time compiler" 285 depends on HAVE_BPF_JIT 286 depends on MODULES 287 ---help--- 288 Berkeley Packet Filter filtering capabilities are normally handled 289 by an interpreter. This option allows kernel to generate a native 290 code when filter is loaded in memory. This should speedup 291 packet sniffing (libpcap/tcpdump). Note : Admin should enable 292 this feature changing /proc/sys/net/core/bpf_jit_enable 293 294config NET_FLOW_LIMIT 295 bool 296 depends on RPS 297 default y 298 ---help--- 299 The network stack has to drop packets when a receive processing CPU's 300 backlog reaches netdev_max_backlog. If a few out of many active flows 301 generate the vast majority of load, drop their traffic earlier to 302 maintain capacity for the other flows. This feature provides servers 303 with many clients some protection against DoS by a single (spoofed) 304 flow that greatly exceeds average workload. 305 306menu "Network testing" 307 308config NET_PKTGEN 309 tristate "Packet Generator (USE WITH CAUTION)" 310 depends on INET && PROC_FS 311 ---help--- 312 This module will inject preconfigured packets, at a configurable 313 rate, out of a given interface. It is used for network interface 314 stress testing and performance analysis. If you don't understand 315 what was just said, you don't need it: say N. 316 317 Documentation on how to use the packet generator can be found 318 at <file:Documentation/networking/pktgen.txt>. 319 320 To compile this code as a module, choose M here: the 321 module will be called pktgen. 322 323config NET_TCPPROBE 324 tristate "TCP connection probing" 325 depends on INET && PROC_FS && KPROBES 326 ---help--- 327 This module allows for capturing the changes to TCP connection 328 state in response to incoming packets. It is used for debugging 329 TCP congestion avoidance modules. If you don't understand 330 what was just said, you don't need it: say N. 331 332 Documentation on how to use TCP connection probing can be found 333 at: 334 335 http://www.linuxfoundation.org/collaborate/workgroups/networking/tcpprobe 336 337 To compile this code as a module, choose M here: the 338 module will be called tcp_probe. 339 340config NET_DROP_MONITOR 341 tristate "Network packet drop alerting service" 342 depends on INET && TRACEPOINTS 343 ---help--- 344 This feature provides an alerting service to userspace in the 345 event that packets are discarded in the network stack. Alerts 346 are broadcast via netlink socket to any listening user space 347 process. If you don't need network drop alerts, or if you are ok 348 just checking the various proc files and other utilities for 349 drop statistics, say N here. 350 351endmenu 352 353endmenu 354 355source "net/ax25/Kconfig" 356source "net/can/Kconfig" 357source "net/irda/Kconfig" 358source "net/bluetooth/Kconfig" 359source "net/rxrpc/Kconfig" 360 361config FIB_RULES 362 bool 363 364menuconfig WIRELESS 365 bool "Wireless" 366 depends on !S390 367 default y 368 369if WIRELESS 370 371source "net/wireless/Kconfig" 372source "net/mac80211/Kconfig" 373 374endif # WIRELESS 375 376source "net/wimax/Kconfig" 377 378source "net/rfkill/Kconfig" 379source "net/9p/Kconfig" 380source "net/caif/Kconfig" 381source "net/ceph/Kconfig" 382source "net/nfc/Kconfig" 383 384config LWTUNNEL 385 bool "Network light weight tunnels" 386 ---help--- 387 This feature provides an infrastructure to support light weight 388 tunnels like mpls. There is no netdevice associated with a light 389 weight tunnel endpoint. Tunnel encapsulation parameters are stored 390 with light weight tunnel state associated with fib routes. 391 392config DST_CACHE 393 bool 394 default n 395 396endif # if NET 397 398# Used by archs to tell that they support BPF_JIT 399config HAVE_BPF_JIT 400 bool 401 402config HAVE_EBPF_JIT 403 bool 404