#
# IP configuration
#
config IP_MULTICAST
	bool "IP: multicasting"
	depends on INET
	help
	  This is code for addressing several networked computers at once,
	  enlarging your kernel by about 2 KB. You need multicasting if you
	  intend to participate in the MBONE, a high bandwidth network on top
	  of the Internet which carries audio and video broadcasts. More
	  information about the MBONE is on the WWW at
	  <http://www-itg.lbl.gov/mbone/>. Information about the multicast
	  capabilities of the various network cards is contained in
	  <file:Documentation/networking/multicast.txt>. For most people, it's
	  safe to say N.

config IP_ADVANCED_ROUTER
	bool "IP: advanced router"
	depends on INET
	---help---
	  If you intend to run your Linux box mostly as a router, i.e. as a
	  computer that forwards and redistributes network packets, say Y; you
	  will then be presented with several options that allow more precise
	  control over the routing process.

	  The answer to this question won't directly affect the kernel:
	  answering N will just cause the configurator to skip all the
	  questions about advanced routing.

	  Note that your box can only act as a router if you enable IP
	  forwarding in your kernel; you can do that by saying Y to "/proc
	  file system support" and "Sysctl support" below and executing the
	  line

	  echo "1" > /proc/sys/net/ipv4/ip_forward

	  at boot time after the /proc file system has been mounted.

	  If you turn on IP forwarding, you will also get the rp_filter, which
	  automatically rejects incoming packets if the routing table entry
	  for their source address doesn't match the network interface they're
	  arriving on.
	  This has security advantages because it prevents the
	  so-called IP spoofing, however it can pose problems if you use
	  asymmetric routing (packets from you to a host take a different path
	  than packets from that host to you) or if you operate a non-routing
	  host which has several IP addresses on different interfaces. To turn
	  rp_filter off use:

	  echo 0 > /proc/sys/net/ipv4/conf/<device>/rp_filter
	  or
	  echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter

	  If unsure, say N here.

config IP_MULTIPLE_TABLES
	bool "IP: policy routing"
	depends on IP_ADVANCED_ROUTER
	---help---
	  Normally, a router decides what to do with a received packet based
	  solely on the packet's final destination address. If you say Y here,
	  the Linux router will also be able to take the packet's source
	  address into account. Furthermore, if you also say Y to "Use TOS
	  value as routing key" below, the TOS (Type-Of-Service) field of the
	  packet can be used for routing decisions as well. In addition, if
	  you say Y here and to "Fast network address translation" below,
	  the router will also be able to modify source and destination
	  addresses of forwarded packets.

	  If you are interested in this, please see the preliminary
	  documentation at <http://www.compendium.com.ar/policy-routing.txt>
	  and <ftp://post.tepkom.ru/pub/vol2/Linux/docs/advanced-routing.tex>.
	  You will need supporting software from
	  <ftp://ftp.inr.ac.ru/ip-routing/>.

	  If unsure, say N.

config IP_ROUTE_FWMARK
	bool "IP: use netfilter MARK value as routing key"
	depends on IP_MULTIPLE_TABLES && NETFILTER
	help
	  If you say Y here, you will be able to specify different routes for
	  packets with different mark values (see iptables(8), MARK target).

config IP_ROUTE_NAT
	bool "IP: fast network address translation"
	depends on IP_MULTIPLE_TABLES
	help
	  If you say Y here, your router will be able to modify source and
	  destination addresses of packets that pass through it, in a manner
	  you specify. General information about Network Address Translation
	  can be gotten from the document
	  <http://www.csn.tu-chemnitz.de/~mha/linux-ip-nat/diplom/nat.html>.

config IP_ROUTE_MULTIPATH
	bool "IP: equal cost multipath"
	depends on IP_ADVANCED_ROUTER
	help
	  Normally, the routing tables specify a single action to be taken in
	  a deterministic manner for a given packet. If you say Y here
	  however, it becomes possible to attach several actions to a packet
	  pattern, in effect specifying several alternative paths to travel
	  for those packets. The router considers all these paths to be of
	  equal "cost" and chooses one of them in a non-deterministic fashion
	  if a matching packet arrives.

config IP_ROUTE_TOS
	bool "IP: use TOS value as routing key"
	depends on IP_ADVANCED_ROUTER
	help
	  The header of every IP packet carries a TOS (Type Of Service) value
	  with which the packet requests a certain treatment, e.g. low
	  latency (for interactive traffic), high throughput, or high
	  reliability. If you say Y here, you will be able to specify
	  different routes for packets with different TOS values.

config IP_ROUTE_VERBOSE
	bool "IP: verbose route monitoring"
	depends on IP_ADVANCED_ROUTER
	help
	  If you say Y here, which is recommended, then the kernel will print
	  verbose messages regarding the routing, for example warnings about
	  received packets which look strange and could be evidence of an
	  attack or a misconfigured system somewhere. The information is
	  handled by the klogd daemon which is responsible for kernel messages
	  ("man klogd").

config IP_PNP
	bool "IP: kernel level autoconfiguration"
	depends on INET
	help
	  This enables automatic configuration of IP addresses of devices and
	  of the routing table during kernel boot, based on either information
	  supplied on the kernel command line or by BOOTP or RARP protocols.
	  You need to say Y only for diskless machines requiring network
	  access to boot (in which case you want to say Y to "Root file system
	  on NFS" as well), because all other machines configure the network
	  in their startup scripts.

config IP_PNP_DHCP
	bool "IP: DHCP support"
	depends on IP_PNP
	---help---
	  If you want your Linux box to mount its whole root file system (the
	  one containing the directory /) from some other computer over the
	  net via NFS and you want the IP address of your computer to be
	  discovered automatically at boot time using the DHCP protocol (a
	  special protocol designed for doing this job), say Y here. In case
	  the boot ROM of your network card was designed for booting Linux and
	  does DHCP itself, providing all necessary information on the kernel
	  command line, you can say N here.

	  If unsure, say Y. Note that if you want to use DHCP, a DHCP server
	  must be operating on your network. Read
	  <file:Documentation/nfsroot.txt> for details.

config IP_PNP_BOOTP
	bool "IP: BOOTP support"
	depends on IP_PNP
	---help---
	  If you want your Linux box to mount its whole root file system (the
	  one containing the directory /) from some other computer over the
	  net via NFS and you want the IP address of your computer to be
	  discovered automatically at boot time using the BOOTP protocol (a
	  special protocol designed for doing this job), say Y here. In case
	  the boot ROM of your network card was designed for booting Linux and
	  does BOOTP itself, providing all necessary information on the kernel
	  command line, you can say N here. If unsure, say Y.
	  Note that if you want to use BOOTP, a BOOTP server must be operating
	  on your network. Read <file:Documentation/nfsroot.txt> for details.

config IP_PNP_RARP
	bool "IP: RARP support"
	depends on IP_PNP
	help
	  If you want your Linux box to mount its whole root file system (the
	  one containing the directory /) from some other computer over the
	  net via NFS and you want the IP address of your computer to be
	  discovered automatically at boot time using the RARP protocol (an
	  older protocol which is being obsoleted by BOOTP and DHCP), say Y
	  here. Note that if you want to use RARP, a RARP server must be
	  operating on your network. Read <file:Documentation/nfsroot.txt> for
	  details.

# not yet ready..
# bool ' IP: ARP support' CONFIG_IP_PNP_ARP
config NET_IPIP
	tristate "IP: tunneling"
	depends on INET
	select XFRM
	---help---
	  Tunneling means encapsulating data of one protocol type within
	  another protocol and sending it over a channel that understands the
	  encapsulating protocol. This particular tunneling driver implements
	  encapsulation of IP within IP, which sounds kind of pointless, but
	  can be useful if you want to make your (or some other) machine
	  appear on a different network than it physically is, or to use
	  mobile-IP facilities (allowing laptops to seamlessly move between
	  networks without changing their IP addresses; check out
	  <http://anchor.cs.binghamton.edu/~mobileip/LJ/index.html>).

	  Saying Y to this option will produce two modules ( = code which can
	  be inserted in and removed from the running kernel whenever you
	  want). Most people won't need this and can say N.

config NET_IPGRE
	tristate "IP: GRE tunnels over IP"
	depends on INET
	select XFRM
	help
	  Tunneling means encapsulating data of one protocol type within
	  another protocol and sending it over a channel that understands the
	  encapsulating protocol.
	  This particular tunneling driver implements
	  GRE (Generic Routing Encapsulation) and at this time allows
	  encapsulating of IPv4 or IPv6 over existing IPv4 infrastructure.
	  This driver is useful if the other endpoint is a Cisco router: Cisco
	  likes GRE much better than the other Linux tunneling driver ("IP
	  tunneling" above). In addition, GRE allows multicast redistribution
	  through the tunnel.

config NET_IPGRE_BROADCAST
	bool "IP: broadcast GRE over IP"
	depends on IP_MULTICAST && NET_IPGRE
	help
	  One application of GRE/IP is to construct a broadcast WAN (Wide Area
	  Network), which looks like a normal Ethernet LAN (Local Area
	  Network), but can be distributed all over the Internet. If you want
	  to do that, say Y here and to "IP multicast routing" below.

config IP_MROUTE
	bool "IP: multicast routing"
	depends on IP_MULTICAST
	help
	  This is used if you want your machine to act as a router for IP
	  packets that have several destination addresses. It is needed on the
	  MBONE, a high bandwidth network on top of the Internet which carries
	  audio and video broadcasts. In order to do that, you would most
	  likely run the program mrouted. Information about the multicast
	  capabilities of the various network cards is contained in
	  <file:Documentation/networking/multicast.txt>. If you haven't heard
	  about it, you don't need it.

config IP_PIMSM_V1
	bool "IP: PIM-SM version 1 support"
	depends on IP_MROUTE
	help
	  Kernel side support for Sparse Mode PIM (Protocol Independent
	  Multicast) version 1. This multicast routing protocol is used widely
	  because Cisco supports it. You need special software to use it
	  (pimd-v1). Please see <http://netweb.usc.edu/pim/> for more
	  information about PIM.

	  Say Y if you want to use PIM-SM v1. Note that you can say N here if
	  you just want to use Dense Mode PIM.

config IP_PIMSM_V2
	bool "IP: PIM-SM version 2 support"
	depends on IP_MROUTE
	help
	  Kernel side support for Sparse Mode PIM version 2. In order to use
	  this, you need an experimental routing daemon supporting it (pimd or
	  gated-5). This routing protocol is not used widely, so say N unless
	  you want to play with it.

config ARPD
	bool "IP: ARP daemon support (EXPERIMENTAL)"
	depends on INET && EXPERIMENTAL
	---help---
	  Normally, the kernel maintains an internal cache which maps IP
	  addresses to hardware addresses on the local network, so that
	  Ethernet/Token Ring/ etc. frames are sent to the proper address on
	  the physical networking layer. For small networks having a few
	  hundred directly connected hosts or less, keeping this address
	  resolution (ARP) cache inside the kernel works well. However,
	  maintaining an internal ARP cache does not work well for very large
	  switched networks, and will use a lot of kernel memory if TCP/IP
	  connections are made to many machines on the network.

	  If you say Y here, the kernel's internal ARP cache will never grow
	  to more than 256 entries (the oldest entries are expired in a LIFO
	  manner) and communication will be attempted with the user space ARP
	  daemon arpd. Arpd then answers the address resolution request either
	  from its own cache or by asking the net.

	  This code is experimental and also obsolete. If you want to use it,
	  you need to find a version of the daemon arpd on the net somewhere,
	  and you should also say Y to "Kernel/User network link driver",
	  below. If unsure, say N.

config INET_ECN
	bool "IP: TCP Explicit Congestion Notification support"
	depends on INET
	---help---
	  Explicit Congestion Notification (ECN) allows routers to notify
	  clients about network congestion, resulting in fewer dropped packets
	  and increased network performance.
	  This option adds ECN support to
	  the Linux kernel, as well as a sysctl (/proc/sys/net/ipv4/tcp_ecn)
	  which allows ECN support to be disabled at runtime.

	  Note that, on the Internet, there are many broken firewalls which
	  refuse connections from ECN-enabled machines, and it may be a while
	  before these firewalls are fixed. Until then, to access a site
	  behind such a firewall (some of which are major sites, at the time
	  of this writing) you will have to disable this option, either by
	  saying N now or by using the sysctl.

	  If in doubt, say N.

config SYN_COOKIES
	bool "IP: TCP syncookie support (disabled per default)"
	depends on INET
	---help---
	  Normal TCP/IP networking is open to an attack known as "SYN
	  flooding". This denial-of-service attack prevents legitimate remote
	  users from being able to connect to your computer during an ongoing
	  attack and requires very little work from the attacker, who can
	  operate from anywhere on the Internet.

	  SYN cookies provide protection against this type of attack. If you
	  say Y here, the TCP/IP stack will use a cryptographic challenge
	  protocol known as "SYN cookies" to enable legitimate users to
	  continue to connect, even when your machine is under attack. There
	  is no need for the legitimate users to change their TCP/IP software;
	  SYN cookies work transparently to them. For technical information
	  about SYN cookies, check out <http://cr.yp.to/syncookies.html>.

	  If you are SYN flooded, the source address reported by the kernel is
	  likely to have been forged by the attacker; it is only reported as
	  an aid in tracing the packets to their actual source and should not
	  be taken as absolute truth.

	  SYN cookies may prevent correct error reporting on clients when the
	  server is really overloaded. If this happens frequently, better turn
	  them off.

	  If you say Y here, note that SYN cookies aren't enabled by default;
	  you can enable them by saying Y to "/proc file system support" and
	  "Sysctl support" below and executing the command

	  echo 1 >/proc/sys/net/ipv4/tcp_syncookies

	  at boot time after the /proc file system has been mounted.

	  If unsure, say N.

config INET_AH
	tristate "IP: AH transformation"
	select XFRM
	select CRYPTO
	select CRYPTO_HMAC
	select CRYPTO_MD5
	select CRYPTO_SHA1
	---help---
	  Support for IPsec AH.

	  If unsure, say Y.

config INET_ESP
	tristate "IP: ESP transformation"
	select XFRM
	select CRYPTO
	select CRYPTO_HMAC
	select CRYPTO_MD5
	select CRYPTO_SHA1
	select CRYPTO_DES
	---help---
	  Support for IPsec ESP.

	  If unsure, say Y.

config INET_IPCOMP
	tristate "IP: IPComp transformation"
	select XFRM
	select CRYPTO
	select CRYPTO_DEFLATE
	---help---
	  Support for IP Payload Compression (RFC3173), typically needed
	  for IPsec.

	  If unsure, say Y.

source "net/ipv4/ipvs/Kconfig"
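
# Added example (not part of the kernel source): a POSIX shell audit of the runtime switches the help texts above refer to (ip_forward, conf/<device>/rp_filter, tcp_syncookies).
# The function names and the optional ROOT argument are assumptions made for this example, as is reading a missing tcp_syncookies file as CONFIG_SYN_COOKIES=n.

```shell
#!/bin/sh
# Added example: report the state of the /proc/sys/net/ipv4 knobs named in the
# help texts. ROOT defaults to the live tree; pass a constructed directory to
# run the audit offline against sample values.

# read_knob FILE -> prints the value, or "absent" when the file does not exist
read_knob() {
    if [ -r "$1" ]; then tr -d ' \t\n' < "$1"; else printf 'absent'; fi
}

# audit_ipv4 [ROOT] -> one finding per line on stdout; returns 1 if any finding
audit_ipv4() {
    root=${1:-/proc/sys/net/ipv4}
    findings=0
    note() { printf '%s\n' "$1"; findings=$((findings + 1)); }

    fwd=$(read_knob "$root/ip_forward")

    # SYN_COOKIES=y only compiles the code in; the sysctl still has to be set.
    case $(read_knob "$root/tcp_syncookies") in
        absent) note "SYNCOOKIES: sysctl missing (assumed: CONFIG_SYN_COOKIES=n)" ;;
        0)      note "SYNCOOKIES: compiled in but not enabled (the default)" ;;
    esac

    # Flag every conf/<device> entry (including "all") with rp_filter off, and
    # say so explicitly when the box is also forwarding packets.
    for f in "$root"/conf/*/rp_filter; do
        [ -r "$f" ] || continue
        dev=$(basename "$(dirname "$f")")
        if [ "$(read_knob "$f")" = 0 ]; then
            if [ "$fwd" = 1 ]; then
                note "RPFILTER: off on $dev while ip_forward=1"
            else
                note "RPFILTER: off on $dev"
            fi
        fi
    done
    [ "$findings" -eq 0 ]
}

# Usage on a running system:  audit_ipv4 || echo "review the findings above"
```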

