bool "IP: multicasting"

This is code for addressing several networked computers at once,
enlarging your kernel by about 2 KB. You need multicasting if you
intend to participate in the MBONE, a high bandwidth network on top
of the Internet which carries audio and video broadcasts. More
information about the MBONE is on the WWW at
<http://www-itg.lbl.gov/mbone/>. Information about the multicast
capabilities of the various network cards is contained in
<file:Documentation/networking/multicast.txt>. For most people, it's

config IP_ADVANCED_ROUTER
bool "IP: advanced router"

If you intend to run your Linux box mostly as a router, i.e. as a
computer that forwards and redistributes network packets, say Y; you
will then be presented with several options that allow more precise
control over the routing process.

The answer to this question won't directly affect the kernel:
answering N will just cause the configurator to skip all the
questions about advanced routing.

Note that your box can only act as a router if you enable IP
forwarding in your kernel; you can do that by saying Y to "/proc
file system support" and "Sysctl support" below and executing the

echo "1" > /proc/sys/net/ipv4/ip_forward

at boot time after the /proc file system has been mounted.

If you turn on IP forwarding, you will also get the rp_filter, which
automatically rejects incoming packets if the routing table entry
for their source address doesn't match the network interface they're
arriving on. This has security advantages because it prevents
so-called IP spoofing; however, it can pose problems if you use
asymmetric routing (packets from you to a host take a different path
than packets from that host to you) or if you operate a non-routing
host which has several IP addresses on different interfaces. To turn

echo 0 > /proc/sys/net/ipv4/conf/<device>/rp_filter

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter

If unsure, say N here.
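
Added example (not part of the kernel source): a user-space C model of the reverse-path check that the rp_filter paragraph above describes, including the asymmetric-routing case it warns about. The routing table, interface names, addresses and the helper names route_dev and rp_filter_accept are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed routing table: prefix/len -> interface used to reach it. */
struct route { uint32_t prefix; int len; const char *dev; };

static const struct route table[] = {
    { 0x0A000000u,  8, "eth1" },  /* 10.0.0.0/8     internal LAN  */
    { 0xC0A80100u, 24, "eth2" },  /* 192.168.1.0/24 second uplink */
    { 0x00000000u,  0, "eth0" },  /* default route  external link */
};

/* Longest-prefix match: the interface a reply to addr would leave on. */
static const char *route_dev(uint32_t addr)
{
    const struct route *best = NULL;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        uint32_t mask = table[i].len ? ~0u << (32 - table[i].len) : 0;
        if ((addr & mask) == table[i].prefix &&
            (!best || table[i].len > best->len))
            best = &table[i];
    }
    return best ? best->dev : NULL;
}

/* Model of the check (hypothetical helper): with the filter on, accept a
 * packet only if the route back to its source uses the arrival interface. */
static int rp_filter_accept(uint32_t src, const char *in_dev, int rp_filter)
{
    const char *back = route_dev(src);
    if (!rp_filter)
        return 1;
    return back != NULL && strcmp(back, in_dev) == 0;
}

int main(void)
{
    /* Spoofed internal source arriving on the external link: dropped. */
    printf("%d\n", rp_filter_accept(0x0A010203u, "eth0", 1));
    /* Same source arriving on the internal LAN: accepted. */
    printf("%d\n", rp_filter_accept(0x0A010203u, "eth1", 1));
    /* Asymmetric path: 192.168.1.5 is routed via eth2 but arrives on eth0. */
    printf("%d\n", rp_filter_accept(0xC0A80105u, "eth0", 1));
    /* Same packet with rp_filter turned off. */
    printf("%d\n", rp_filter_accept(0xC0A80105u, "eth0", 0));
    return 0;
}
```

The third case is the legitimate-but-asymmetric packet that the filter rejects, which is why the help text mentions turning rp_filter off on such hosts.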

config IP_MULTIPLE_TABLES
bool "IP: policy routing"
depends on IP_ADVANCED_ROUTER

Normally, a router decides what to do with a received packet based
solely on the packet's final destination address. If you say Y here,
the Linux router will also be able to take the packet's source
address into account. Furthermore, if you also say Y to "Use TOS
value as routing key" below, the TOS (Type-Of-Service) field of the
packet can be used for routing decisions as well. In addition, if
you say Y here and to "Fast network address translation" below,
the router will also be able to modify source and destination
addresses of forwarded packets.

If you are interested in this, please see the preliminary
documentation at <http://www.compendium.com.ar/policy-routing.txt>
and <ftp://post.tepkom.ru/pub/vol2/Linux/docs/advanced-routing.tex>.
You will need supporting software from
<ftp://ftp.tux.org/pub/net/ip-routing/>.

config IP_ROUTE_FWMARK
bool "IP: use netfilter MARK value as routing key"
depends on IP_MULTIPLE_TABLES && NETFILTER

If you say Y here, you will be able to specify different routes for
packets with different mark values (see iptables(8), MARK target).

bool "IP: fast network address translation"
depends on IP_MULTIPLE_TABLES

If you say Y here, your router will be able to modify source and
destination addresses of packets that pass through it, in a manner
you specify. General information about Network Address Translation
can be gotten from the document
<http://www.hasenstein.com/linux-ip-nat/diplom/nat.html>.

config IP_ROUTE_MULTIPATH
bool "IP: equal cost multipath"
depends on IP_ADVANCED_ROUTER

Normally, the routing tables specify a single action to be taken in
a deterministic manner for a given packet. If you say Y here
however, it becomes possible to attach several actions to a packet
pattern, in effect specifying several alternative paths to travel
for those packets. The router considers all these paths to be of
equal "cost" and chooses one of them in a non-deterministic fashion
if a matching packet arrives.

bool "IP: use TOS value as routing key"
depends on IP_ADVANCED_ROUTER

The header of every IP packet carries a TOS (Type Of Service) value
with which the packet requests a certain treatment, e.g. low
latency (for interactive traffic), high throughput, or high
reliability. If you say Y here, you will be able to specify
different routes for packets with different TOS values.

config IP_ROUTE_VERBOSE
bool "IP: verbose route monitoring"
depends on IP_ADVANCED_ROUTER

If you say Y here, which is recommended, then the kernel will print
verbose messages regarding the routing, for example warnings about
received packets which look strange and could be evidence of an
attack or a misconfigured system somewhere. The information is
handled by the klogd daemon which is responsible for kernel messages

bool "IP: kernel level autoconfiguration"

This enables automatic configuration of IP addresses of devices and
of the routing table during kernel boot, based on either information
supplied on the kernel command line or by BOOTP or RARP protocols.
You need to say Y only for diskless machines requiring network
access to boot (in which case you want to say Y to "Root file system
on NFS" as well), because all other machines configure the network
in their startup scripts.

bool "IP: DHCP support"

If you want your Linux box to mount its whole root file system (the
one containing the directory /) from some other computer over the
net via NFS and you want the IP address of your computer to be
discovered automatically at boot time using the DHCP protocol (a
special protocol designed for doing this job), say Y here. In case
the boot ROM of your network card was designed for booting Linux and
does DHCP itself, providing all necessary information on the kernel
command line, you can say N here.

If unsure, say Y. Note that if you want to use DHCP, a DHCP server
must be operating on your network. Read
<file:Documentation/nfsroot.txt> for details.

bool "IP: BOOTP support"

If you want your Linux box to mount its whole root file system (the
one containing the directory /) from some other computer over the
net via NFS and you want the IP address of your computer to be
discovered automatically at boot time using the BOOTP protocol (a
special protocol designed for doing this job), say Y here. In case
the boot ROM of your network card was designed for booting Linux and
does BOOTP itself, providing all necessary information on the kernel
command line, you can say N here. If unsure, say Y. Note that if you
want to use BOOTP, a BOOTP server must be operating on your network.
Read <file:Documentation/nfsroot.txt> for details.

bool "IP: RARP support"

If you want your Linux box to mount its whole root file system (the
one containing the directory /) from some other computer over the
net via NFS and you want the IP address of your computer to be
discovered automatically at boot time using the RARP protocol (an
older protocol which is being obsoleted by BOOTP and DHCP), say Y
here. Note that if you want to use RARP, a RARP server must be
operating on your network. Read <file:Documentation/nfsroot.txt> for

# bool ' IP: ARP support' CONFIG_IP_PNP_ARP

tristate "IP: tunneling"

Tunneling means encapsulating data of one protocol type within
another protocol and sending it over a channel that understands the
encapsulating protocol. This particular tunneling driver implements
encapsulation of IP within IP, which sounds kind of pointless, but
can be useful if you want to make your (or some other) machine
appear on a different network than it physically is, or to use
mobile-IP facilities (allowing laptops to seamlessly move between
networks without changing their IP addresses).

Saying Y to this option will produce two modules (= code which can
be inserted in and removed from the running kernel whenever you
want). Most people won't need this and can say N.

tristate "IP: GRE tunnels over IP"

Tunneling means encapsulating data of one protocol type within
another protocol and sending it over a channel that understands the
encapsulating protocol. This particular tunneling driver implements
GRE (Generic Routing Encapsulation) and at this time allows
encapsulating of IPv4 or IPv6 over existing IPv4 infrastructure.
This driver is useful if the other endpoint is a Cisco router: Cisco
likes GRE much better than the other Linux tunneling driver ("IP
tunneling" above). In addition, GRE allows multicast redistribution

config NET_IPGRE_BROADCAST
bool "IP: broadcast GRE over IP"
depends on IP_MULTICAST && NET_IPGRE

One application of GRE/IP is to construct a broadcast WAN (Wide Area
Network), which looks like a normal Ethernet LAN (Local Area
Network), but can be distributed all over the Internet. If you want
to do that, say Y here and to "IP multicast routing" below.

bool "IP: multicast routing"
depends on IP_MULTICAST

This is used if you want your machine to act as a router for IP
packets that have several destination addresses. It is needed on the
MBONE, a high bandwidth network on top of the Internet which carries
audio and video broadcasts. In order to do that, you would most
likely run the program mrouted. Information about the multicast
capabilities of the various network cards is contained in
<file:Documentation/networking/multicast.txt>. If you haven't heard
about it, you don't need it.

bool "IP: PIM-SM version 1 support"

Kernel side support for Sparse Mode PIM (Protocol Independent
Multicast) version 1. This multicast routing protocol is used widely
because Cisco supports it. You need special software to use it
(pimd-v1). Please see <http://netweb.usc.edu/pim/> for more
information about PIM.

Say Y if you want to use PIM-SM v1. Note that you can say N here if
you just want to use Dense Mode PIM.

bool "IP: PIM-SM version 2 support"

Kernel side support for Sparse Mode PIM version 2. In order to use
this, you need an experimental routing daemon supporting it (pimd or
gated-5). This routing protocol is not used widely, so say N unless
you want to play with it.

bool "IP: ARP daemon support (EXPERIMENTAL)"
depends on INET && EXPERIMENTAL

Normally, the kernel maintains an internal cache which maps IP
addresses to hardware addresses on the local network, so that
Ethernet, Token Ring, etc. frames are sent to the proper address on
the physical networking layer. For small networks having a few
hundred directly connected hosts or fewer, keeping this address
resolution (ARP) cache inside the kernel works well. However,
maintaining an internal ARP cache does not work well for very large
switched networks, and will use a lot of kernel memory if TCP/IP
connections are made to many machines on the network.

If you say Y here, the kernel's internal ARP cache will never grow
to more than 256 entries (the oldest entries are expired in a LIFO
manner) and communication will be attempted with the user space ARP
daemon arpd. Arpd then answers the address resolution request either
from its own cache or by asking the net.

This code is experimental and also obsolete. If you want to use it,
you need to find a version of the daemon arpd on the net somewhere,
and you should also say Y to "Kernel/User network link driver",
below. If unsure, say N.

bool "IP: TCP syncookie support (disabled per default)"

Normal TCP/IP networking is open to an attack known as "SYN
flooding". This denial-of-service attack prevents legitimate remote
users from being able to connect to your computer during an ongoing
attack and requires very little work from the attacker, who can
operate from anywhere on the Internet.

SYN cookies provide protection against this type of attack. If you
say Y here, the TCP/IP stack will use a cryptographic challenge
protocol known as "SYN cookies" to enable legitimate users to
continue to connect, even when your machine is under attack. There
is no need for the legitimate users to change their TCP/IP software;
SYN cookies work transparently to them. For technical information
about SYN cookies, check out <http://cr.yp.to/syncookies.html>.

If you are SYN flooded, the source address reported by the kernel is
likely to have been forged by the attacker; it is only reported as
an aid in tracing the packets to their actual source and should not
be taken as absolute truth.

SYN cookies may prevent correct error reporting on clients when the
server is really overloaded. If this happens frequently better turn

If you say Y here, note that SYN cookies aren't enabled by default;
you can enable them by saying Y to "/proc file system support" and
"Sysctl support" below and executing the command

echo 1 >/proc/sys/net/ipv4/tcp_syncookies

at boot time after the /proc file system has been mounted.
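
Added example (not kernel code): a simplified user-space C model of the SYN cookie challenge described above, showing how a server can validate the final ACK without storing any state for the half-open connection. The 5/3/24-bit layout, the toy FNV-style mixer standing in for a real keyed cryptographic hash, and all names, keys and addresses are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_AGE 1u  /* accept the current and the previous time slot */
/* Connection 4-tuple as seen by the server (host byte order). */
struct flow { uint32_t saddr, daddr; uint16_t sport, dport; };

static const uint64_t KEY = 0x0123456789abcdefULL;  /* constructed secret */
static const struct flow SAMPLE = { 0xC6336407u, 0xC0000201u, 40000, 80 };

/* Toy keyed mixer (FNV-style), standing in for a real keyed cryptographic
 * hash: 24 bits bound to the flow, the time slot and the MSS index. */
static uint32_t mix(uint64_t key, const struct flow *f, uint32_t t, uint32_t mss)
{
    uint32_t w[5] = { f->saddr, f->daddr, ((uint32_t)f->sport << 16) | f->dport, t, mss };
    uint64_t h = key ^ 0xcbf29ce484222325ULL;
    for (int i = 0; i < 5; i++) {
        h = (h ^ w[i]) * 0x100000001b3ULL;
        h ^= h >> 29;
    }
    return (uint32_t)(h >> 20) & 0xFFFFFFu;
}

/* On SYN: put the state into the SYN-ACK sequence number, store nothing. */
static uint32_t make_cookie(uint64_t key, const struct flow *f, uint32_t t, uint32_t mss)
{
    return ((t & 31u) << 27) | ((mss & 7u) << 24) | mix(key, f, t, mss & 7u);
}

/* On the final ACK: recompute and compare; MSS index (0..7) or -1. */
static int check_cookie(uint64_t key, const struct flow *f, uint32_t now, uint32_t cookie)
{
    uint32_t mss = (cookie >> 24) & 7u;
    for (uint32_t age = 0; age <= MAX_AGE; age++) {
        uint32_t t = now - age;  /* candidate slot the cookie was issued in */
        if ((t & 31u) == cookie >> 27 &&
            mix(key, f, t, mss) == (cookie & 0xFFFFFFu))
            return (int)mss;
    }
    return -1;
}

int main(void)
{
    uint32_t c = make_cookie(KEY, &SAMPLE, 1000, 6);
    printf("fresh=%d stale=%d\n", check_cookie(KEY, &SAMPLE, 1001, c),
           check_cookie(KEY, &SAMPLE, 1005, c));
    return 0;
}
```

A client that never received the SYN-ACK, as with a forged source address, cannot produce an ACK that passes check_cookie without guessing the 24 keyed bits.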

tristate "IP: AH transformation"

Support for IPsec AH.

tristate "IP: ESP transformation"

Support for IPsec ESP.

tristate "IP: IPComp transformation"
select CRYPTO_DEFLATE

Support for IP Payload Compression (RFC3173), typically needed

bool "IP: TCP Multiple accept queues support"
depends on INET && NETFILTER

Support multiple accept queues per listening socket. If you say Y
here, multiple accept queues will be configured per listening

Each queue is mapped to a priority class. Incoming connection
requests can be classified (see iptables(8), MARK target), depending
on the packet's src/dest address or other parameters, into one of
the priority classes. The requests are then queued to the relevant

Each of the queues can be assigned a weight. The accept()ance
of packets is then scheduled in accordance with the weight
assigned to the priority class.

Be sure to enable "Network packet filtering" if you wish

source "net/ipv4/ipvs/Kconfig"

bool "ICMP: ICMP Ping-of-Death (Emulab)"
depends on INET && SYSCTL

Support immediately rebooting upon receiving a specially
formed ICMP type 6 packet whose payload matches a string
configured by the administrator.