5 bool "IP: multicasting"
8 This is code for addressing several networked computers at once,
9 enlarging your kernel by about 2 KB. You need multicasting if you
10 intend to participate in the MBONE, a high bandwidth network on top
11 of the Internet which carries audio and video broadcasts. More
12 information about the MBONE is on the WWW at
13 <http://www-itg.lbl.gov/mbone/>. Information about the multicast
14 capabilities of the various network cards is contained in
15 <file:Documentation/networking/multicast.txt>. For most people, it's
18 config IP_ADVANCED_ROUTER
19 bool "IP: advanced router"
22 If you intend to run your Linux box mostly as a router, i.e. as a
23 computer that forwards and redistributes network packets, say Y; you
24 will then be presented with several options that allow more precise
25 control about the routing process.
27 The answer to this question won't directly affect the kernel:
28 answering N will just cause the configurator to skip all the
29 questions about advanced routing.
31 Note that your box can only act as a router if you enable IP
32 forwarding in your kernel; you can do that by saying Y to "/proc
33 file system support" and "Sysctl support" below and executing the
36 echo "1" > /proc/sys/net/ipv4/ip_forward
38 at boot time after the /proc file system has been mounted.
40 If you turn on IP forwarding, you will also get the rp_filter, which
41 automatically rejects incoming packets if the routing table entry
42 for their source address doesn't match the network interface they're
43 arriving on. This has security advantages because it prevents the
44 so-called IP spoofing, however it can pose problems if you use
45 asymmetric routing (packets from you to a host take a different path
46 than packets from that host to you) or if you operate a non-routing
47 host which has several IP addresses on different interfaces. To turn
50 echo 0 > /proc/sys/net/ipv4/conf/<device>/rp_filter
52 echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
54 If unsure, say N here.
56 config IP_MULTIPLE_TABLES
57 bool "IP: policy routing"
58 depends on IP_ADVANCED_ROUTER
60 Normally, a router decides what to do with a received packet based
61 solely on the packet's final destination address. If you say Y here,
62 the Linux router will also be able to take the packet's source
63 address into account. Furthermore, the TOS (Type-Of-Service) field
64 of the packet can be used for routing decisions as well.
66 If you are interested in this, please see the preliminary
67 documentation at <http://www.compendium.com.ar/policy-routing.txt>
68 and <ftp://post.tepkom.ru/pub/vol2/Linux/docs/advanced-routing.tex>.
69 You will need supporting software from
70 <ftp://ftp.tux.org/pub/net/ip-routing/>.
74 config IP_ROUTE_FWMARK
75 bool "IP: use netfilter MARK value as routing key"
76 depends on IP_MULTIPLE_TABLES && NETFILTER
78 If you say Y here, you will be able to specify different routes for
79 packets with different mark values (see iptables(8), MARK target).
81 config IP_ROUTE_MULTIPATH
82 bool "IP: equal cost multipath"
83 depends on IP_ADVANCED_ROUTER
85 Normally, the routing tables specify a single action to be taken in
86 a deterministic manner for a given packet. If you say Y here
87 however, it becomes possible to attach several actions to a packet
88 pattern, in effect specifying several alternative paths to travel
89 for those packets. The router considers all these paths to be of
90 equal "cost" and chooses one of them in a non-deterministic fashion
91 if a matching packet arrives.
93 config IP_ROUTE_VERBOSE
94 bool "IP: verbose route monitoring"
95 depends on IP_ADVANCED_ROUTER
97 If you say Y here, which is recommended, then the kernel will print
98 verbose messages regarding the routing, for example warnings about
99 received packets which look strange and could be evidence of an
100 attack or a misconfigured system somewhere. The information is
101 handled by the klogd daemon which is responsible for kernel messages
105 bool "IP: kernel level autoconfiguration"
108 This enables automatic configuration of IP addresses of devices and
109 of the routing table during kernel boot, based on either information
110 supplied on the kernel command line or by BOOTP or RARP protocols.
111 You need to say Y only for diskless machines requiring network
112 access to boot (in which case you want to say Y to "Root file system
113 on NFS" as well), because all other machines configure the network
114 in their startup scripts.
117 bool "IP: DHCP support"
120 If you want your Linux box to mount its whole root file system (the
121 one containing the directory /) from some other computer over the
122 net via NFS and you want the IP address of your computer to be
123 discovered automatically at boot time using the DHCP protocol (a
124 special protocol designed for doing this job), say Y here. In case
125 the boot ROM of your network card was designed for booting Linux and
126 does DHCP itself, providing all necessary information on the kernel
127 command line, you can say N here.
129 If unsure, say Y. Note that if you want to use DHCP, a DHCP server
130 must be operating on your network. Read
131 <file:Documentation/nfsroot.txt> for details.
134 bool "IP: BOOTP support"
137 If you want your Linux box to mount its whole root file system (the
138 one containing the directory /) from some other computer over the
139 net via NFS and you want the IP address of your computer to be
140 discovered automatically at boot time using the BOOTP protocol (a
141 special protocol designed for doing this job), say Y here. In case
142 the boot ROM of your network card was designed for booting Linux and
143 does BOOTP itself, providing all necessary information on the kernel
144 command line, you can say N here. If unsure, say Y. Note that if you
145 want to use BOOTP, a BOOTP server must be operating on your network.
146 Read <file:Documentation/nfsroot.txt> for details.
149 bool "IP: RARP support"
152 If you want your Linux box to mount its whole root file system (the
153 one containing the directory /) from some other computer over the
154 net via NFS and you want the IP address of your computer to be
155 discovered automatically at boot time using the RARP protocol (an
156 older protocol which is being obsoleted by BOOTP and DHCP), say Y
157 here. Note that if you want to use RARP, a RARP server must be
158 operating on your network. Read <file:Documentation/nfsroot.txt> for
162 # bool ' IP: ARP support' CONFIG_IP_PNP_ARP
164 tristate "IP: tunneling"
168 Tunneling means encapsulating data of one protocol type within
169 another protocol and sending it over a channel that understands the
170 encapsulating protocol. This particular tunneling driver implements
171 encapsulation of IP within IP, which sounds kind of pointless, but
172 can be useful if you want to make your (or some other) machine
173 appear on a different network than it physically is, or to use
174 mobile-IP facilities (allowing laptops to seamlessly move between
175 networks without changing their IP addresses).
177 Saying Y to this option will produce two modules ( = code which can
178 be inserted in and removed from the running kernel whenever you
179 want). Most people won't need this and can say N.
182 tristate "IP: GRE tunnels over IP"
186 Tunneling means encapsulating data of one protocol type within
187 another protocol and sending it over a channel that understands the
188 encapsulating protocol. This particular tunneling driver implements
189 GRE (Generic Routing Encapsulation) and at this time allows
190 encapsulating of IPv4 or IPv6 over existing IPv4 infrastructure.
191 This driver is useful if the other endpoint is a Cisco router: Cisco
192 likes GRE much better than the other Linux tunneling driver ("IP
193 tunneling" above). In addition, GRE allows multicast redistribution
196 config NET_IPGRE_BROADCAST
197 bool "IP: broadcast GRE over IP"
198 depends on IP_MULTICAST && NET_IPGRE
200 One application of GRE/IP is to construct a broadcast WAN (Wide Area
201 Network), which looks like a normal Ethernet LAN (Local Area
202 Network), but can be distributed all over the Internet. If you want
203 to do that, say Y here and to "IP multicast routing" below.
206 bool "IP: multicast routing"
207 depends on IP_MULTICAST
209 This is used if you want your machine to act as a router for IP
210 packets that have several destination addresses. It is needed on the
211 MBONE, a high bandwidth network on top of the Internet which carries
212 audio and video broadcasts. In order to do that, you would most
213 likely run the program mrouted. Information about the multicast
214 capabilities of the various network cards is contained in
215 <file:Documentation/networking/multicast.txt>. If you haven't heard
216 about it, you don't need it.
219 bool "IP: PIM-SM version 1 support"
222 Kernel side support for Sparse Mode PIM (Protocol Independent
223 Multicast) version 1. This multicast routing protocol is used widely
224 because Cisco supports it. You need special software to use it
225 (pimd-v1). Please see <http://netweb.usc.edu/pim/> for more
226 information about PIM.
228 Say Y if you want to use PIM-SM v1. Note that you can say N here if
229 you just want to use Dense Mode PIM.
232 bool "IP: PIM-SM version 2 support"
235 Kernel side support for Sparse Mode PIM version 2. In order to use
236 this, you need an experimental routing daemon supporting it (pimd or
237 gated-5). This routing protocol is not used widely, so say N unless
238 you want to play with it.
241 bool "IP: ARP daemon support (EXPERIMENTAL)"
242 depends on INET && EXPERIMENTAL
244 Normally, the kernel maintains an internal cache which maps IP
245 addresses to hardware addresses on the local network, so that
246 Ethernet/Token Ring/ etc. frames are sent to the proper address on
247 the physical networking layer. For small networks having a few
248 hundred directly connected hosts or less, keeping this address
249 resolution (ARP) cache inside the kernel works well. However,
250 maintaining an internal ARP cache does not work well for very large
251 switched networks, and will use a lot of kernel memory if TCP/IP
252 connections are made to many machines on the network.
254 If you say Y here, the kernel's internal ARP cache will never grow
255 to more than 256 entries (the oldest entries are expired in a LIFO
256 manner) and communication will be attempted with the user space ARP
257 daemon arpd. Arpd then answers the address resolution request either
258 from its own cache or by asking the net.
260 This code is experimental and also obsolete. If you want to use it,
261 you need to find a version of the daemon arpd on the net somewhere,
262 and you should also say Y to "Kernel/User network link driver",
263 below. If unsure, say N.
266 bool "IP: TCP syncookie support (disabled per default)"
269 Normal TCP/IP networking is open to an attack known as "SYN
270 flooding". This denial-of-service attack prevents legitimate remote
271 users from being able to connect to your computer during an ongoing
272 attack and requires very little work from the attacker, who can
273 operate from anywhere on the Internet.
275 SYN cookies provide protection against this type of attack. If you
276 say Y here, the TCP/IP stack will use a cryptographic challenge
277 protocol known as "SYN cookies" to enable legitimate users to
278 continue to connect, even when your machine is under attack. There
279 is no need for the legitimate users to change their TCP/IP software;
280 SYN cookies work transparently to them. For technical information
281 about SYN cookies, check out <http://cr.yp.to/syncookies.html>.
283 If you are SYN flooded, the source address reported by the kernel is
284 likely to have been forged by the attacker; it is only reported as
285 an aid in tracing the packets to their actual source and should not
286 be taken as absolute truth.
288 SYN cookies may prevent correct error reporting on clients when the
289 server is really overloaded. If this happens frequently better turn
292 If you say Y here, note that SYN cookies aren't enabled by default;
293 you can enable them by saying Y to "/proc file system support" and
294 "Sysctl support" below and executing the command
296 echo 1 >/proc/sys/net/ipv4/tcp_syncookies
298 at boot time after the /proc file system has been mounted.
303 tristate "IP: AH transformation"
311 Support for IPsec AH.
316 tristate "IP: ESP transformation"
325 Support for IPsec ESP.
330 tristate "IP: IPComp transformation"
335 select CRYPTO_DEFLATE
337 Support for IP Payload Compression Protocol (IPComp) (RFC3173),
338 typically needed for IPsec.
343 tristate "IP: tunnel transformation"
347 Support for generic IP tunnel transformation, which is required by
348 the IP tunneling module as well as tunnel mode IPComp.
353 tristate "IP: TCP socket monitoring interface"
357 Support for TCP socket monitoring interface used by native Linux
358 tools such as ss. ss is included in iproute2, currently downloadable
359 at <http://developer.osdl.org/dev/iproute2>. If you want IPv6 support
360 and have selected IPv6 as a module, you need to build this as a
365 config IP_TCPDIAG_IPV6
366 def_bool (IP_TCPDIAG=y && IPV6=y) || (IP_TCPDIAG=m && IPV6)
368 source "net/ipv4/ipvs/Kconfig"
git://git.onelab.eu / linux-2.6.git / blob