| blob | ab116cb70945a7064777b06a735da3a00310fd0d |
1 #
2 # IP configuration
3 #
4 config IP_MULTICAST
5 bool "IP: multicasting"
6 depends on INET
7 help
8 This is code for addressing several networked computers at once,
9 enlarging your kernel by about 2 KB. You need multicasting if you
10 intend to participate in the MBONE, a high bandwidth network on top
11 of the Internet which carries audio and video broadcasts. More
12 information about the MBONE is on the WWW at
13 <http://www-itg.lbl.gov/mbone/>. Information about the multicast
14 capabilities of the various network cards is contained in
15 <file:Documentation/networking/multicast.txt>. For most people, it's
16 safe to say N.
18 config IP_ADVANCED_ROUTER
19 bool "IP: advanced router"
20 depends on INET
21 ---help---
22 If you intend to run your Linux box mostly as a router, i.e. as a
23 computer that forwards and redistributes network packets, say Y; you
24 will then be presented with several options that allow more precise
25 control about the routing process.
27 The answer to this question won't directly affect the kernel:
28 answering N will just cause the configurator to skip all the
29 questions about advanced routing.
31 Note that your box can only act as a router if you enable IP
32 forwarding in your kernel; you can do that by saying Y to "/proc
33 file system support" and "Sysctl support" below and executing the
34 line
36 echo "1" > /proc/sys/net/ipv4/ip_forward
38 at boot time after the /proc file system has been mounted.
40 If you turn on IP forwarding, you will also get the rp_filter, which
41 automatically rejects incoming packets if the routing table entry
42 for their source address doesn't match the network interface they're
43 arriving on. This has security advantages because it prevents the
44 so-called IP spoofing, however it can pose problems if you use
45 asymmetric routing (packets from you to a host take a different path
46 than packets from that host to you) or if you operate a non-routing
47 host which has several IP addresses on different interfaces. To turn
48 rp_filter off use:
50 echo 0 > /proc/sys/net/ipv4/conf/<device>/rp_filter
51 or
52 echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
54 If unsure, say N here.
56 config IP_MULTIPLE_TABLES
57 bool "IP: policy routing"
58 depends on IP_ADVANCED_ROUTER
59 ---help---
60 Normally, a router decides what to do with a received packet based
61 solely on the packet's final destination address. If you say Y here,
62 the Linux router will also be able to take the packet's source
63 address into account. Furthermore, the TOS (Type-Of-Service) field
64 of the packet can be used for routing decisions as well.
66 If you are interested in this, please see the preliminary
67 documentation at <http://www.compendium.com.ar/policy-routing.txt>
68 and <ftp://post.tepkom.ru/pub/vol2/Linux/docs/advanced-routing.tex>.
69 You will need supporting software from
70 <ftp://ftp.tux.org/pub/net/ip-routing/>.
72 If unsure, say N.
74 config IP_ROUTE_FWMARK
75 bool "IP: use netfilter MARK value as routing key"
76 depends on IP_MULTIPLE_TABLES && NETFILTER
77 help
78 If you say Y here, you will be able to specify different routes for
79 packets with different mark values (see iptables(8), MARK target).
81 config IP_ROUTE_MULTIPATH
82 bool "IP: equal cost multipath"
83 depends on IP_ADVANCED_ROUTER
84 help
85 Normally, the routing tables specify a single action to be taken in
86 a deterministic manner for a given packet. If you say Y here
87 however, it becomes possible to attach several actions to a packet
88 pattern, in effect specifying several alternative paths to travel
89 for those packets. The router considers all these paths to be of
90 equal "cost" and chooses one of them in a non-deterministic fashion
91 if a matching packet arrives.
93 config IP_ROUTE_VERBOSE
94 bool "IP: verbose route monitoring"
95 depends on IP_ADVANCED_ROUTER
96 help
97 If you say Y here, which is recommended, then the kernel will print
98 verbose messages regarding the routing, for example warnings about
99 received packets which look strange and could be evidence of an
100 attack or a misconfigured system somewhere. The information is
101 handled by the klogd daemon which is responsible for kernel messages
102 ("man klogd").
104 config IP_PNP
105 bool "IP: kernel level autoconfiguration"
106 depends on INET
107 help
108 This enables automatic configuration of IP addresses of devices and
109 of the routing table during kernel boot, based on either information
110 supplied on the kernel command line or by BOOTP or RARP protocols.
111 You need to say Y only for diskless machines requiring network
112 access to boot (in which case you want to say Y to "Root file system
113 on NFS" as well), because all other machines configure the network
114 in their startup scripts.
116 config IP_PNP_DHCP
117 bool "IP: DHCP support"
118 depends on IP_PNP
119 ---help---
120 If you want your Linux box to mount its whole root file system (the
121 one containing the directory /) from some other computer over the
122 net via NFS and you want the IP address of your computer to be
123 discovered automatically at boot time using the DHCP protocol (a
124 special protocol designed for doing this job), say Y here. In case
125 the boot ROM of your network card was designed for booting Linux and
126 does DHCP itself, providing all necessary information on the kernel
127 command line, you can say N here.
129 If unsure, say Y. Note that if you want to use DHCP, a DHCP server
130 must be operating on your network. Read
131 <file:Documentation/nfsroot.txt> for details.
133 config IP_PNP_BOOTP
134 bool "IP: BOOTP support"
135 depends on IP_PNP
136 ---help---
137 If you want your Linux box to mount its whole root file system (the
138 one containing the directory /) from some other computer over the
139 net via NFS and you want the IP address of your computer to be
140 discovered automatically at boot time using the BOOTP protocol (a
141 special protocol designed for doing this job), say Y here. In case
142 the boot ROM of your network card was designed for booting Linux and
143 does BOOTP itself, providing all necessary information on the kernel
144 command line, you can say N here. If unsure, say Y. Note that if you
145 want to use BOOTP, a BOOTP server must be operating on your network.
146 Read <file:Documentation/nfsroot.txt> for details.
148 config IP_PNP_RARP
149 bool "IP: RARP support"
150 depends on IP_PNP
151 help
152 If you want your Linux box to mount its whole root file system (the
153 one containing the directory /) from some other computer over the
154 net via NFS and you want the IP address of your computer to be
155 discovered automatically at boot time using the RARP protocol (an
156 older protocol which is being obsoleted by BOOTP and DHCP), say Y
157 here. Note that if you want to use RARP, a RARP server must be
158 operating on your network. Read <file:Documentation/nfsroot.txt> for
159 details.
161 # not yet ready..
162 # bool ' IP: ARP support' CONFIG_IP_PNP_ARP
163 config NET_IPIP
164 tristate "IP: tunneling"
165 depends on INET
166 select INET_TUNNEL
167 ---help---
168 Tunneling means encapsulating data of one protocol type within
169 another protocol and sending it over a channel that understands the
170 encapsulating protocol. This particular tunneling driver implements
171 encapsulation of IP within IP, which sounds kind of pointless, but
172 can be useful if you want to make your (or some other) machine
173 appear on a different network than it physically is, or to use
174 mobile-IP facilities (allowing laptops to seamlessly move between
175 networks without changing their IP addresses).
177 Saying Y to this option will produce two modules ( = code which can
178 be inserted in and removed from the running kernel whenever you
179 want). Most people won't need this and can say N.
181 config NET_IPGRE
182 tristate "IP: GRE tunnels over IP"
183 depends on INET
184 select XFRM
185 help
186 Tunneling means encapsulating data of one protocol type within
187 another protocol and sending it over a channel that understands the
188 encapsulating protocol. This particular tunneling driver implements
189 GRE (Generic Routing Encapsulation) and at this time allows
190 encapsulating of IPv4 or IPv6 over existing IPv4 infrastructure.
191 This driver is useful if the other endpoint is a Cisco router: Cisco
192 likes GRE much better than the other Linux tunneling driver ("IP
193 tunneling" above). In addition, GRE allows multicast redistribution
194 through the tunnel.
196 config NET_IPGRE_BROADCAST
197 bool "IP: broadcast GRE over IP"
198 depends on IP_MULTICAST && NET_IPGRE
199 help
200 One application of GRE/IP is to construct a broadcast WAN (Wide Area
201 Network), which looks like a normal Ethernet LAN (Local Area
202 Network), but can be distributed all over the Internet. If you want
203 to do that, say Y here and to "IP multicast routing" below.
205 config IP_MROUTE
206 bool "IP: multicast routing"
207 depends on IP_MULTICAST
208 help
209 This is used if you want your machine to act as a router for IP
210 packets that have several destination addresses. It is needed on the
211 MBONE, a high bandwidth network on top of the Internet which carries
212 audio and video broadcasts. In order to do that, you would most
213 likely run the program mrouted. Information about the multicast
214 capabilities of the various network cards is contained in
215 <file:Documentation/networking/multicast.txt>. If you haven't heard
216 about it, you don't need it.
218 config IP_PIMSM_V1
219 bool "IP: PIM-SM version 1 support"
220 depends on IP_MROUTE
221 help
222 Kernel side support for Sparse Mode PIM (Protocol Independent
223 Multicast) version 1. This multicast routing protocol is used widely
224 because Cisco supports it. You need special software to use it
225 (pimd-v1). Please see <http://netweb.usc.edu/pim/> for more
226 information about PIM.
228 Say Y if you want to use PIM-SM v1. Note that you can say N here if
229 you just want to use Dense Mode PIM.
231 config IP_PIMSM_V2
232 bool "IP: PIM-SM version 2 support"
233 depends on IP_MROUTE
234 help
235 Kernel side support for Sparse Mode PIM version 2. In order to use
236 this, you need an experimental routing daemon supporting it (pimd or
237 gated-5). This routing protocol is not used widely, so say N unless
238 you want to play with it.
240 config ARPD
241 bool "IP: ARP daemon support (EXPERIMENTAL)"
242 depends on INET && EXPERIMENTAL
243 ---help---
244 Normally, the kernel maintains an internal cache which maps IP
245 addresses to hardware addresses on the local network, so that
246 Ethernet/Token Ring/ etc. frames are sent to the proper address on
247 the physical networking layer. For small networks having a few
248 hundred directly connected hosts or less, keeping this address
249 resolution (ARP) cache inside the kernel works well. However,
250 maintaining an internal ARP cache does not work well for very large
251 switched networks, and will use a lot of kernel memory if TCP/IP
252 connections are made to many machines on the network.
254 If you say Y here, the kernel's internal ARP cache will never grow
255 to more than 256 entries (the oldest entries are expired in a LIFO
256 manner) and communication will be attempted with the user space ARP
257 daemon arpd. Arpd then answers the address resolution request either
258 from its own cache or by asking the net.
260 This code is experimental and also obsolete. If you want to use it,
261 you need to find a version of the daemon arpd on the net somewhere,
262 and you should also say Y to "Kernel/User network link driver",
263 below. If unsure, say N.
265 config SYN_COOKIES
266 bool "IP: TCP syncookie support (disabled per default)"
267 depends on INET
268 ---help---
269 Normal TCP/IP networking is open to an attack known as "SYN
270 flooding". This denial-of-service attack prevents legitimate remote
271 users from being able to connect to your computer during an ongoing
272 attack and requires very little work from the attacker, who can
273 operate from anywhere on the Internet.
275 SYN cookies provide protection against this type of attack. If you
276 say Y here, the TCP/IP stack will use a cryptographic challenge
277 protocol known as "SYN cookies" to enable legitimate users to
278 continue to connect, even when your machine is under attack. There
279 is no need for the legitimate users to change their TCP/IP software;
280 SYN cookies work transparently to them. For technical information
281 about SYN cookies, check out <http://cr.yp.to/syncookies.html>.
283 If you are SYN flooded, the source address reported by the kernel is
284 likely to have been forged by the attacker; it is only reported as
285 an aid in tracing the packets to their actual source and should not
286 be taken as absolute truth.
288 SYN cookies may prevent correct error reporting on clients when the
289 server is really overloaded. If this happens frequently better turn
290 them off.
292 If you say Y here, note that SYN cookies aren't enabled by default;
293 you can enable them by saying Y to "/proc file system support" and
294 "Sysctl support" below and executing the command
296 echo 1 >/proc/sys/net/ipv4/tcp_syncookies
298 at boot time after the /proc file system has been mounted.
300 If unsure, say N.
302 config INET_AH
303 tristate "IP: AH transformation"
304 select XFRM
305 select CRYPTO
306 select CRYPTO_HMAC
307 select CRYPTO_MD5
308 select CRYPTO_SHA1
309 ---help---
310 Support for IPsec AH.
312 If unsure, say Y.
314 config INET_ESP
315 tristate "IP: ESP transformation"
316 select XFRM
317 select CRYPTO
318 select CRYPTO_HMAC
319 select CRYPTO_MD5
320 select CRYPTO_SHA1
321 select CRYPTO_DES
322 ---help---
323 Support for IPsec ESP.
325 If unsure, say Y.
327 config INET_IPCOMP
328 tristate "IP: IPComp transformation"
329 select XFRM
330 select INET_TUNNEL
331 select CRYPTO
332 select CRYPTO_DEFLATE
333 ---help---
334 Support for IP Paylod Compression (RFC3173), typically needed
335 for IPsec.
337 If unsure, say Y.
339 config INET_TUNNEL
340 tristate "IP: tunnel transformation"
341 select XFRM
342 ---help---
343 Support for generic IP tunnel transformation, which is required by
344 the IP tunneling module as well as tunnel mode IPComp.
346 If unsure, say Y.
348 source "net/ipv4/ipvs/Kconfig"