1
2
3
4
5menuconfig NET
6 bool "Networking support"
7 select NLATTR
8 select GENERIC_NET_UTILS
9 select BPF
10 ---help---
11 Unless you really know what you are doing, you should say Y here.
12 The reason is that some programs need kernel networking support even
13 when running on a stand-alone machine that isn't connected to any
14 other computer.
15
16 If you are upgrading from an older kernel, you
17 should consider updating your networking tools too because changes
18 in the kernel and the tools often go hand in hand. The tools are
19 contained in the package net-tools, the location and version number
20 of which are given in <file:Documentation/Changes>.
21
22 For a general introduction to Linux networking, it is highly
23 recommended to read the NET-HOWTO, available from
24 <http://www.tldp.org/docs.html
25
26if NET
27
28config WANT_COMPAT_NETLINK_MESSAGES
29 bool
30 help
31 This option can be selected by other options that need compat
32 netlink messages.
33
34config COMPAT_NETLINK_MESSAGES
35 def_bool y
36 depends on COMPAT
37 depends on WEXT_CORE || WANT_COMPAT_NETLINK_MESSAGES
38 help
39 This option makes it possible to send different netlink messages
40 to tasks depending on whether the task is a compat task or not. To
41 achieve this, you need to set skb_shinfo(skb)->frag_list to the
42 compat skb before sending the skb, the netlink code will sort out
43 which message to actually pass to the task.
44
45 Newly written code should NEVER need this option but do
46 compat-independent messages instead!
47
48config NET_INGRESS
49 bool
50
51config NET_EGRESS
52 bool
53
54config SKB_EXTENSIONS
55 bool
56
57menu "Networking options"
58
59source "net/packet/Kconfig"
60source "net/unix/Kconfig"
61source "net/tls/Kconfig"
62source "net/xfrm/Kconfig"
63source "net/iucv/Kconfig"
64source "net/smc/Kconfig"
65source "net/xdp/Kconfig"
66
67config INET
68 bool "TCP/IP networking"
69 select CRYPTO
70 select CRYPTO_AES
71 ---help---
72 These are the protocols used on the Internet and on most local
73 Ethernets. It is highly recommended to say Y here (this will enlarge
74 your kernel by about 400 KB), since some programs (e.g. the X window
75 system) use TCP/IP even if your machine is not connected to any
76 other computer. You will get the so-called loopback device which
77 allows you to ping yourself (great fun, that!).
78
79 For an excellent introduction to Linux networking, please read the
80 Linux Networking HOWTO, available from
81 <http://www.tldp.org/docs.html
82
83 If you say Y here and also to "/proc file system support" and
84 "Sysctl support" below, you can change various aspects of the
85 behavior of the TCP/IP code by writing to the (virtual) files in
86 /proc/sys/net/ipv4/*; the options are explained in the file
87 <file:Documentation/networking/ip-sysctl.txt>.
88
89 Short answer: say Y.
90
91if INET
92source "net/ipv4/Kconfig"
93source "net/ipv6/Kconfig"
94source "net/netlabel/Kconfig"
95
96endif
97
98config NETWORK_SECMARK
99 bool "Security Marking"
100 help
101 This enables security marking of network packets, similar
102 to nfmark, but designated for security purposes.
103 If you are unsure how to answer this question, answer N.
104
105config NET_PTP_CLASSIFY
106 def_bool n
107
108config NETWORK_PHY_TIMESTAMPING
109 bool "Timestamping in PHY devices"
110 select NET_PTP_CLASSIFY
111 help
112 This allows timestamping of network packets by PHYs with
113 hardware timestamping capabilities. This option adds some
114 overhead in the transmit and receive paths.
115
116 If you are unsure how to answer this question, answer N.
117
118menuconfig NETFILTER
119 bool "Network packet filtering framework (Netfilter)"
120 ---help---
121 Netfilter is a framework for filtering and mangling network packets
122 that pass through your Linux box.
123
124 The most common use of packet filtering is to run your Linux box as
125 a firewall protecting a local network from the Internet. The type of
126 firewall provided by this kernel support is called a "packet
127 filter", which means that it can reject individual network packets
128 based on type, source, destination etc. The other kind of firewall,
129 a "proxy-based" one, is more secure but more intrusive and more
130 bothersome to set up; it inspects the network traffic much more
131 closely, modifies it and has knowledge about the higher level
132 protocols, which a packet filter lacks. Moreover, proxy-based
133 firewalls often require changes to the programs running on the local
134 clients. Proxy-based firewalls don't need support by the kernel, but
135 they are often combined with a packet filter, which only works if
136 you say Y here.
137
138 You should also say Y here if you intend to use your Linux box as
139 the gateway to the Internet for a local network of machines without
140 globally valid IP addresses. This is called "masquerading": if one
141 of the computers on your local network wants to send something to
142 the outside, your box can "masquerade" as that computer, i.e. it
143 forwards the traffic to the intended outside destination, but
144 modifies the packets to make it look like they came from the
145 firewall box itself. It works both ways: if the outside host
146 replies, the Linux box will silently forward the traffic to the
147 correct local computer. This way, the computers on your local net
148 are completely invisible to the outside world, even though they can
149 reach the outside and can receive replies. It is even possible to
150 run globally visible servers from within a masqueraded local network
151 using a mechanism called portforwarding. Masquerading is also often
152 called NAT (Network Address Translation).
153
154 Another use of Netfilter is in transparent proxying: if a machine on
155 the local network tries to connect to an outside host, your Linux
156 box can transparently forward the traffic to a local server,
157 typically a caching proxy server.
158
159 Yet another use of Netfilter is building a bridging firewall. Using
160 a bridge with Network packet filtering enabled makes iptables "see"
161 the bridged traffic. For filtering on the lower network and Ethernet
162 protocols over the bridge, use ebtables (under bridge netfilter
163 configuration).
164
165 Various modules exist for netfilter which replace the previous
166 masquerading (ipmasqadm), packet filtering (ipchains), transparent
167 proxying, and portforwarding mechanisms. Please see
168 <file:Documentation/Changes> under "iptables" for the location of
169 these packages.
170
171if NETFILTER
172
173config NETFILTER_ADVANCED
174 bool "Advanced netfilter configuration"
175 depends on NETFILTER
176 default y
177 help
178 If you say Y here you can select between all the netfilter modules.
179 If you say N the more unusual ones will not be shown and the
180 basic ones needed by most people will default to 'M'.
181
182 If unsure, say Y.
183
184config BRIDGE_NETFILTER
185 tristate "Bridged IP/ARP packets filtering"
186 depends on BRIDGE
187 depends on NETFILTER && INET
188 depends on NETFILTER_ADVANCED
189 select NETFILTER_FAMILY_BRIDGE
190 default m
191 ---help---
192 Enabling this option will let arptables resp. iptables see bridged
193 ARP resp. IP traffic. If you want a bridging firewall, you probably
194 want this option enabled.
195 Enabling or disabling this option doesn't enable or disable
196 ebtables.
197
198 If unsure, say N.
199
200source "net/netfilter/Kconfig"
201source "net/ipv4/netfilter/Kconfig"
202source "net/ipv6/netfilter/Kconfig"
203source "net/decnet/netfilter/Kconfig"
204source "net/bridge/netfilter/Kconfig"
205
206endif
207
208source "net/bpfilter/Kconfig"
209
210source "net/dccp/Kconfig"
211source "net/sctp/Kconfig"
212source "net/rds/Kconfig"
213source "net/tipc/Kconfig"
214source "net/atm/Kconfig"
215source "net/l2tp/Kconfig"
216source "net/802/Kconfig"
217source "net/bridge/Kconfig"
218source "net/dsa/Kconfig"
219source "net/8021q/Kconfig"
220source "net/decnet/Kconfig"
221source "net/llc/Kconfig"
222source "drivers/net/appletalk/Kconfig"
223source "net/x25/Kconfig"
224source "net/lapb/Kconfig"
225source "net/phonet/Kconfig"
226source "net/6lowpan/Kconfig"
227source "net/ieee802154/Kconfig"
228source "net/mac802154/Kconfig"
229source "net/sched/Kconfig"
230source "net/dcb/Kconfig"
231source "net/dns_resolver/Kconfig"
232source "net/batman-adv/Kconfig"
233source "net/openvswitch/Kconfig"
234source "net/vmw_vsock/Kconfig"
235source "net/netlink/Kconfig"
236source "net/mpls/Kconfig"
237source "net/nsh/Kconfig"
238source "net/hsr/Kconfig"
239source "net/switchdev/Kconfig"
240source "net/l3mdev/Kconfig"
241source "net/qrtr/Kconfig"
242source "net/ncsi/Kconfig"
243
244config RPS
245 bool
246 depends on SMP && SYSFS
247 default y
248
249config RFS_ACCEL
250 bool
251 depends on RPS
252 select CPU_RMAP
253 default y
254
255config XPS
256 bool
257 depends on SMP
258 default y
259
260config HWBM
261 bool
262
263config CGROUP_NET_PRIO
264 bool "Network priority cgroup"
265 depends on CGROUPS
266 select SOCK_CGROUP_DATA
267 ---help---
268 Cgroup subsystem for use in assigning processes to network priorities on
269 a per-interface basis.
270
271config CGROUP_NET_CLASSID
272 bool "Network classid cgroup"
273 depends on CGROUPS
274 select SOCK_CGROUP_DATA
275 ---help---
276 Cgroup subsystem for use as general purpose socket classid marker that is
277 being used in cls_cgroup and for netfilter matching.
278
279config NET_RX_BUSY_POLL
280 bool
281 default y
282
283config BQL
284 bool
285 depends on SYSFS
286 select DQL
287 default y
288
289config BPF_JIT
290 bool "enable BPF Just In Time compiler"
291 depends on HAVE_CBPF_JIT || HAVE_EBPF_JIT
292 depends on MODULES
293 ---help---
294 Berkeley Packet Filter filtering capabilities are normally handled
295 by an interpreter. This option allows kernel to generate a native
296 code when filter is loaded in memory. This should speedup
297 packet sniffing (libpcap/tcpdump).
298
299 Note, admin should enable this feature changing:
300 /proc/sys/net/core/bpf_jit_enable
301 /proc/sys/net/core/bpf_jit_harden (optional)
302 /proc/sys/net/core/bpf_jit_kallsyms (optional)
303
304config BPF_STREAM_PARSER
305 bool "enable BPF STREAM_PARSER"
306 depends on INET
307 depends on BPF_SYSCALL
308 depends on CGROUP_BPF
309 select STREAM_PARSER
310 select NET_SOCK_MSG
311 ---help---
312 Enabling this allows a stream parser to be used with
313 BPF_MAP_TYPE_SOCKMAP.
314
315 BPF_MAP_TYPE_SOCKMAP provides a map type to use with network sockets.
316 It can be used to enforce socket policy, implement socket redirects,
317 etc.
318
319config NET_FLOW_LIMIT
320 bool
321 depends on RPS
322 default y
323 ---help---
324 The network stack has to drop packets when a receive processing CPU's
325 backlog reaches netdev_max_backlog. If a few out of many active flows
326 generate the vast majority of load, drop their traffic earlier to
327 maintain capacity for the other flows. This feature provides servers
328 with many clients some protection against DoS by a single (spoofed)
329 flow that greatly exceeds average workload.
330
331menu "Network testing"
332
333config NET_PKTGEN
334 tristate "Packet Generator (USE WITH CAUTION)"
335 depends on INET && PROC_FS
336 ---help---
337 This module will inject preconfigured packets, at a configurable
338 rate, out of a given interface. It is used for network interface
339 stress testing and performance analysis. If you don't understand
340 what was just said, you don't need it: say N.
341
342 Documentation on how to use the packet generator can be found
343 at <file:Documentation/networking/pktgen.txt>.
344
345 To compile this code as a module, choose M here: the
346 module will be called pktgen.
347
348config NET_DROP_MONITOR
349 tristate "Network packet drop alerting service"
350 depends on INET && TRACEPOINTS
351 ---help---
352 This feature provides an alerting service to userspace in the
353 event that packets are discarded in the network stack. Alerts
354 are broadcast via netlink socket to any listening user space
355 process. If you don't need network drop alerts, or if you are ok
356 just checking the various proc files and other utilities for
357 drop statistics, say N here.
358
359endmenu
360
361endmenu
362
363source "net/ax25/Kconfig"
364source "net/can/Kconfig"
365source "net/bluetooth/Kconfig"
366source "net/rxrpc/Kconfig"
367source "net/kcm/Kconfig"
368source "net/strparser/Kconfig"
369
370config FIB_RULES
371 bool
372
373menuconfig WIRELESS
374 bool "Wireless"
375 depends on !S390
376 default y
377
378if WIRELESS
379
380source "net/wireless/Kconfig"
381source "net/mac80211/Kconfig"
382
383endif
384
385source "net/wimax/Kconfig"
386
387source "net/rfkill/Kconfig"
388source "net/9p/Kconfig"
389source "net/caif/Kconfig"
390source "net/ceph/Kconfig"
391source "net/nfc/Kconfig"
392source "net/psample/Kconfig"
393source "net/ife/Kconfig"
394
395config LWTUNNEL
396 bool "Network light weight tunnels"
397 ---help---
398 This feature provides an infrastructure to support light weight
399 tunnels like mpls. There is no netdevice associated with a light
400 weight tunnel endpoint. Tunnel encapsulation parameters are stored
401 with light weight tunnel state associated with fib routes.
402
403config LWTUNNEL_BPF
404 bool "Execute BPF program as route nexthop action"
405 depends on LWTUNNEL && INET
406 default y if LWTUNNEL=y
407 ---help---
408 Allows to run BPF programs as a nexthop action following a route
409 lookup for incoming and outgoing packets.
410
411config DST_CACHE
412 bool
413 default n
414
415config GRO_CELLS
416 bool
417 default n
418
419config SOCK_VALIDATE_XMIT
420 bool
421
422config NET_SOCK_MSG
423 bool
424 default n
425 help
426 The NET_SOCK_MSG provides a framework for plain sockets (e.g. TCP) or
427 ULPs (upper layer modules, e.g. TLS) to process L7 application data
428 with the help of BPF programs.
429
430config NET_DEVLINK
431 bool
432 default n
433
434config PAGE_POOL
435 bool
436
437config FAILOVER
438 tristate "Generic failover module"
439 help
440 The failover module provides a generic interface for paravirtual
441 drivers to register a netdev and a set of ops with a failover
442 instance. The ops are used as event handlers that get called to
443 handle netdev register/unregister/link change/name change events
444 on slave pci ethernet devices with the same mac address as the
445 failover netdev. This enables paravirtual drivers to use a
446 VF as an accelerated low latency datapath. It also allows live
447 migration of VMs with direct attached VFs by failing over to the
448 paravirtual datapath when the VF is unplugged.
449
450endif
451
452
453
454
455
456
457config HAVE_CBPF_JIT
458 bool
459
460
461config HAVE_EBPF_JIT
462 bool
463
