1
2
3
4
5menuconfig NET
6 bool "Networking support"
7 select NLATTR
8 select GENERIC_NET_UTILS
9 select BPF
10 ---help---
11 Unless you really know what you are doing, you should say Y here.
12 The reason is that some programs need kernel networking support even
13 when running on a stand-alone machine that isn't connected to any
14 other computer.
15
16 If you are upgrading from an older kernel, you
17 should consider updating your networking tools too because changes
18 in the kernel and the tools often go hand in hand. The tools are
19 contained in the package net-tools, the location and version number
20 of which are given in <file:Documentation/Changes>.
21
22 For a general introduction to Linux networking, it is highly
23 recommended to read the NET-HOWTO, available from
24 <http://www.tldp.org/docs.html
25
26if NET
27
28config WANT_COMPAT_NETLINK_MESSAGES
29 bool
30 help
31 This option can be selected by other options that need compat
32 netlink messages.
33
34config COMPAT_NETLINK_MESSAGES
35 def_bool y
36 depends on COMPAT
37 depends on WEXT_CORE || WANT_COMPAT_NETLINK_MESSAGES
38 help
39 This option makes it possible to send different netlink messages
40 to tasks depending on whether the task is a compat task or not. To
41 achieve this, you need to set skb_shinfo(skb)->frag_list to the
42 compat skb before sending the skb, the netlink code will sort out
43 which message to actually pass to the task.
44
45 Newly written code should NEVER need this option but do
46 compat-independent messages instead!
47
48config NET_INGRESS
49 bool
50
51config NET_EGRESS
52 bool
53
54config NET_REDIRECT
55 bool
56
57config SKB_EXTENSIONS
58 bool
59
60menu "Networking options"
61
62source "net/packet/Kconfig"
63source "net/unix/Kconfig"
64source "net/tls/Kconfig"
65source "net/xfrm/Kconfig"
66source "net/iucv/Kconfig"
67source "net/smc/Kconfig"
68source "net/xdp/Kconfig"
69
70config INET
71 bool "TCP/IP networking"
72 select CRYPTO
73 select CRYPTO_AES
74 ---help---
75 These are the protocols used on the Internet and on most local
76 Ethernets. It is highly recommended to say Y here (this will enlarge
77 your kernel by about 400 KB), since some programs (e.g. the X window
78 system) use TCP/IP even if your machine is not connected to any
79 other computer. You will get the so-called loopback device which
80 allows you to ping yourself (great fun, that!).
81
82 For an excellent introduction to Linux networking, please read the
83 Linux Networking HOWTO, available from
84 <http://www.tldp.org/docs.html
85
86 If you say Y here and also to "/proc file system support" and
87 "Sysctl support" below, you can change various aspects of the
88 behavior of the TCP/IP code by writing to the (virtual) files in
89 /proc/sys/net/ipv4/*; the options are explained in the file
90 <file:Documentation/networking/ip-sysctl.txt>.
91
92 Short answer: say Y.
93
94if INET
95source "net/ipv4/Kconfig"
96source "net/ipv6/Kconfig"
97source "net/netlabel/Kconfig"
98source "net/mptcp/Kconfig"
99
100endif
101
102config NETWORK_SECMARK
103 bool "Security Marking"
104 help
105 This enables security marking of network packets, similar
106 to nfmark, but designated for security purposes.
107 If you are unsure how to answer this question, answer N.
108
109config NET_PTP_CLASSIFY
110 def_bool n
111
112config NETWORK_PHY_TIMESTAMPING
113 bool "Timestamping in PHY devices"
114 select NET_PTP_CLASSIFY
115 help
116 This allows timestamping of network packets by PHYs (or
117 other MII bus snooping devices) with hardware timestamping
118 capabilities. This option adds some overhead in the transmit
119 and receive paths.
120
121 If you are unsure how to answer this question, answer N.
122
123menuconfig NETFILTER
124 bool "Network packet filtering framework (Netfilter)"
125 ---help---
126 Netfilter is a framework for filtering and mangling network packets
127 that pass through your Linux box.
128
129 The most common use of packet filtering is to run your Linux box as
130 a firewall protecting a local network from the Internet. The type of
131 firewall provided by this kernel support is called a "packet
132 filter", which means that it can reject individual network packets
133 based on type, source, destination etc. The other kind of firewall,
134 a "proxy-based" one, is more secure but more intrusive and more
135 bothersome to set up; it inspects the network traffic much more
136 closely, modifies it and has knowledge about the higher level
137 protocols, which a packet filter lacks. Moreover, proxy-based
138 firewalls often require changes to the programs running on the local
139 clients. Proxy-based firewalls don't need support by the kernel, but
140 they are often combined with a packet filter, which only works if
141 you say Y here.
142
143 You should also say Y here if you intend to use your Linux box as
144 the gateway to the Internet for a local network of machines without
145 globally valid IP addresses. This is called "masquerading": if one
146 of the computers on your local network wants to send something to
147 the outside, your box can "masquerade" as that computer, i.e. it
148 forwards the traffic to the intended outside destination, but
149 modifies the packets to make it look like they came from the
150 firewall box itself. It works both ways: if the outside host
151 replies, the Linux box will silently forward the traffic to the
152 correct local computer. This way, the computers on your local net
153 are completely invisible to the outside world, even though they can
154 reach the outside and can receive replies. It is even possible to
155 run globally visible servers from within a masqueraded local network
156 using a mechanism called portforwarding. Masquerading is also often
157 called NAT (Network Address Translation).
158
159 Another use of Netfilter is in transparent proxying: if a machine on
160 the local network tries to connect to an outside host, your Linux
161 box can transparently forward the traffic to a local server,
162 typically a caching proxy server.
163
164 Yet another use of Netfilter is building a bridging firewall. Using
165 a bridge with Network packet filtering enabled makes iptables "see"
166 the bridged traffic. For filtering on the lower network and Ethernet
167 protocols over the bridge, use ebtables (under bridge netfilter
168 configuration).
169
170 Various modules exist for netfilter which replace the previous
171 masquerading (ipmasqadm), packet filtering (ipchains), transparent
172 proxying, and portforwarding mechanisms. Please see
173 <file:Documentation/Changes> under "iptables" for the location of
174 these packages.
175
176if NETFILTER
177
178config NETFILTER_ADVANCED
179 bool "Advanced netfilter configuration"
180 depends on NETFILTER
181 default y
182 help
183 If you say Y here you can select between all the netfilter modules.
184 If you say N the more unusual ones will not be shown and the
185 basic ones needed by most people will default to 'M'.
186
187 If unsure, say Y.
188
189config BRIDGE_NETFILTER
190 tristate "Bridged IP/ARP packets filtering"
191 depends on BRIDGE
192 depends on NETFILTER && INET
193 depends on NETFILTER_ADVANCED
194 select NETFILTER_FAMILY_BRIDGE
195 default m
196 ---help---
197 Enabling this option will let arptables resp. iptables see bridged
198 ARP resp. IP traffic. If you want a bridging firewall, you probably
199 want this option enabled.
200 Enabling or disabling this option doesn't enable or disable
201 ebtables.
202
203 If unsure, say N.
204
205source "net/netfilter/Kconfig"
206source "net/ipv4/netfilter/Kconfig"
207source "net/ipv6/netfilter/Kconfig"
208source "net/decnet/netfilter/Kconfig"
209source "net/bridge/netfilter/Kconfig"
210
211endif
212
213source "net/bpfilter/Kconfig"
214
215source "net/dccp/Kconfig"
216source "net/sctp/Kconfig"
217source "net/rds/Kconfig"
218source "net/tipc/Kconfig"
219source "net/atm/Kconfig"
220source "net/l2tp/Kconfig"
221source "net/802/Kconfig"
222source "net/bridge/Kconfig"
223source "net/dsa/Kconfig"
224source "net/8021q/Kconfig"
225source "net/decnet/Kconfig"
226source "net/llc/Kconfig"
227source "drivers/net/appletalk/Kconfig"
228source "net/x25/Kconfig"
229source "net/lapb/Kconfig"
230source "net/phonet/Kconfig"
231source "net/6lowpan/Kconfig"
232source "net/ieee802154/Kconfig"
233source "net/mac802154/Kconfig"
234source "net/sched/Kconfig"
235source "net/dcb/Kconfig"
236source "net/dns_resolver/Kconfig"
237source "net/batman-adv/Kconfig"
238source "net/openvswitch/Kconfig"
239source "net/vmw_vsock/Kconfig"
240source "net/netlink/Kconfig"
241source "net/mpls/Kconfig"
242source "net/nsh/Kconfig"
243source "net/hsr/Kconfig"
244source "net/switchdev/Kconfig"
245source "net/l3mdev/Kconfig"
246source "net/qrtr/Kconfig"
247source "net/ncsi/Kconfig"
248
249config RPS
250 bool
251 depends on SMP && SYSFS
252 default y
253
254config RFS_ACCEL
255 bool
256 depends on RPS
257 select CPU_RMAP
258 default y
259
260config XPS
261 bool
262 depends on SMP
263 default y
264
265config HWBM
266 bool
267
268config CGROUP_NET_PRIO
269 bool "Network priority cgroup"
270 depends on CGROUPS
271 select SOCK_CGROUP_DATA
272 ---help---
273 Cgroup subsystem for use in assigning processes to network priorities on
274 a per-interface basis.
275
276config CGROUP_NET_CLASSID
277 bool "Network classid cgroup"
278 depends on CGROUPS
279 select SOCK_CGROUP_DATA
280 ---help---
281 Cgroup subsystem for use as general purpose socket classid marker that is
282 being used in cls_cgroup and for netfilter matching.
283
284config NET_RX_BUSY_POLL
285 bool
286 default y
287
288config BQL
289 bool
290 depends on SYSFS
291 select DQL
292 default y
293
294config BPF_JIT
295 bool "enable BPF Just In Time compiler"
296 depends on HAVE_CBPF_JIT || HAVE_EBPF_JIT
297 depends on MODULES
298 ---help---
299 Berkeley Packet Filter filtering capabilities are normally handled
300 by an interpreter. This option allows kernel to generate a native
301 code when filter is loaded in memory. This should speedup
302 packet sniffing (libpcap/tcpdump).
303
304 Note, admin should enable this feature changing:
305 /proc/sys/net/core/bpf_jit_enable
306 /proc/sys/net/core/bpf_jit_harden (optional)
307 /proc/sys/net/core/bpf_jit_kallsyms (optional)
308
309config BPF_STREAM_PARSER
310 bool "enable BPF STREAM_PARSER"
311 depends on INET
312 depends on BPF_SYSCALL
313 depends on CGROUP_BPF
314 select STREAM_PARSER
315 select NET_SOCK_MSG
316 ---help---
317 Enabling this allows a stream parser to be used with
318 BPF_MAP_TYPE_SOCKMAP.
319
320 BPF_MAP_TYPE_SOCKMAP provides a map type to use with network sockets.
321 It can be used to enforce socket policy, implement socket redirects,
322 etc.
323
324config NET_FLOW_LIMIT
325 bool
326 depends on RPS
327 default y
328 ---help---
329 The network stack has to drop packets when a receive processing CPU's
330 backlog reaches netdev_max_backlog. If a few out of many active flows
331 generate the vast majority of load, drop their traffic earlier to
332 maintain capacity for the other flows. This feature provides servers
333 with many clients some protection against DoS by a single (spoofed)
334 flow that greatly exceeds average workload.
335
336menu "Network testing"
337
338config NET_PKTGEN
339 tristate "Packet Generator (USE WITH CAUTION)"
340 depends on INET && PROC_FS
341 ---help---
342 This module will inject preconfigured packets, at a configurable
343 rate, out of a given interface. It is used for network interface
344 stress testing and performance analysis. If you don't understand
345 what was just said, you don't need it: say N.
346
347 Documentation on how to use the packet generator can be found
348 at <file:Documentation/networking/pktgen.txt>.
349
350 To compile this code as a module, choose M here: the
351 module will be called pktgen.
352
353config NET_DROP_MONITOR
354 tristate "Network packet drop alerting service"
355 depends on INET && TRACEPOINTS
356 ---help---
357 This feature provides an alerting service to userspace in the
358 event that packets are discarded in the network stack. Alerts
359 are broadcast via netlink socket to any listening user space
360 process. If you don't need network drop alerts, or if you are ok
361 just checking the various proc files and other utilities for
362 drop statistics, say N here.
363
364endmenu
365
366endmenu
367
368source "net/ax25/Kconfig"
369source "net/can/Kconfig"
370source "net/bluetooth/Kconfig"
371source "net/rxrpc/Kconfig"
372source "net/kcm/Kconfig"
373source "net/strparser/Kconfig"
374
375config FIB_RULES
376 bool
377
378menuconfig WIRELESS
379 bool "Wireless"
380 depends on !S390
381 default y
382
383if WIRELESS
384
385source "net/wireless/Kconfig"
386source "net/mac80211/Kconfig"
387
388endif
389
390source "net/wimax/Kconfig"
391
392source "net/rfkill/Kconfig"
393source "net/9p/Kconfig"
394source "net/caif/Kconfig"
395source "net/ceph/Kconfig"
396source "net/nfc/Kconfig"
397source "net/psample/Kconfig"
398source "net/ife/Kconfig"
399
400config LWTUNNEL
401 bool "Network light weight tunnels"
402 ---help---
403 This feature provides an infrastructure to support light weight
404 tunnels like mpls. There is no netdevice associated with a light
405 weight tunnel endpoint. Tunnel encapsulation parameters are stored
406 with light weight tunnel state associated with fib routes.
407
408config LWTUNNEL_BPF
409 bool "Execute BPF program as route nexthop action"
410 depends on LWTUNNEL && INET
411 default y if LWTUNNEL=y
412 ---help---
413 Allows to run BPF programs as a nexthop action following a route
414 lookup for incoming and outgoing packets.
415
416config DST_CACHE
417 bool
418 default n
419
420config GRO_CELLS
421 bool
422 default n
423
424config SOCK_VALIDATE_XMIT
425 bool
426
427config NET_SOCK_MSG
428 bool
429 default n
430 help
431 The NET_SOCK_MSG provides a framework for plain sockets (e.g. TCP) or
432 ULPs (upper layer modules, e.g. TLS) to process L7 application data
433 with the help of BPF programs.
434
435config NET_DEVLINK
436 bool
437 default n
438 imply NET_DROP_MONITOR
439
440config PAGE_POOL
441 bool
442
443config FAILOVER
444 tristate "Generic failover module"
445 help
446 The failover module provides a generic interface for paravirtual
447 drivers to register a netdev and a set of ops with a failover
448 instance. The ops are used as event handlers that get called to
449 handle netdev register/unregister/link change/name change events
450 on slave pci ethernet devices with the same mac address as the
451 failover netdev. This enables paravirtual drivers to use a
452 VF as an accelerated low latency datapath. It also allows live
453 migration of VMs with direct attached VFs by failing over to the
454 paravirtual datapath when the VF is unplugged.
455
456endif
457
458
459
460
461
462
463config HAVE_CBPF_JIT
464 bool
465
466
467config HAVE_EBPF_JIT
468 bool
469
