5 prompt "Choose IP: FIB lookup""
12 Current FIB is very proven and good enough for most users.
17 Use new experimental LC-trie as FIB lookup algoritm.
18 This improves lookup performance
20 LC-trie is described in:
22 IP-address lookup using LC-tries. Stefan Nilsson and Gunnar Karlsson
23 IEEE Journal on Selected Areas in Communications, 17(6):1083-1092, June 1999
24 An experimental study of compression methods for dynamic tries
25 Stefan Nilsson and Matti Tikkanen. Algorithmica, 33(1):19-33, 2002.
26 http://www.nada.kth.se/~snilsson/public/papers/dyntrie2/
31 bool "IP: multicasting"
34 This is code for addressing several networked computers at once,
35 enlarging your kernel by about 2 KB. You need multicasting if you
36 intend to participate in the MBONE, a high bandwidth network on top
37 of the Internet which carries audio and video broadcasts. More
38 information about the MBONE is on the WWW at
39 <http://www-itg.lbl.gov/mbone/>. Information about the multicast
40 capabilities of the various network cards is contained in
41 <file:Documentation/networking/multicast.txt>. For most people, it's
44 config IP_ADVANCED_ROUTER
45 bool "IP: advanced router"
48 If you intend to run your Linux box mostly as a router, i.e. as a
49 computer that forwards and redistributes network packets, say Y; you
50 will then be presented with several options that allow more precise
51 control about the routing process.
53 The answer to this question won't directly affect the kernel:
54 answering N will just cause the configurator to skip all the
55 questions about advanced routing.
57 Note that your box can only act as a router if you enable IP
58 forwarding in your kernel; you can do that by saying Y to "/proc
59 file system support" and "Sysctl support" below and executing the
62 echo "1" > /proc/sys/net/ipv4/ip_forward
64 at boot time after the /proc file system has been mounted.
66 If you turn on IP forwarding, you will also get the rp_filter, which
67 automatically rejects incoming packets if the routing table entry
68 for their source address doesn't match the network interface they're
69 arriving on. This has security advantages because it prevents the
70 so-called IP spoofing, however it can pose problems if you use
71 asymmetric routing (packets from you to a host take a different path
72 than packets from that host to you) or if you operate a non-routing
73 host which has several IP addresses on different interfaces. To turn
76 echo 0 > /proc/sys/net/ipv4/conf/<device>/rp_filter
78 echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
80 If unsure, say N here.
82 config IP_MULTIPLE_TABLES
83 bool "IP: policy routing"
84 depends on IP_ADVANCED_ROUTER
86 Normally, a router decides what to do with a received packet based
87 solely on the packet's final destination address. If you say Y here,
88 the Linux router will also be able to take the packet's source
89 address into account. Furthermore, the TOS (Type-Of-Service) field
90 of the packet can be used for routing decisions as well.
92 If you are interested in this, please see the preliminary
93 documentation at <http://www.compendium.com.ar/policy-routing.txt>
94 and <ftp://post.tepkom.ru/pub/vol2/Linux/docs/advanced-routing.tex>.
95 You will need supporting software from
96 <ftp://ftp.tux.org/pub/net/ip-routing/>.
100 config IP_ROUTE_FWMARK
101 bool "IP: use netfilter MARK value as routing key"
102 depends on IP_MULTIPLE_TABLES && NETFILTER
104 If you say Y here, you will be able to specify different routes for
105 packets with different mark values (see iptables(8), MARK target).
107 config IP_ROUTE_MULTIPATH
108 bool "IP: equal cost multipath"
109 depends on IP_ADVANCED_ROUTER
111 Normally, the routing tables specify a single action to be taken in
112 a deterministic manner for a given packet. If you say Y here
113 however, it becomes possible to attach several actions to a packet
114 pattern, in effect specifying several alternative paths to travel
115 for those packets. The router considers all these paths to be of
116 equal "cost" and chooses one of them in a non-deterministic fashion
117 if a matching packet arrives.
119 config IP_ROUTE_MULTIPATH_CACHED
120 bool "IP: equal cost multipath with caching support (EXPERIMENTAL)"
121 depends on: IP_ROUTE_MULTIPATH
123 Normally, equal cost multipath routing is not supported by the
124 routing cache. If you say Y here, alternative routes are cached
125 and on cache lookup a route is chosen in a configurable fashion.
129 config IP_ROUTE_MULTIPATH_RR
130 tristate "MULTIPATH: round robin algorithm"
131 depends on IP_ROUTE_MULTIPATH_CACHED
133 Mulitpath routes are chosen according to Round Robin
135 config IP_ROUTE_MULTIPATH_RANDOM
136 tristate "MULTIPATH: random algorithm"
137 depends on IP_ROUTE_MULTIPATH_CACHED
139 Multipath routes are chosen in a random fashion. Actually,
140 there is no weight for a route. The advantage of this policy
141 is that it is implemented stateless and therefore introduces only
144 config IP_ROUTE_MULTIPATH_WRANDOM
145 tristate "MULTIPATH: weighted random algorithm"
146 depends on IP_ROUTE_MULTIPATH_CACHED
148 Multipath routes are chosen in a weighted random fashion.
149 The per route weights are the weights visible via ip route 2. As the
150 corresponding state management introduces some overhead routing delay
153 config IP_ROUTE_MULTIPATH_DRR
154 tristate "MULTIPATH: interface round robin algorithm"
155 depends on IP_ROUTE_MULTIPATH_CACHED
157 Connections are distributed in a round robin fashion over the
158 available interfaces. This policy makes sense if the connections
159 should be primarily distributed on interfaces and not on routes.
161 config IP_ROUTE_VERBOSE
162 bool "IP: verbose route monitoring"
163 depends on IP_ADVANCED_ROUTER
165 If you say Y here, which is recommended, then the kernel will print
166 verbose messages regarding the routing, for example warnings about
167 received packets which look strange and could be evidence of an
168 attack or a misconfigured system somewhere. The information is
169 handled by the klogd daemon which is responsible for kernel messages
173 bool "IP: kernel level autoconfiguration"
176 This enables automatic configuration of IP addresses of devices and
177 of the routing table during kernel boot, based on either information
178 supplied on the kernel command line or by BOOTP or RARP protocols.
179 You need to say Y only for diskless machines requiring network
180 access to boot (in which case you want to say Y to "Root file system
181 on NFS" as well), because all other machines configure the network
182 in their startup scripts.
185 bool "IP: DHCP support"
188 If you want your Linux box to mount its whole root file system (the
189 one containing the directory /) from some other computer over the
190 net via NFS and you want the IP address of your computer to be
191 discovered automatically at boot time using the DHCP protocol (a
192 special protocol designed for doing this job), say Y here. In case
193 the boot ROM of your network card was designed for booting Linux and
194 does DHCP itself, providing all necessary information on the kernel
195 command line, you can say N here.
197 If unsure, say Y. Note that if you want to use DHCP, a DHCP server
198 must be operating on your network. Read
199 <file:Documentation/nfsroot.txt> for details.
202 bool "IP: BOOTP support"
205 If you want your Linux box to mount its whole root file system (the
206 one containing the directory /) from some other computer over the
207 net via NFS and you want the IP address of your computer to be
208 discovered automatically at boot time using the BOOTP protocol (a
209 special protocol designed for doing this job), say Y here. In case
210 the boot ROM of your network card was designed for booting Linux and
211 does BOOTP itself, providing all necessary information on the kernel
212 command line, you can say N here. If unsure, say Y. Note that if you
213 want to use BOOTP, a BOOTP server must be operating on your network.
214 Read <file:Documentation/nfsroot.txt> for details.
217 bool "IP: RARP support"
220 If you want your Linux box to mount its whole root file system (the
221 one containing the directory /) from some other computer over the
222 net via NFS and you want the IP address of your computer to be
223 discovered automatically at boot time using the RARP protocol (an
224 older protocol which is being obsoleted by BOOTP and DHCP), say Y
225 here. Note that if you want to use RARP, a RARP server must be
226 operating on your network. Read <file:Documentation/nfsroot.txt> for
230 # bool ' IP: ARP support' CONFIG_IP_PNP_ARP
232 tristate "IP: tunneling"
236 Tunneling means encapsulating data of one protocol type within
237 another protocol and sending it over a channel that understands the
238 encapsulating protocol. This particular tunneling driver implements
239 encapsulation of IP within IP, which sounds kind of pointless, but
240 can be useful if you want to make your (or some other) machine
241 appear on a different network than it physically is, or to use
242 mobile-IP facilities (allowing laptops to seamlessly move between
243 networks without changing their IP addresses).
245 Saying Y to this option will produce two modules ( = code which can
246 be inserted in and removed from the running kernel whenever you
247 want). Most people won't need this and can say N.
250 tristate "IP: GRE tunnels over IP"
254 Tunneling means encapsulating data of one protocol type within
255 another protocol and sending it over a channel that understands the
256 encapsulating protocol. This particular tunneling driver implements
257 GRE (Generic Routing Encapsulation) and at this time allows
258 encapsulating of IPv4 or IPv6 over existing IPv4 infrastructure.
259 This driver is useful if the other endpoint is a Cisco router: Cisco
260 likes GRE much better than the other Linux tunneling driver ("IP
261 tunneling" above). In addition, GRE allows multicast redistribution
264 config NET_IPGRE_BROADCAST
265 bool "IP: broadcast GRE over IP"
266 depends on IP_MULTICAST && NET_IPGRE
268 One application of GRE/IP is to construct a broadcast WAN (Wide Area
269 Network), which looks like a normal Ethernet LAN (Local Area
270 Network), but can be distributed all over the Internet. If you want
271 to do that, say Y here and to "IP multicast routing" below.
274 bool "IP: multicast routing"
275 depends on IP_MULTICAST
277 This is used if you want your machine to act as a router for IP
278 packets that have several destination addresses. It is needed on the
279 MBONE, a high bandwidth network on top of the Internet which carries
280 audio and video broadcasts. In order to do that, you would most
281 likely run the program mrouted. Information about the multicast
282 capabilities of the various network cards is contained in
283 <file:Documentation/networking/multicast.txt>. If you haven't heard
284 about it, you don't need it.
287 bool "IP: PIM-SM version 1 support"
290 Kernel side support for Sparse Mode PIM (Protocol Independent
291 Multicast) version 1. This multicast routing protocol is used widely
292 because Cisco supports it. You need special software to use it
293 (pimd-v1). Please see <http://netweb.usc.edu/pim/> for more
294 information about PIM.
296 Say Y if you want to use PIM-SM v1. Note that you can say N here if
297 you just want to use Dense Mode PIM.
300 bool "IP: PIM-SM version 2 support"
303 Kernel side support for Sparse Mode PIM version 2. In order to use
304 this, you need an experimental routing daemon supporting it (pimd or
305 gated-5). This routing protocol is not used widely, so say N unless
306 you want to play with it.
309 bool "IP: ARP daemon support (EXPERIMENTAL)"
310 depends on INET && EXPERIMENTAL
312 Normally, the kernel maintains an internal cache which maps IP
313 addresses to hardware addresses on the local network, so that
314 Ethernet/Token Ring/ etc. frames are sent to the proper address on
315 the physical networking layer. For small networks having a few
316 hundred directly connected hosts or less, keeping this address
317 resolution (ARP) cache inside the kernel works well. However,
318 maintaining an internal ARP cache does not work well for very large
319 switched networks, and will use a lot of kernel memory if TCP/IP
320 connections are made to many machines on the network.
322 If you say Y here, the kernel's internal ARP cache will never grow
323 to more than 256 entries (the oldest entries are expired in a LIFO
324 manner) and communication will be attempted with the user space ARP
325 daemon arpd. Arpd then answers the address resolution request either
326 from its own cache or by asking the net.
328 This code is experimental and also obsolete. If you want to use it,
329 you need to find a version of the daemon arpd on the net somewhere,
330 and you should also say Y to "Kernel/User network link driver",
331 below. If unsure, say N.
334 bool "IP: TCP syncookie support (disabled per default)"
337 Normal TCP/IP networking is open to an attack known as "SYN
338 flooding". This denial-of-service attack prevents legitimate remote
339 users from being able to connect to your computer during an ongoing
340 attack and requires very little work from the attacker, who can
341 operate from anywhere on the Internet.
343 SYN cookies provide protection against this type of attack. If you
344 say Y here, the TCP/IP stack will use a cryptographic challenge
345 protocol known as "SYN cookies" to enable legitimate users to
346 continue to connect, even when your machine is under attack. There
347 is no need for the legitimate users to change their TCP/IP software;
348 SYN cookies work transparently to them. For technical information
349 about SYN cookies, check out <http://cr.yp.to/syncookies.html>.
351 If you are SYN flooded, the source address reported by the kernel is
352 likely to have been forged by the attacker; it is only reported as
353 an aid in tracing the packets to their actual source and should not
354 be taken as absolute truth.
356 SYN cookies may prevent correct error reporting on clients when the
357 server is really overloaded. If this happens frequently better turn
360 If you say Y here, note that SYN cookies aren't enabled by default;
361 you can enable them by saying Y to "/proc file system support" and
362 "Sysctl support" below and executing the command
364 echo 1 >/proc/sys/net/ipv4/tcp_syncookies
366 at boot time after the /proc file system has been mounted.
371 tristate "IP: AH transformation"
379 Support for IPsec AH.
384 tristate "IP: ESP transformation"
393 Support for IPsec ESP.
398 tristate "IP: IPComp transformation"
403 select CRYPTO_DEFLATE
405 Support for IP Payload Compression Protocol (IPComp) (RFC3173),
406 typically needed for IPsec.
411 tristate "IP: tunnel transformation"
415 Support for generic IP tunnel transformation, which is required by
416 the IP tunneling module as well as tunnel mode IPComp.
421 tristate "IP: TCP socket monitoring interface"
425 Support for TCP socket monitoring interface used by native Linux
426 tools such as ss. ss is included in iproute2, currently downloadable
427 at <http://developer.osdl.org/dev/iproute2>. If you want IPv6 support
428 and have selected IPv6 as a module, you need to build this as a
433 config IP_TCPDIAG_IPV6
434 def_bool (IP_TCPDIAG=y && IPV6=y) || (IP_TCPDIAG=m && IPV6)
436 source "net/ipv4/ipvs/Kconfig"