mirror of
https://github.com/torvalds/linux
synced 2024-11-05 18:23:50 +00:00
984bc16cc9
Add a secmark field to the skbuff structure, to allow security subsystems to place security markings on network packets. This is similar to the nfmark field, except is intended for implementing security policy, rather than than networking policy. This patch was already acked in principle by Dave Miller. Signed-off-by: James Morris <jmorris@namei.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
254 lines
8.8 KiB
Text
254 lines
8.8 KiB
Text
#
|
|
# Network configuration
|
|
#
|
|
|
|
menu "Networking"
|
|
|
|
config NET
|
|
bool "Networking support"
|
|
---help---
|
|
Unless you really know what you are doing, you should say Y here.
|
|
The reason is that some programs need kernel networking support even
|
|
when running on a stand-alone machine that isn't connected to any
|
|
other computer.
|
|
|
|
If you are upgrading from an older kernel, you
|
|
should consider updating your networking tools too because changes
|
|
in the kernel and the tools often go hand in hand. The tools are
|
|
contained in the package net-tools, the location and version number
|
|
of which are given in <file:Documentation/Changes>.
|
|
|
|
For a general introduction to Linux networking, it is highly
|
|
recommended to read the NET-HOWTO, available from
|
|
<http://www.tldp.org/docs.html#howto>.
|
|
|
|
# Make sure that all config symbols are dependent on NET
|
|
if NET
|
|
|
|
menu "Networking options"
|
|
|
|
config NETDEBUG
|
|
bool "Network packet debugging"
|
|
help
|
|
You can say Y here if you want to get additional messages useful in
|
|
debugging bad packets, but can overwhelm logs under denial of service
|
|
attacks.
|
|
|
|
source "net/packet/Kconfig"
|
|
source "net/unix/Kconfig"
|
|
source "net/xfrm/Kconfig"
|
|
|
|
config INET
|
|
bool "TCP/IP networking"
|
|
---help---
|
|
These are the protocols used on the Internet and on most local
|
|
Ethernets. It is highly recommended to say Y here (this will enlarge
|
|
your kernel by about 144 KB), since some programs (e.g. the X window
|
|
system) use TCP/IP even if your machine is not connected to any
|
|
other computer. You will get the so-called loopback device which
|
|
allows you to ping yourself (great fun, that!).
|
|
|
|
For an excellent introduction to Linux networking, please read the
|
|
Linux Networking HOWTO, available from
|
|
<http://www.tldp.org/docs.html#howto>.
|
|
|
|
If you say Y here and also to "/proc file system support" and
|
|
"Sysctl support" below, you can change various aspects of the
|
|
behavior of the TCP/IP code by writing to the (virtual) files in
|
|
/proc/sys/net/ipv4/*; the options are explained in the file
|
|
<file:Documentation/networking/ip-sysctl.txt>.
|
|
|
|
Short answer: say Y.
|
|
|
|
if INET
|
|
source "net/ipv4/Kconfig"
|
|
source "net/ipv6/Kconfig"
|
|
|
|
endif # if INET
|
|
|
|
config NETWORK_SECMARK
|
|
bool "Security Marking"
|
|
help
|
|
This enables security marking of network packets, similar
|
|
to nfmark, but designated for security purposes.
|
|
If you are unsure how to answer this question, answer N.
|
|
|
|
menuconfig NETFILTER
|
|
bool "Network packet filtering (replaces ipchains)"
|
|
---help---
|
|
Netfilter is a framework for filtering and mangling network packets
|
|
that pass through your Linux box.
|
|
|
|
The most common use of packet filtering is to run your Linux box as
|
|
a firewall protecting a local network from the Internet. The type of
|
|
firewall provided by this kernel support is called a "packet
|
|
filter", which means that it can reject individual network packets
|
|
based on type, source, destination etc. The other kind of firewall,
|
|
a "proxy-based" one, is more secure but more intrusive and more
|
|
bothersome to set up; it inspects the network traffic much more
|
|
closely, modifies it and has knowledge about the higher level
|
|
protocols, which a packet filter lacks. Moreover, proxy-based
|
|
firewalls often require changes to the programs running on the local
|
|
clients. Proxy-based firewalls don't need support by the kernel, but
|
|
they are often combined with a packet filter, which only works if
|
|
you say Y here.
|
|
|
|
You should also say Y here if you intend to use your Linux box as
|
|
the gateway to the Internet for a local network of machines without
|
|
globally valid IP addresses. This is called "masquerading": if one
|
|
of the computers on your local network wants to send something to
|
|
the outside, your box can "masquerade" as that computer, i.e. it
|
|
forwards the traffic to the intended outside destination, but
|
|
modifies the packets to make it look like they came from the
|
|
firewall box itself. It works both ways: if the outside host
|
|
replies, the Linux box will silently forward the traffic to the
|
|
correct local computer. This way, the computers on your local net
|
|
are completely invisible to the outside world, even though they can
|
|
reach the outside and can receive replies. It is even possible to
|
|
run globally visible servers from within a masqueraded local network
|
|
using a mechanism called portforwarding. Masquerading is also often
|
|
called NAT (Network Address Translation).
|
|
|
|
Another use of Netfilter is in transparent proxying: if a machine on
|
|
the local network tries to connect to an outside host, your Linux
|
|
box can transparently forward the traffic to a local server,
|
|
typically a caching proxy server.
|
|
|
|
Yet another use of Netfilter is building a bridging firewall. Using
|
|
a bridge with Network packet filtering enabled makes iptables "see"
|
|
the bridged traffic. For filtering on the lower network and Ethernet
|
|
protocols over the bridge, use ebtables (under bridge netfilter
|
|
configuration).
|
|
|
|
Various modules exist for netfilter which replace the previous
|
|
masquerading (ipmasqadm), packet filtering (ipchains), transparent
|
|
proxying, and portforwarding mechanisms. Please see
|
|
<file:Documentation/Changes> under "iptables" for the location of
|
|
these packages.
|
|
|
|
Make sure to say N to "Fast switching" below if you intend to say Y
|
|
here, as Fast switching currently bypasses netfilter.
|
|
|
|
Chances are that you should say Y here if you compile a kernel which
|
|
will run as a router and N for regular hosts. If unsure, say N.
|
|
|
|
if NETFILTER
|
|
|
|
config NETFILTER_DEBUG
|
|
bool "Network packet filtering debugging"
|
|
depends on NETFILTER
|
|
help
|
|
You can say Y here if you want to get additional messages useful in
|
|
debugging the netfilter code.
|
|
|
|
config BRIDGE_NETFILTER
|
|
bool "Bridged IP/ARP packets filtering"
|
|
depends on BRIDGE && NETFILTER && INET
|
|
default y
|
|
---help---
|
|
Enabling this option will let arptables resp. iptables see bridged
|
|
ARP resp. IP traffic. If you want a bridging firewall, you probably
|
|
want this option enabled.
|
|
Enabling or disabling this option doesn't enable or disable
|
|
ebtables.
|
|
|
|
If unsure, say N.
|
|
|
|
source "net/netfilter/Kconfig"
|
|
source "net/ipv4/netfilter/Kconfig"
|
|
source "net/ipv6/netfilter/Kconfig"
|
|
source "net/decnet/netfilter/Kconfig"
|
|
source "net/bridge/netfilter/Kconfig"
|
|
|
|
endif
|
|
|
|
source "net/dccp/Kconfig"
|
|
source "net/sctp/Kconfig"
|
|
source "net/tipc/Kconfig"
|
|
source "net/atm/Kconfig"
|
|
source "net/bridge/Kconfig"
|
|
source "net/8021q/Kconfig"
|
|
source "net/decnet/Kconfig"
|
|
source "net/llc/Kconfig"
|
|
source "net/ipx/Kconfig"
|
|
source "drivers/net/appletalk/Kconfig"
|
|
source "net/x25/Kconfig"
|
|
source "net/lapb/Kconfig"
|
|
|
|
config NET_DIVERT
|
|
bool "Frame Diverter (EXPERIMENTAL)"
|
|
depends on EXPERIMENTAL
|
|
---help---
|
|
The Frame Diverter allows you to divert packets from the
|
|
network, that are not aimed at the interface receiving it (in
|
|
promisc. mode). Typically, a Linux box setup as an Ethernet bridge
|
|
with the Frames Diverter on, can do some *really* transparent www
|
|
caching using a Squid proxy for example.
|
|
|
|
This is very useful when you don't want to change your router's
|
|
config (or if you simply don't have access to it).
|
|
|
|
The other possible usages of diverting Ethernet Frames are
|
|
numberous:
|
|
- reroute smtp traffic to another interface
|
|
- traffic-shape certain network streams
|
|
- transparently proxy smtp connections
|
|
- etc...
|
|
|
|
For more informations, please refer to:
|
|
<http://diverter.sourceforge.net/>
|
|
<http://perso.wanadoo.fr/magpie/EtherDivert.html>
|
|
|
|
If unsure, say N.
|
|
|
|
source "net/econet/Kconfig"
|
|
source "net/wanrouter/Kconfig"
|
|
source "net/sched/Kconfig"
|
|
|
|
menu "Network testing"
|
|
|
|
config NET_PKTGEN
|
|
tristate "Packet Generator (USE WITH CAUTION)"
|
|
depends on PROC_FS
|
|
---help---
|
|
This module will inject preconfigured packets, at a configurable
|
|
rate, out of a given interface. It is used for network interface
|
|
stress testing and performance analysis. If you don't understand
|
|
what was just said, you don't need it: say N.
|
|
|
|
Documentation on how to use the packet generator can be found
|
|
at <file:Documentation/networking/pktgen.txt>.
|
|
|
|
To compile this code as a module, choose M here: the
|
|
module will be called pktgen.
|
|
|
|
config NET_TCPPROBE
|
|
tristate "TCP connection probing"
|
|
depends on INET && EXPERIMENTAL && PROC_FS && KPROBES
|
|
---help---
|
|
This module allows for capturing the changes to TCP connection
|
|
state in response to incoming packets. It is used for debugging
|
|
TCP congestion avoidance modules. If you don't understand
|
|
what was just said, you don't need it: say N.
|
|
|
|
Documentation on how to use the packet generator can be found
|
|
at http://linux-net.osdl.org/index.php/TcpProbe
|
|
|
|
To compile this code as a module, choose M here: the
|
|
module will be called tcp_probe.
|
|
|
|
endmenu
|
|
|
|
endmenu
|
|
|
|
source "net/ax25/Kconfig"
|
|
source "net/irda/Kconfig"
|
|
source "net/bluetooth/Kconfig"
|
|
source "net/ieee80211/Kconfig"
|
|
|
|
config WIRELESS_EXT
|
|
bool
|
|
|
|
endif # if NET
|
|
endmenu # Networking
|
|
|