2005-04-17 02:20:36 +04:00
#
# IPv6 configuration
2005-07-12 08:13:56 +04:00
#
# IPv6 as module will cause a CRASH if you try to unload it
2008-04-14 10:30:47 +04:00
menuconfig IPV6
2005-07-12 08:13:56 +04:00
tristate "The IPv6 protocol"
2015-07-13 18:48:00 +03:00
default y
2005-07-12 08:13:56 +04:00
---help---
2015-07-13 18:48:00 +03:00
Support for IP version 6 (IPv6).
2005-07-12 08:13:56 +04:00
For general information about IPv6, see
2013-02-22 04:43:05 +04:00
<https://en.wikipedia.org/wiki/IPv6>.
2015-07-13 18:48:00 +03:00
For specific information about IPv6 under Linux, see
Documentation/networking/ipv6.txt and read the HOWTO at
<http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/>
2005-07-12 08:13:56 +04:00
2018-07-24 22:29:18 +03:00
To compile this protocol support as a module, choose M here: the
2005-07-12 08:13:56 +04:00
module will be called ipv6.
2008-04-14 10:30:47 +04:00
if IPV6
2006-03-21 04:04:53 +03:00
config IPV6_ROUTER_PREF
bool "IPv6: Router Preference (RFC 4191) support"
---help---
Router Preference is an optional extension to the Router
2009-01-26 13:12:25 +03:00
Advertisement message which improves the ability of hosts
to pick an appropriate router, especially when the hosts
are placed in a multi-homed network.
2006-03-21 04:04:53 +03:00
If unsure, say N.
2006-03-21 04:06:24 +03:00
config IPV6_ROUTE_INFO
2012-10-02 22:19:49 +04:00
bool "IPv6: Route Information (RFC 4191) support"
depends on IPV6_ROUTER_PREF
2006-03-21 04:06:24 +03:00
---help---
2018-05-07 15:03:18 +03:00
Support of Route Information.
2006-03-21 04:06:24 +03:00
If unsure, say N.
2007-04-26 04:08:10 +04:00
config IPV6_OPTIMISTIC_DAD
2012-10-02 22:19:49 +04:00
bool "IPv6: Enable RFC 4429 Optimistic DAD"
2007-04-26 04:08:10 +04:00
---help---
2018-05-07 15:03:18 +03:00
Support for optimistic Duplicate Address Detection. It allows for
autoconfigured addresses to be used more quickly.
2007-04-26 04:08:10 +04:00
If unsure, say N.
2005-04-17 02:20:36 +04:00
config INET6_AH
tristate "IPv6: AH transformation"
2012-05-15 05:57:44 +04:00
select XFRM_ALGO
2005-04-17 02:20:36 +04:00
select CRYPTO
select CRYPTO_HMAC
select CRYPTO_MD5
select CRYPTO_SHA1
---help---
Support for IPsec AH.
If unsure, say Y.
config INET6_ESP
tristate "IPv6: ESP transformation"
2012-05-15 05:57:44 +04:00
select XFRM_ALGO
2005-04-17 02:20:36 +04:00
select CRYPTO
2008-03-05 01:29:21 +03:00
select CRYPTO_AUTHENC
2005-04-17 02:20:36 +04:00
select CRYPTO_HMAC
select CRYPTO_MD5
2006-07-30 09:41:01 +04:00
select CRYPTO_CBC
2005-04-17 02:20:36 +04:00
select CRYPTO_SHA1
select CRYPTO_DES
2016-01-25 14:58:44 +03:00
select CRYPTO_ECHAINIV
2005-04-17 02:20:36 +04:00
---help---
Support for IPsec ESP.
If unsure, say Y.
2017-02-15 11:40:00 +03:00
config INET6_ESP_OFFLOAD
tristate "IPv6: ESP transformation offload"
depends on INET6_ESP
select XFRM_OFFLOAD
default n
---help---
Support for ESP transformation offload. This makes sense
only if this system really does IPsec and want to do it
with high throughput. A typical desktop system does not
need it, even if it does IPsec.
If unsure, say N.
2005-04-17 02:20:36 +04:00
config INET6_IPCOMP
tristate "IPv6: IPComp transformation"
2006-03-28 13:12:13 +04:00
select INET6_XFRM_TUNNEL
2008-07-25 13:54:40 +04:00
select XFRM_IPCOMP
2005-04-17 02:20:36 +04:00
---help---
Support for IP Payload Compression Protocol (IPComp) (RFC3173),
typically needed for IPsec.
If unsure, say Y.
2006-08-24 06:13:46 +04:00
config IPV6_MIP6
2012-10-02 22:19:49 +04:00
tristate "IPv6: Mobility"
2006-08-24 06:13:46 +04:00
select XFRM
---help---
Support for IPv6 Mobility described in RFC 3775.
If unsure, say N.
2015-08-17 23:42:27 +03:00
config IPV6_ILA
tristate "IPv6: Identifier Locator Addressing (ILA)"
2015-12-18 17:37:37 +03:00
depends on NETFILTER
2018-07-18 11:48:56 +03:00
select DST_CACHE
2015-08-17 23:42:27 +03:00
select LWTUNNEL
---help---
Support for IPv6 Identifier Locator Addressing (ILA).
ILA is a mechanism to do network virtualization without
encapsulation. The basic concept of ILA is that we split an
IPv6 address into a 64 bit locator and 64 bit identifier. The
identifier is the identity of an entity in communication
("who") and the locator expresses the location of the
entity ("where").
ILA can be configured using the "encap ila" option with
"ip -6 route" command. ILA is described in
https://tools.ietf.org/html/draft-herbert-nvo3-ila-00.
If unsure, say N.
2006-03-28 13:12:13 +04:00
config INET6_XFRM_TUNNEL
tristate
select INET6_TUNNEL
default n
2005-04-17 02:20:36 +04:00
config INET6_TUNNEL
2006-03-28 13:12:13 +04:00
tristate
default n
2005-04-17 02:20:36 +04:00
2013-08-19 10:07:34 +04:00
config IPV6_VTI
tristate "Virtual (secure) IPv6: tunneling"
select IPV6_TUNNEL
2014-02-19 16:33:23 +04:00
select NET_IP_TUNNEL
2019-03-29 23:16:31 +03:00
select XFRM
2013-08-19 10:07:34 +04:00
---help---
Tunneling means encapsulating data of one protocol type within
another protocol and sending it over a channel that understands the
encapsulating protocol. This can be used with xfrm mode tunnel to give
the notion of a secure tunnel for IPSEC and then use routing protocol
on top.
2006-10-11 01:47:44 +04:00
config IPV6_SIT
tristate "IPv6: IPv6-in-IPv4 tunnel (SIT driver)"
2007-02-13 23:55:25 +03:00
select INET_TUNNEL
2013-03-25 18:50:00 +04:00
select NET_IP_TUNNEL
2008-03-16 06:59:18 +03:00
select IPV6_NDISC_NODETYPE
2006-10-11 01:47:44 +04:00
default y
---help---
Tunneling means encapsulating data of one protocol type within
another protocol and sending it over a channel that understands the
encapsulating protocol. This driver implements encapsulation of IPv6
2008-04-27 09:50:57 +04:00
into IPv4 packets. This is useful if you want to connect two IPv6
2006-10-11 01:47:44 +04:00
networks over an IPv4-only path.
2009-06-05 02:44:53 +04:00
Saying M here will produce a module called sit. If unsure, say Y.
2006-10-11 01:47:44 +04:00
2009-09-23 03:43:14 +04:00
config IPV6_SIT_6RD
2012-10-02 22:19:49 +04:00
bool "IPv6: IPv6 Rapid Deployment (6RD)"
depends on IPV6_SIT
2009-09-23 03:43:14 +04:00
default n
---help---
IPv6 Rapid Deployment (6rd; draft-ietf-softwire-ipv6-6rd) builds upon
mechanisms of 6to4 (RFC3056) to enable a service provider to rapidly
deploy IPv6 unicast service to IPv4 sites to which it provides
customer premise equipment. Like 6to4, it utilizes stateless IPv6 in
IPv4 encapsulation in order to transit IPv4-only network
infrastructure. Unlike 6to4, a 6rd service provider uses an IPv6
prefix of its own in place of the fixed 6to4 prefix.
With this option enabled, the SIT driver offers 6rd functionality by
providing additional ioctl API to configure the IPv6 Prefix for in
stead of static 2002::/16 for 6to4.
If unsure, say N.
2008-03-16 06:59:18 +03:00
config IPV6_NDISC_NODETYPE
bool
2005-04-17 02:20:36 +04:00
config IPV6_TUNNEL
2008-03-21 02:13:58 +03:00
tristate "IPv6: IP-in-IPv6 tunnel (RFC2473)"
2006-03-28 13:12:13 +04:00
select INET6_TUNNEL
2016-02-12 17:43:54 +03:00
select DST_CACHE
2017-02-08 02:37:15 +03:00
select GRO_CELLS
2005-04-17 02:20:36 +04:00
---help---
2008-03-21 02:13:58 +03:00
Support for IPv6-in-IPv6 and IPv4-in-IPv6 tunnels described in
RFC 2473.
2005-04-17 02:20:36 +04:00
If unsure, say N.
2012-08-10 04:51:50 +04:00
config IPV6_GRE
tristate "IPv6: GRE tunnel"
select IPV6_TUNNEL
2013-03-25 18:50:00 +04:00
select NET_IP_TUNNEL
2016-05-03 18:19:57 +03:00
depends on NET_IPGRE_DEMUX
2012-08-10 04:51:50 +04:00
---help---
Tunneling means encapsulating data of one protocol type within
another protocol and sending it over a channel that understands the
encapsulating protocol. This particular tunneling driver implements
GRE (Generic Routing Encapsulation) and at this time allows
encapsulating of IPv4 or IPv6 over existing IPv6 infrastructure.
This driver is useful if the other endpoint is a Cisco router: Cisco
likes GRE much better than the other Linux tunneling driver ("IP
tunneling" above). In addition, GRE allows multicast redistribution
through the tunnel.
Saying M here will produce a module called ip6_gre. If unsure, say N.
fou: add Kconfig options for IPv6 support
A previous patch added the fou6.ko module, but that failed to link
in a couple of configurations:
net/built-in.o: In function `ip6_tnl_encap_add_fou_ops':
net/ipv6/fou6.c:88: undefined reference to `ip6_tnl_encap_add_ops'
net/ipv6/fou6.c:94: undefined reference to `ip6_tnl_encap_add_ops'
net/ipv6/fou6.c:97: undefined reference to `ip6_tnl_encap_del_ops'
net/built-in.o: In function `ip6_tnl_encap_del_fou_ops':
net/ipv6/fou6.c:106: undefined reference to `ip6_tnl_encap_del_ops'
net/ipv6/fou6.c:107: undefined reference to `ip6_tnl_encap_del_ops'
If CONFIG_IPV6=m, ip6_tnl_encap_add_ops/ip6_tnl_encap_del_ops
are in a module, but fou6.c can still be built-in, and that
obviously fails to link.
Also, if CONFIG_IPV6=y, but CONFIG_IPV6_TUNNEL=m or
CONFIG_IPV6_TUNNEL=n, the same problem happens for a different
reason.
This adds two new silent Kconfig symbols to work around both
problems:
- CONFIG_IPV6_FOU is now always set to 'm' if either CONFIG_NET_FOU=m
or CONFIG_IPV6=m
- CONFIG_IPV6_FOU_TUNNEL is set implicitly when IPV6_FOU is enabled
and NET_FOU_IP_TUNNELS is also turned out, and it will ensure
that CONFIG_IPV6_TUNNEL is also available.
The options could be made user-visible as well, to give additional
room for configuration, but it seems easier not to bother users
with more choice here.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Fixes: aa3463d65e7b ("fou: Add encap ops for IPv6 tunnels")
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-05-25 17:50:46 +03:00
config IPV6_FOU
tristate
default NET_FOU && IPV6
config IPV6_FOU_TUNNEL
tristate
default NET_FOU_IP_TUNNELS && IPV6_FOU
fou: fix IPv6 Kconfig options
The Kconfig options I added to work around broken compilation ended
up screwing up things more, as I used the wrong symbol to control
compilation of the file, resulting in IPv6 fou support to never be built
into the kernel.
Changing CONFIG_NET_FOU_IPV6_TUNNELS to CONFIG_IPV6_FOU fixes that
problem, I had renamed the symbol in one location but not the other,
and as the file is never being used by other kernel code, this did not
lead to a build failure that I would have caught.
After that fix, another issue with the same patch becomes obvious, as we
'select INET6_TUNNEL', which is related to IPV6_TUNNEL, but not the same,
and this can still cause the original build failure when IPV6_TUNNEL is
not built-in but IPV6_FOU is. The fix is equally trivial, we just need
to select the right symbol.
I have successfully build 350 randconfig kernels with this patch
and verified that the driver is now being built.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reported-by: Valentin Rothberg <valentinrothberg@gmail.com>
Fixes: fabb13db448e ("fou: add Kconfig options for IPv6 support")
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-05-31 23:42:11 +03:00
select IPV6_TUNNEL
fou: add Kconfig options for IPv6 support
A previous patch added the fou6.ko module, but that failed to link
in a couple of configurations:
net/built-in.o: In function `ip6_tnl_encap_add_fou_ops':
net/ipv6/fou6.c:88: undefined reference to `ip6_tnl_encap_add_ops'
net/ipv6/fou6.c:94: undefined reference to `ip6_tnl_encap_add_ops'
net/ipv6/fou6.c:97: undefined reference to `ip6_tnl_encap_del_ops'
net/built-in.o: In function `ip6_tnl_encap_del_fou_ops':
net/ipv6/fou6.c:106: undefined reference to `ip6_tnl_encap_del_ops'
net/ipv6/fou6.c:107: undefined reference to `ip6_tnl_encap_del_ops'
If CONFIG_IPV6=m, ip6_tnl_encap_add_ops/ip6_tnl_encap_del_ops
are in a module, but fou6.c can still be built-in, and that
obviously fails to link.
Also, if CONFIG_IPV6=y, but CONFIG_IPV6_TUNNEL=m or
CONFIG_IPV6_TUNNEL=n, the same problem happens for a different
reason.
This adds two new silent Kconfig symbols to work around both
problems:
- CONFIG_IPV6_FOU is now always set to 'm' if either CONFIG_NET_FOU=m
or CONFIG_IPV6=m
- CONFIG_IPV6_FOU_TUNNEL is set implicitly when IPV6_FOU is enabled
and NET_FOU_IP_TUNNELS is also turned out, and it will ensure
that CONFIG_IPV6_TUNNEL is also available.
The options could be made user-visible as well, to give additional
room for configuration, but it seems easier not to bother users
with more choice here.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Fixes: aa3463d65e7b ("fou: Add encap ops for IPv6 tunnels")
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-05-25 17:50:46 +03:00
2006-10-17 09:12:21 +04:00
config IPV6_MULTIPLE_TABLES
bool "IPv6: Multiple Routing Tables"
select FIB_RULES
---help---
Support multiple routing tables.
2006-08-24 04:23:39 +04:00
config IPV6_SUBTREES
bool "IPv6: source address based routing"
2006-10-17 09:12:21 +04:00
depends on IPV6_MULTIPLE_TABLES
2006-08-24 04:23:39 +04:00
---help---
Enable routing by source address or prefix.
The destination address is still the primary routing key, so mixing
normal and source prefix specific routes in the same routing table
may sometimes lead to unintended routing behavior. This can be
avoided by defining different routing tables for the normal and
source prefix specific routes.
If unsure, say N.
2008-04-03 04:22:53 +04:00
config IPV6_MROUTE
2012-10-02 22:19:49 +04:00
bool "IPv6: multicast routing"
depends on IPV6
2018-03-01 00:29:29 +03:00
select IP_MROUTE_COMMON
2008-04-03 04:22:53 +04:00
---help---
2018-05-07 15:03:18 +03:00
Support for IPv6 multicast forwarding.
2008-04-03 04:22:53 +04:00
If unsure, say N.
ipv6: ip6mr: support multiple tables
This patch adds support for multiple independant multicast routing instances,
named "tables".
Userspace multicast routing daemons can bind to a specific table instance by
issuing a setsockopt call using a new option MRT6_TABLE. The table number is
stored in the raw socket data and affects all following ip6mr setsockopt(),
getsockopt() and ioctl() calls. By default, a single table (RT6_TABLE_DFLT)
is created with a default routing rule pointing to it. Newly created pim6reg
devices have the table number appended ("pim6regX"), with the exception of
devices created in the default table, which are named just "pim6reg" for
compatibility reasons.
Packets are directed to a specific table instance using routing rules,
similar to how regular routing rules work. Currently iif, oif and mark
are supported as keys, source and destination addresses could be supported
additionally.
Example usage:
- bind pimd/xorp/... to a specific table:
uint32_t table = 123;
setsockopt(fd, SOL_IPV6, MRT6_TABLE, &table, sizeof(table));
- create routing rules directing packets to the new table:
# ip -6 mrule add iif eth0 lookup 123
# ip -6 mrule add oif eth0 lookup 123
Signed-off-by: Patrick McHardy <kaber@trash.net>
2010-05-11 16:40:55 +04:00
config IPV6_MROUTE_MULTIPLE_TABLES
bool "IPv6: multicast policy routing"
depends on IPV6_MROUTE
select FIB_RULES
help
Normally, a multicast router runs a userspace daemon and decides
what to do with a multicast packet based on the source and
destination addresses. If you say Y here, the multicast router
will also be able to take interfaces and packet marks into
account and run multiple instances of userspace daemons
simultaneously, each one handling a single table.
If unsure, say N.
2008-04-03 04:22:54 +04:00
config IPV6_PIMSM_V2
2012-10-02 22:19:49 +04:00
bool "IPv6: PIM-SM version 2 support"
2008-04-03 04:22:54 +04:00
depends on IPV6_MROUTE
---help---
Support for IPv6 PIM multicast routing protocol PIM-SMv2.
If unsure, say N.
2016-11-15 18:14:04 +03:00
config IPV6_SEG6_LWTUNNEL
bool "IPv6: Segment Routing Header encapsulation support"
depends on IPV6
select LWTUNNEL
2017-03-27 12:43:59 +03:00
select DST_CACHE
2017-08-25 10:56:47 +03:00
select IPV6_MULTIPLE_TABLES
2016-11-15 18:14:04 +03:00
---help---
Support for encapsulation of packets within an outer IPv6
header and a Segment Routing Header using the lightweight
2017-08-05 13:38:26 +03:00
tunnels mechanism. Also enable support for advanced local
processing of SRv6 packets based on their active segment.
2016-11-15 18:14:04 +03:00
If unsure, say N.
2016-11-08 16:57:42 +03:00
config IPV6_SEG6_HMAC
bool "IPv6: Segment Routing HMAC support"
depends on IPV6
select CRYPTO_HMAC
select CRYPTO_SHA1
select CRYPTO_SHA256
---help---
Support for HMAC signature generation and verification
of SR-enabled packets.
If unsure, say N.
bpf: Add IPv6 Segment Routing helpers
The BPF seg6local hook should be powerful enough to enable users to
implement most of the use-cases one could think of. After some thinking,
we figured out that the following actions should be possible on a SRv6
packet, requiring 3 specific helpers :
- bpf_lwt_seg6_store_bytes: Modify non-sensitive fields of the SRH
- bpf_lwt_seg6_adjust_srh: Allow to grow or shrink a SRH
(to add/delete TLVs)
- bpf_lwt_seg6_action: Apply some SRv6 network programming actions
(specifically End.X, End.T, End.B6 and
End.B6.Encap)
The specifications of these helpers are provided in the patch (see
include/uapi/linux/bpf.h).
The non-sensitive fields of the SRH are the following : flags, tag and
TLVs. The other fields can not be modified, to maintain the SRH
integrity. Flags, tag and TLVs can easily be modified as their validity
can be checked afterwards via seg6_validate_srh. It is not allowed to
modify the segments directly. If one wants to add segments on the path,
he should stack a new SRH using the End.B6 action via
bpf_lwt_seg6_action.
Growing, shrinking or editing TLVs via the helpers will flag the SRH as
invalid, and it will have to be re-validated before re-entering the IPv6
layer. This flag is stored in a per-CPU buffer, along with the current
header length in bytes.
Storing the SRH len in bytes in the control block is mandatory when using
bpf_lwt_seg6_adjust_srh. The Header Ext. Length field contains the SRH
len rounded to 8 bytes (a padding TLV can be inserted to ensure the 8-bytes
boundary). When adding/deleting TLVs within the BPF program, the SRH may
temporary be in an invalid state where its length cannot be rounded to 8
bytes without remainder, hence the need to store the length in bytes
separately. The caller of the BPF program can then ensure that the SRH's
final length is valid using this value. Again, a final SRH modified by a
BPF program which doesn’t respect the 8-bytes boundary will be discarded
as it will be considered as invalid.
Finally, a fourth helper is provided, bpf_lwt_push_encap, which is
available from the LWT BPF IN hook, but not from the seg6local BPF one.
This helper allows to encapsulate a Segment Routing Header (either with
a new outer IPv6 header, or by inlining it directly in the existing IPv6
header) into a non-SRv6 packet. This helper is required if we want to
offer the possibility to dynamically encapsulate a SRH for non-SRv6 packet,
as the BPF seg6local hook only works on traffic already containing a SRH.
This is the BPF equivalent of the seg6 LWT infrastructure, which achieves
the same purpose but with a static SRH per route.
These helpers require CONFIG_IPV6=y (and not =m).
Signed-off-by: Mathieu Xhonneux <m.xhonneux@gmail.com>
Acked-by: David Lebrun <dlebrun@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2018-05-20 16:58:14 +03:00
config IPV6_SEG6_BPF
def_bool y
depends on IPV6_SEG6_LWTUNNEL
depends on IPV6 = y
2008-04-14 10:30:47 +04:00
endif # IPV6