blob: 056898685d408e463f1a191f36e2384e9974ab6d [file] [log] [blame]
Horms6ce16692006-07-03 19:35:40 -07001/proc/sys/net/ipv4/vs/* Variables:
2
3am_droprate - INTEGER
4 default 10
5
6 It sets the always mode drop rate, which is used in the mode 3
7 of the drop_rate defense.
8
9amemthresh - INTEGER
10 default 1024
11
12 It sets the available memory threshold (in pages), which is
13 used in the automatic modes of defense. When there is no
14 enough available memory, the respective strategy will be
15 enabled and the variable is automatically set to 2, otherwise
16 the strategy is disabled and the variable is set to 1.
17
Julian Anastasov0c125822013-03-09 23:25:04 +020018backup_only - BOOLEAN
19 0 - disabled (default)
20 not 0 - enabled
21
22 If set, disable the director function while the server is
23 in backup mode to avoid packet loops for DR/TUN methods.
24
Marcelo Ricardo Leitnerd752c362015-02-23 15:02:34 -030025conn_reuse_mode - INTEGER
26 1 - default
27
28 Controls how ipvs will deal with connections that are detected
29 port reuse. It is a bitmap, with the values being:
30
31 0: disable any special handling on port reuse. The new
32 connection will be delivered to the same real server that was
33 servicing the previous connection. This will effectively
34 disable expire_nodest_conn.
35
36 bit 1: enable rescheduling of new connections when it is safe.
37 That is, whenever expire_nodest_conn and for TCP sockets, when
38 the connection is in TIME_WAIT state (which is only possible if
39 you use NAT mode).
40
41 bit 2: it is bit 1 plus, for TCP connections, when connections
42 are in FIN_WAIT state, as this is the last state seen by load
43 balancer in Direct Routing mode. This bit helps on adding new
44 real servers to a very busy cluster.
45
Simon Horman7e777dd2011-09-09 17:07:43 +090046conntrack - BOOLEAN
47 0 - disabled (default)
48 not 0 - enabled
49
50 If set, maintain connection tracking entries for
51 connections handled by IPVS.
52
53 This should be enabled if connections handled by IPVS are to be
54 also handled by stateful firewall rules. That is, iptables rules
55 that make use of connection tracking. It is a performance
56 optimisation to disable this setting otherwise.
57
58 Connections handled by the IPVS FTP application module
59 will have connection tracking entries regardless of this setting.
60
Simon Horman40cb1f92011-09-29 16:27:37 +090061 Only available when IPVS is compiled with CONFIG_IP_VS_NFCT enabled.
Simon Horman7e777dd2011-09-09 17:07:43 +090062
Horms6ce16692006-07-03 19:35:40 -070063cache_bypass - BOOLEAN
64 0 - disabled (default)
65 not 0 - enabled
66
67 If it is enabled, forward packets to the original destination
68 directly when no cache server is available and destination
69 address is not local (iph->daddr is RTN_UNICAST). It is mostly
70 used in transparent web cache cluster.
71
72debug_level - INTEGER
73 0 - transmission error messages (default)
74 1 - non-fatal error messages
75 2 - configuration
76 3 - destination trash
77 4 - drop entry
78 5 - service lookup
79 6 - scheduling
80 7 - connection new/expire, lookup and synchronization
81 8 - state transition
82 9 - binding destination, template checks and applications
83 10 - IPVS packet transmission
84 11 - IPVS packet handling (ip_vs_in/ip_vs_out)
85 12 or more - packet traversal
86
Simon Horman40cb1f92011-09-29 16:27:37 +090087 Only available when IPVS is compiled with CONFIG_IP_VS_DEBUG enabled.
Horms6ce16692006-07-03 19:35:40 -070088
89 Higher debugging levels include the messages for lower debugging
90 levels, so setting debug level 2, includes level 0, 1 and 2
91 messages. Thus, logging becomes more and more verbose the higher
92 the level.
93
94drop_entry - INTEGER
95 0 - disabled (default)
96
97 The drop_entry defense is to randomly drop entries in the
98 connection hash table, just in order to collect back some
99 memory for new connections. In the current code, the
100 drop_entry procedure can be activated every second, then it
101 randomly scans 1/32 of the whole and drops entries that are in
102 the SYN-RECV/SYNACK state, which should be effective against
103 syn-flooding attack.
104
105 The valid values of drop_entry are from 0 to 3, where 0 means
106 that this strategy is always disabled, 1 and 2 mean automatic
107 modes (when there is no enough available memory, the strategy
108 is enabled and the variable is automatically set to 2,
109 otherwise the strategy is disabled and the variable is set to
110 1), and 3 means that that the strategy is always enabled.
111
112drop_packet - INTEGER
113 0 - disabled (default)
114
115 The drop_packet defense is designed to drop 1/rate packets
116 before forwarding them to real servers. If the rate is 1, then
117 drop all the incoming packets.
118
119 The value definition is the same as that of the drop_entry. In
120 the automatic mode, the rate is determined by the follow
121 formula: rate = amemthresh / (amemthresh - available_memory)
122 when available memory is less than the available memory
123 threshold. When the mode 3 is set, the always mode drop rate
124 is controlled by the /proc/sys/net/ipv4/vs/am_droprate.
125
126expire_nodest_conn - BOOLEAN
127 0 - disabled (default)
128 not 0 - enabled
129
130 The default value is 0, the load balancer will silently drop
131 packets when its destination server is not available. It may
132 be useful, when user-space monitoring program deletes the
133 destination server (because of server overload or wrong
134 detection) and add back the server later, and the connections
135 to the server can continue.
136
137 If this feature is enabled, the load balancer will expire the
138 connection immediately when a packet arrives and its
139 destination server is not available, then the client program
140 will be notified that the connection is closed. This is
141 equivalent to the feature some people requires to flush
142 connections when its destination is not available.
143
144expire_quiescent_template - BOOLEAN
145 0 - disabled (default)
146 not 0 - enabled
147
148 When set to a non-zero value, the load balancer will expire
149 persistent templates when the destination server is quiescent.
150 This may be useful, when a user makes a destination server
151 quiescent by setting its weight to 0 and it is desired that
152 subsequent otherwise persistent connections are sent to a
153 different destination server. By default new persistent
154 connections are allowed to quiescent destination servers.
155
156 If this feature is enabled, the load balancer will expire the
157 persistence template if it is to be used to schedule a new
158 connection and the destination server is quiescent.
159
Alex Gartrell4e478092015-09-14 23:23:05 -0700160ignore_tunneled - BOOLEAN
161 0 - disabled (default)
162 not 0 - enabled
163
164 If set, ipvs will set the ipvs_property on all packets which are of
165 unrecognized protocols. This prevents us from routing tunneled
166 protocols like ipip, which is useful to prevent rescheduling
167 packets that have been tunneled to the ipvs host (i.e. to prevent
168 ipvs routing loops when ipvs is also acting as a real server).
169
Horms6ce16692006-07-03 19:35:40 -0700170nat_icmp_send - BOOLEAN
171 0 - disabled (default)
172 not 0 - enabled
173
174 It controls sending icmp error messages (ICMP_DEST_UNREACH)
175 for VS/NAT when the load balancer receives packets from real
176 servers but the connection entries don't exist.
177
Hangbin Liu3c679cb2017-02-20 16:31:38 +0800178pmtu_disc - BOOLEAN
179 0 - disabled
180 not 0 - enabled (default)
181
182 By default, reject with FRAG_NEEDED all DF packets that exceed
183 the PMTU, irrespective of the forwarding method. For TUN method
184 the flag can be disabled to fragment such packets.
185
Horms6ce16692006-07-03 19:35:40 -0700186secure_tcp - INTEGER
187 0 - disabled (default)
188
Simon Horman325aadc2011-09-29 16:14:51 +0900189 The secure_tcp defense is to use a more complicated TCP state
190 transition table. For VS/NAT, it also delays entering the
191 TCP ESTABLISHED state until the three way handshake is completed.
Horms6ce16692006-07-03 19:35:40 -0700192
Simon Horman325aadc2011-09-29 16:14:51 +0900193 The value definition is the same as that of drop_entry and
Horms6ce16692006-07-03 19:35:40 -0700194 drop_packet.
195
Hangbin Liua2f346d2017-02-20 16:31:35 +0800196sync_threshold - vector of 2 INTEGERs: sync_threshold, sync_period
197 default 3 50
Horms6ce16692006-07-03 19:35:40 -0700198
Hangbin Liua2f346d2017-02-20 16:31:35 +0800199 It sets synchronization threshold, which is the minimum number
200 of incoming packets that a connection needs to receive before
201 the connection will be synchronized. A connection will be
202 synchronized, every time the number of its incoming packets
203 modulus sync_period equals the threshold. The range of the
204 threshold is from 0 to sync_period.
205
206 When sync_period and sync_refresh_period are 0, send sync only
207 for state changes or only once when pkts matches sync_threshold
208
209sync_refresh_period - UNSIGNED INTEGER
210 default 0
211
212 In seconds, difference in reported connection timer that triggers
213 new sync message. It can be used to avoid sync messages for the
214 specified period (or half of the connection timeout if it is lower)
215 if connection state is not changed since last sync.
216
217 This is useful for normal connections with high traffic to reduce
218 sync rate. Additionally, retry sync_retries times with period of
219 sync_refresh_period/8.
220
221sync_retries - INTEGER
222 default 0
223
224 Defines sync retries with period of sync_refresh_period/8. Useful
225 to protect against loss of sync messages. The range of the
226 sync_retries is from 0 to 3.
Simon Horman7e777dd2011-09-09 17:07:43 +0900227
Hangbin Liu237e5722017-02-20 16:31:36 +0800228sync_qlen_max - UNSIGNED LONG
229
230 Hard limit for queued sync messages that are not sent yet. It
231 defaults to 1/32 of the memory pages but actually represents
232 number of messages. It will protect us from allocating large
233 parts of memory when the sending rate is lower than the queuing
234 rate.
235
236sync_sock_size - INTEGER
237 default 0
238
239 Configuration of SNDBUF (master) or RCVBUF (slave) socket limit.
240 Default value is 0 (preserve system defaults).
241
Hangbin Liu24b44412017-02-20 16:31:37 +0800242sync_ports - INTEGER
243 default 1
244
245 The number of threads that master and backup servers can use for
246 sync traffic. Every thread will use single UDP port, thread 0 will
247 use the default port 8848 while last thread will use port
248 8848+sync_ports-1.
249
Simon Horman7e777dd2011-09-09 17:07:43 +0900250snat_reroute - BOOLEAN
251 0 - disabled
252 not 0 - enabled (default)
253
254 If enabled, recalculate the route of SNATed packets from
255 realservers so that they are routed as if they originate from the
256 director. Otherwise they are routed as if they are forwarded by the
257 director.
258
259 If policy routing is in effect then it is possible that the route
260 of a packet originating from a director is routed differently to a
261 packet being forwarded by the director.
262
263 If policy routing is not in effect then the recalculated route will
264 always be the same as the original route so it is an optimisation
265 to disable snat_reroute and avoid the recalculation.
266
Julian Anastasov4d0c8752013-06-24 22:44:41 +0300267sync_persist_mode - INTEGER
268 default 0
269
270 Controls the synchronisation of connections when using persistence
271
272 0: All types of connections are synchronised
273 1: Attempt to reduce the synchronisation traffic depending on
274 the connection type. For persistent services avoid synchronisation
275 for normal connections, do it only for persistence templates.
276 In such case, for TCP and SCTP it may need enabling sloppy_tcp and
277 sloppy_sctp flags on backup servers. For non-persistent services
278 such optimization is not applied, mode 0 is assumed.
279
Simon Horman7e777dd2011-09-09 17:07:43 +0900280sync_version - INTEGER
281 default 1
282
283 The version of the synchronisation protocol used when sending
284 synchronisation messages.
285
286 0 selects the original synchronisation protocol (version 0). This
287 should be used when sending synchronisation messages to a legacy
288 system that only understands the original synchronisation protocol.
289
290 1 selects the current synchronisation protocol (version 1). This
291 should be used where possible.
292
293 Kernels with this sync_version entry are able to receive messages
294 of both version 1 and version 2 of the synchronisation protocol.