/proc/sys/net/ipv4/vs/* Variables:

am_droprate - INTEGER
        default 10

        It sets the always mode drop rate, which is used in mode 3
        of the drop_rate defense.

amemthresh - INTEGER
        default 1024

        It sets the available memory threshold (in pages), which is
        used in the automatic modes of defense. When there is not
        enough available memory, the respective strategy will be
        enabled and its variable is automatically set to 2; otherwise
        the strategy is disabled and its variable is set to 1.

backup_only - BOOLEAN
        0 - disabled (default)
        not 0 - enabled

        If set, disable the director function while the server is
        in backup mode to avoid packet loops for DR/TUN methods.

conn_reuse_mode - INTEGER
        1 - default

        Controls how ipvs will deal with connections on which port
        reuse is detected. It is a bitmap, with the values being:

        0: disable any special handling on port reuse. The new
        connection will be delivered to the same real server that was
        servicing the previous connection. This will effectively
        disable expire_nodest_conn.

        bit 1: enable rescheduling of new connections when it is safe.
        That is, whenever expire_nodest_conn applies and, for TCP
        sockets, when the connection is in TIME_WAIT state (which is
        only possible if you use NAT mode).

        bit 2: it is bit 1 plus, for TCP connections, when connections
        are in FIN_WAIT state, as this is the last state seen by the load
        balancer in Direct Routing mode. This bit helps when adding new
        real servers to a very busy cluster.

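The bitmap semantics above are easy to misread (bit 2 implies bit 1, and 0 neutralises expire_nodest_conn), so here is a small decision model of them. This is an added example, not IPVS code: the "bit 1"/"bit 2" wording is taken to mean the values 1 and 2 of the bitmap, and the state names and the dest_available/expire_nodest_conn parameters are this model's own.

```python
# Decision model for conn_reuse_mode (added example, not kernel code).
# Assumption: "bit 1" is the value 1 and "bit 2" the value 2 of the bitmap.

TIME_WAIT, FIN_WAIT, ESTABLISHED = "TIME_WAIT", "FIN_WAIT", "ESTABLISHED"


def reschedule_on_reuse(mode, proto, tcp_state=None, dest_available=True,
                        expire_nodest_conn=False):
    """Return True if a new connection that reuses an existing entry's port
    is rescheduled to a fresh real server, False if it is delivered to the
    real server that served the previous connection."""
    if mode == 0:
        # no special handling; this also makes expire_nodest_conn ineffective
        return False
    # bit 1: reschedule when it is safe, i.e. when expire_nodest_conn would
    # expire the old connection (hypothetical dest_available flag) ...
    if expire_nodest_conn and not dest_available:
        return True
    if proto == "tcp":
        # ... or when the old TCP connection is already in TIME_WAIT
        # (only reachable in NAT mode, where the director sees the close)
        if tcp_state == TIME_WAIT:
            return True
        # bit 2 adds FIN_WAIT, the last state the director sees in DR mode
        if mode & 2 and tcp_state == FIN_WAIT:
            return True
    return False


def describe(mode):
    """Human-readable summary of what a given conn_reuse_mode value enables."""
    if mode == 0:
        return "no rescheduling on port reuse"
    states = ["TIME_WAIT"] + (["FIN_WAIT"] if mode & 2 else [])
    return "reschedule on expire_nodest_conn and TCP " + "/".join(states)
```

Mode 1 (the default) only helps NAT deployments, because TIME_WAIT is the only trigger it adds for TCP; a DR cluster that wants new servers to pick up traffic quickly needs mode 2.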
conntrack - BOOLEAN
        0 - disabled (default)
        not 0 - enabled

        If set, maintain connection tracking entries for
        connections handled by IPVS.

        This should be enabled if connections handled by IPVS are to be
        also handled by stateful firewall rules. That is, iptables rules
        that make use of connection tracking. It is a performance
        optimisation to disable this setting otherwise.

        Connections handled by the IPVS FTP application module
        will have connection tracking entries regardless of this setting.

        Only available when IPVS is compiled with CONFIG_IP_VS_NFCT enabled.

cache_bypass - BOOLEAN
        0 - disabled (default)
        not 0 - enabled

        If it is enabled, forward packets to the original destination
        directly when no cache server is available and the destination
        address is not local (iph->daddr is RTN_UNICAST). It is mostly
        used in transparent web cache clusters.

debug_level - INTEGER
        0          - transmission error messages (default)
        1          - non-fatal error messages
        2          - configuration
        3          - destination trash
        4          - drop entry
        5          - service lookup
        6          - scheduling
        7          - connection new/expire, lookup and synchronization
        8          - state transition
        9          - binding destination, template checks and applications
        10         - IPVS packet transmission
        11         - IPVS packet handling (ip_vs_in/ip_vs_out)
        12 or more - packet traversal

        Only available when IPVS is compiled with CONFIG_IP_VS_DEBUG enabled.

        Higher debugging levels include the messages for lower debugging
        levels, so setting debug level 2 includes level 0, 1 and 2
        messages. Thus, logging becomes more and more verbose the higher
        the level.

drop_entry - INTEGER
        0  - disabled (default)

        The drop_entry defense is to randomly drop entries in the
        connection hash table, just in order to collect back some
        memory for new connections. In the current code, the
        drop_entry procedure can be activated every second, then it
        randomly scans 1/32 of the whole table and drops entries that
        are in the SYN-RECV/SYNACK state, which should be effective
        against SYN flooding attacks.

        The valid values of drop_entry are from 0 to 3, where 0 means
        that this strategy is always disabled, 1 and 2 mean automatic
        modes (when there is not enough available memory, the strategy
        is enabled and the variable is automatically set to 2,
        otherwise the strategy is disabled and the variable is set to
        1), and 3 means that the strategy is always enabled.

drop_packet - INTEGER
        0  - disabled (default)

        The drop_packet defense is designed to drop 1/rate packets
        before forwarding them to real servers. If the rate is 1, then
        drop all the incoming packets.

        The value definition is the same as that of drop_entry. In
        the automatic mode, the rate is determined by the following
        formula: rate = amemthresh / (amemthresh - available_memory)
        when available memory is less than the available memory
        threshold. When mode 3 is set, the always mode drop rate
        is controlled by /proc/sys/net/ipv4/vs/am_droprate.

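The shared 0..3 value definition of drop_entry, drop_packet (and secure_tcp, below) and the automatic-mode rate formula are worth seeing in numbers: with amemthresh at its default of 1024 pages, 768 free pages give rate 4 (one packet in four dropped), 1023 free pages give rate 1024, and 1 free page gives rate 1, i.e. everything is dropped. The model below is an added example, not the kernel's code; it assumes integer division in the formula and a simple countdown counter for "drop 1/rate packets", and the function names are its own.

```python
# Model of the IPVS memory-pressure defenses (am_droprate, amemthresh,
# drop_entry/drop_packet value definition). Added example, not kernel code.

def update_defense(mode, availmem, amemthresh=1024, am_droprate=10):
    """Apply the 0..3 value definition shared by drop_entry/drop_packet.

    mode:       current sysctl value (0..3)
    availmem:   available memory in pages (same unit as amemthresh)
    Returns (new_mode, rate). new_mode is the value the sysctl now holds
    (the automatic modes flip between 1 and 2); rate 0 means disabled.
    """
    if mode == 0:                       # always disabled
        return 0, 0
    if mode in (1, 2):                  # automatic modes
        if availmem < amemthresh:
            # rate = amemthresh / (amemthresh - available_memory)
            # (integer division is this model's assumption)
            return 2, amemthresh // (amemthresh - availmem)
        return 1, 0
    if mode == 3:                       # always enabled, rate from am_droprate
        return 3, am_droprate
    raise ValueError("valid values are 0 to 3")


class DropPacket:
    """Drop 1 in `rate` packets before forwarding; rate 1 drops everything."""

    def __init__(self, rate):
        self.rate = rate
        self.counter = rate

    def forward(self):
        """Return True if the packet is forwarded, False if it is dropped."""
        if self.rate == 0:              # defense disabled
            return True
        self.counter -= 1
        if self.counter <= 0:           # every rate-th packet is dropped
            self.counter = self.rate
            return False
        return True


def simulate(mode, availmem, npackets, amemthresh=1024, am_droprate=10):
    """Return (new_mode, rate, dropped) for npackets under the given memory state."""
    new_mode, rate = update_defense(mode, availmem, amemthresh, am_droprate)
    dp = DropPacket(rate)
    dropped = sum(1 for _ in range(npackets) if not dp.forward())
    return new_mode, rate, dropped


if __name__ == "__main__":
    for free in (2048, 768, 1023, 1):
        print(free, "free pages ->", simulate(1, free, 1000))
```

The practical consequence is that reading the sysctl back tells you whether the defense is currently active (2) or armed but idle (1), and that the automatic rate ramps from very gentle to total drop as free memory approaches zero.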
expire_nodest_conn - BOOLEAN
        0 - disabled (default)
        not 0 - enabled

        With the default value of 0, the load balancer silently drops
        packets when their destination server is not available. This may
        be useful when a user-space monitoring program deletes the
        destination server (because of server overload or wrong
        detection) and adds the server back later, so that connections
        to the server can continue.

        If this feature is enabled, the load balancer will expire the
        connection immediately when a packet arrives and its
        destination server is not available; the client program
        will then be notified that the connection is closed. This is
        equivalent to the feature some people require: flushing
        connections when their destination is not available.

expire_quiescent_template - BOOLEAN
        0 - disabled (default)
        not 0 - enabled

        When set to a non-zero value, the load balancer will expire
        persistent templates when the destination server is quiescent.
        This may be useful when a user makes a destination server
        quiescent by setting its weight to 0 and it is desired that
        subsequent otherwise persistent connections are sent to a
        different destination server. By default new persistent
        connections are allowed to quiescent destination servers.

        If this feature is enabled, the load balancer will expire the
        persistence template if it is to be used to schedule a new
        connection and the destination server is quiescent.

ignore_tunneled - BOOLEAN
        0 - disabled (default)
        not 0 - enabled

        If set, ipvs will set the ipvs_property on all packets which are of
        unrecognized protocols. This prevents us from routing tunneled
        protocols like ipip, which is useful to prevent rescheduling
        packets that have been tunneled to the ipvs host (i.e. to prevent
        ipvs routing loops when ipvs is also acting as a real server).

nat_icmp_send - BOOLEAN
        0 - disabled (default)
        not 0 - enabled

        It controls sending icmp error messages (ICMP_DEST_UNREACH)
        for VS/NAT when the load balancer receives packets from real
        servers but the connection entries don't exist.

pmtu_disc - BOOLEAN
        0 - disabled
        not 0 - enabled (default)

        By default, reject with FRAG_NEEDED all DF packets that exceed
        the PMTU, irrespective of the forwarding method. For the TUN method
        the flag can be disabled to fragment such packets.

secure_tcp - INTEGER
        0  - disabled (default)

        The secure_tcp defense is to use a more complicated TCP state
        transition table. For VS/NAT, it also delays entering the
        TCP ESTABLISHED state until the three way handshake is completed.

        The value definition is the same as that of drop_entry and
        drop_packet.

sync_threshold - vector of 2 INTEGERs: sync_threshold, sync_period
        default 3 50

        It sets the synchronization threshold, which is the minimum number
        of incoming packets that a connection needs to receive before
        the connection will be synchronized. A connection will be
        synchronized every time the number of its incoming packets
        modulo sync_period equals the threshold. The range of the
        threshold is from 0 to sync_period.

        When sync_period and sync_refresh_period are 0, send sync only
        for state changes or only once, when pkts matches sync_threshold.

sync_refresh_period - UNSIGNED INTEGER
        default 0

        In seconds, difference in reported connection timer that triggers
        a new sync message. It can be used to avoid sync messages for the
        specified period (or half of the connection timeout if it is lower)
        if the connection state has not changed since the last sync.

        This is useful for normal connections with high traffic to reduce
        the sync rate. Additionally, retry sync_retries times with a period
        of sync_refresh_period/8.

sync_retries - INTEGER
        default 0

        Defines sync retries with a period of sync_refresh_period/8. Useful
        to protect against loss of sync messages. The range of
        sync_retries is from 0 to 3.

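The sync_threshold/sync_period modulus rule and the sync_refresh_period suppression described above decide how much state-sync traffic a busy director emits, so it helps to see which packets of a connection actually trigger a sync message. The model below is an added example and not the kernel's sync code: it implements only what the text above states (the modulus rule, the sync_period = 0 / sync_refresh_period = 0 special case, and suppression while the reported timer differs by less than min(sync_refresh_period, half the connection timeout) and the state is unchanged); the sync_retries backoff is left out, the parameter names are this model's own, and the behaviour for sync_period = 0 with sync_refresh_period > 0 is an assumption.

```python
# Model of when a connection's state is synchronized to the backup
# (sync_threshold, sync_period, sync_refresh_period). Added example,
# not kernel code; simplified as described in the lead-in.

def sync_needed(pkts, state_changed=False, timer_delta=0, conn_timeout=900,
                sync_threshold=3, sync_period=50, sync_refresh_period=0):
    """Return True if a sync message should be sent after this packet.

    pkts:         incoming packets seen on the connection, this one included
    timer_delta:  seconds by which the connection's reported timer differs
                  from the value carried in the last sync message
    conn_timeout: the connection's current timeout in seconds
    """
    if sync_refresh_period > 0 and not state_changed:
        # Avoid refresh traffic for sync_refresh_period seconds, or half
        # of the connection timeout if that is lower, while nothing changed.
        if abs(timer_delta) < min(sync_refresh_period, conn_timeout // 2):
            return False
    if sync_period > 0:
        # sync every time pkts modulo sync_period equals the threshold
        return pkts % sync_period == sync_threshold
    if sync_refresh_period == 0:
        # both 0: only state changes, or once when pkts matches the threshold
        return state_changed or pkts == sync_threshold
    # Assumption: sync_period 0 with a refresh period syncs whenever not
    # suppressed above.
    return True


def sync_points(npackets, **kw):
    """Packet counts in 1..npackets at which an otherwise quiet connection
    (no state change, no timer drift) is synchronized."""
    return [n for n in range(1, npackets + 1) if sync_needed(n, **kw)]


if __name__ == "__main__":
    print("default 3 50:", sync_points(110))                     # [3, 53, 103]
    print("period 0, refresh 0:", sync_points(10, sync_period=0))  # [3]
```

Two consequences of the rule as written: the default "3 50" syncs a long-lived connection on its 3rd, 53rd, 103rd ... packet, and a threshold equal to sync_period can never match the modulus, so such a setting silently disables the periodic sync.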
sync_qlen_max - UNSIGNED LONG

        Hard limit for queued sync messages that are not sent yet. It
        defaults to 1/32 of the memory pages but actually represents the
        number of messages. It will protect us from allocating large
        parts of memory when the sending rate is lower than the queuing
        rate.

sync_sock_size - INTEGER
        default 0

        Configuration of SNDBUF (master) or RCVBUF (slave) socket limit.
        Default value is 0 (preserve system defaults).

sync_ports - INTEGER
        default 1

        The number of threads that master and backup servers can use for
        sync traffic. Every thread will use a single UDP port; thread 0 will
        use the default port 8848 while the last thread will use port
        8848+sync_ports-1.

snat_reroute - BOOLEAN
        0 - disabled
        not 0 - enabled (default)

        If enabled, recalculate the route of SNATed packets from
        realservers so that they are routed as if they originate from the
        director. Otherwise they are routed as if they are forwarded by the
        director.

        If policy routing is in effect then it is possible that the route
        of a packet originating from a director is routed differently to a
        packet being forwarded by the director.

        If policy routing is not in effect then the recalculated route will
        always be the same as the original route so it is an optimisation
        to disable snat_reroute and avoid the recalculation.

sync_persist_mode - INTEGER
        default 0

        Controls the synchronisation of connections when using persistence

        0: All types of connections are synchronised
        1: Attempt to reduce the synchronisation traffic depending on
        the connection type. For persistent services avoid synchronisation
        for normal connections, do it only for persistence templates.
        In that case, for TCP and SCTP it may need enabling sloppy_tcp and
        sloppy_sctp flags on backup servers. For non-persistent services
        such optimization is not applied, mode 0 is assumed.

sync_version - INTEGER
        default 1

        The version of the synchronisation protocol used when sending
        synchronisation messages.

        0 selects the original synchronisation protocol (version 0). This
        should be used when sending synchronisation messages to a legacy
        system that only understands the original synchronisation protocol.

        1 selects the current synchronisation protocol (version 1). This
        should be used where possible.

        Kernels with this sync_version entry are able to receive messages
        of both version 1 and version 2 of the synchronisation protocol.