1/proc/sys/net/ipv4/vs/* Variables: 2 3am_droprate - INTEGER 4 default 10 5 6 It sets the always mode drop rate, which is used in the mode 3 7 of the drop_rate defense. 8 9amemthresh - INTEGER 10 default 1024 11 12 It sets the available memory threshold (in pages), which is 13 used in the automatic modes of defense. When there is no 14 enough available memory, the respective strategy will be 15 enabled and the variable is automatically set to 2, otherwise 16 the strategy is disabled and the variable is set to 1. 17 18cache_bypass - BOOLEAN 19 0 - disabled (default) 20 not 0 - enabled 21 22 If it is enabled, forward packets to the original destination 23 directly when no cache server is available and destination 24 address is not local (iph->daddr is RTN_UNICAST). It is mostly 25 used in transparent web cache cluster. 26 27debug_level - INTEGER 28 0 - transmission error messages (default) 29 1 - non-fatal error messages 30 2 - configuration 31 3 - destination trash 32 4 - drop entry 33 5 - service lookup 34 6 - scheduling 35 7 - connection new/expire, lookup and synchronization 36 8 - state transition 37 9 - binding destination, template checks and applications 38 10 - IPVS packet transmission 39 11 - IPVS packet handling (ip_vs_in/ip_vs_out) 40 12 or more - packet traversal 41 42 Only available when IPVS is compiled with the CONFIG_IPVS_DEBUG 43 44 Higher debugging levels include the messages for lower debugging 45 levels, so setting debug level 2, includes level 0, 1 and 2 46 messages. Thus, logging becomes more and more verbose the higher 47 the level. 48 49drop_entry - INTEGER 50 0 - disabled (default) 51 52 The drop_entry defense is to randomly drop entries in the 53 connection hash table, just in order to collect back some 54 memory for new connections. In the current code, the 55 drop_entry procedure can be activated every second, then it 56 randomly scans 1/32 of the whole and drops entries that are in 57 the SYN-RECV/SYNACK state, which should be effective against 58 syn-flooding attack. 59 60 The valid values of drop_entry are from 0 to 3, where 0 means 61 that this strategy is always disabled, 1 and 2 mean automatic 62 modes (when there is no enough available memory, the strategy 63 is enabled and the variable is automatically set to 2, 64 otherwise the strategy is disabled and the variable is set to 65 1), and 3 means that that the strategy is always enabled. 66 67drop_packet - INTEGER 68 0 - disabled (default) 69 70 The drop_packet defense is designed to drop 1/rate packets 71 before forwarding them to real servers. If the rate is 1, then 72 drop all the incoming packets. 73 74 The value definition is the same as that of the drop_entry. In 75 the automatic mode, the rate is determined by the follow 76 formula: rate = amemthresh / (amemthresh - available_memory) 77 when available memory is less than the available memory 78 threshold. When the mode 3 is set, the always mode drop rate 79 is controlled by the /proc/sys/net/ipv4/vs/am_droprate. 80 81expire_nodest_conn - BOOLEAN 82 0 - disabled (default) 83 not 0 - enabled 84 85 The default value is 0, the load balancer will silently drop 86 packets when its destination server is not available. It may 87 be useful, when user-space monitoring program deletes the 88 destination server (because of server overload or wrong 89 detection) and add back the server later, and the connections 90 to the server can continue. 91 92 If this feature is enabled, the load balancer will expire the 93 connection immediately when a packet arrives and its 94 destination server is not available, then the client program 95 will be notified that the connection is closed. This is 96 equivalent to the feature some people requires to flush 97 connections when its destination is not available. 98 99expire_quiescent_template - BOOLEAN 100 0 - disabled (default) 101 not 0 - enabled 102 103 When set to a non-zero value, the load balancer will expire 104 persistent templates when the destination server is quiescent. 105 This may be useful, when a user makes a destination server 106 quiescent by setting its weight to 0 and it is desired that 107 subsequent otherwise persistent connections are sent to a 108 different destination server. By default new persistent 109 connections are allowed to quiescent destination servers. 110 111 If this feature is enabled, the load balancer will expire the 112 persistence template if it is to be used to schedule a new 113 connection and the destination server is quiescent. 114 115nat_icmp_send - BOOLEAN 116 0 - disabled (default) 117 not 0 - enabled 118 119 It controls sending icmp error messages (ICMP_DEST_UNREACH) 120 for VS/NAT when the load balancer receives packets from real 121 servers but the connection entries don't exist. 122 123secure_tcp - INTEGER 124 0 - disabled (default) 125 126 The secure_tcp defense is to use a more complicated state 127 transition table and some possible short timeouts of each 128 state. In the VS/NAT, it delays the entering the ESTABLISHED 129 until the real server starts to send data and ACK packet 130 (after 3-way handshake). 131 132 The value definition is the same as that of drop_entry or 133 drop_packet. 134 135sync_threshold - INTEGER 136 default 3 137 138 It sets synchronization threshold, which is the minimum number 139 of incoming packets that a connection needs to receive before 140 the connection will be synchronized. A connection will be 141 synchronized, every time the number of its incoming packets 142 modulus 50 equals the threshold. The range of the threshold is 143 from 0 to 49. 144