/proc/sys/net/ipv4/vs/* Variables:

am_droprate - INTEGER
	default 10

	It sets the always mode drop rate, which is used in the mode 3
	of the drop_rate defense.

amemthresh - INTEGER
	default 1024

	It sets the available memory threshold (in pages), which is
	used in the automatic modes of defense. When there is not
	enough available memory, the respective strategy will be
	enabled and the variable is automatically set to 2, otherwise
	the strategy is disabled and the variable is set to 1.

backup_only - BOOLEAN
	0 - disabled (default)
	not 0 - enabled

	If set, disable the director function while the server is
	in backup mode to avoid packet loops for DR/TUN methods.

conn_reuse_mode - INTEGER
	1 - default

	Controls how ipvs will deal with connections on which port
	reuse is detected. It is a bitmap, with the values being:

	0: disable any special handling on port reuse. The new
	connection will be delivered to the same real server that was
	servicing the previous connection.

	bit 1: enable rescheduling of new connections when it is safe.
	That is, whenever expire_nodest_conn and for TCP sockets, when
	the connection is in TIME_WAIT state (which is only possible if
	you use NAT mode).

	bit 2: it is bit 1 plus, for TCP connections, when connections
	are in FIN_WAIT state, as this is the last state seen by the load
	balancer in Direct Routing mode. This bit helps on adding new
	real servers to a very busy cluster.

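To make the three conn_reuse_mode settings concrete, here is an added shell example (not from the kernel documentation or the IPVS source): a function that applies the rules above to a new connection that reuses a client port while an entry for that port still exists, and says whether IPVS would reschedule it. The argument names, the "reschedule"/"reuse" result words and the reduction to four inputs are this example's own simplification; the kernel evaluates more conditions than this model does.

```shell
#!/bin/sh
# Added example, not from the kernel documentation or the IPVS source:
# a simplified model of the conn_reuse_mode bitmap for a port-reusing
# new connection. Nothing under /proc is read or written.

# ipvs_reuse_decision MODE EXPIRE_NODEST DEST_AVAILABLE STATE
#   MODE            conn_reuse_mode value (0, 1, 2 or 3)
#   EXPIRE_NODEST   expire_nodest_conn value (0 or not 0)
#   DEST_AVAILABLE  1 if the real server of the old entry is still usable
#   STATE           TCP state of the existing entry, e.g. TIME_WAIT,
#                   FIN_WAIT, ESTABLISHED
# Prints "reschedule" or "reuse" and always returns 0.
ipvs_reuse_decision() {
    mode=$1; expire_nodest=$2; dest_available=$3; state=$4
    decision=reuse

    # Mode 0: no special handling, the new connection stays on the
    # real server that served the previous one.
    if [ "$mode" -eq 0 ]; then
        echo "$decision"; return 0
    fi

    # Bit 1 (value 1) behaviour, which bit 2 includes as well:
    # reschedule when expire_nodest_conn is set and the old destination
    # is no longer available, or when the old TCP entry is in TIME_WAIT
    # (a state the director only sees in NAT mode).
    if [ $(( mode & 3 )) -ne 0 ]; then
        if [ "$expire_nodest" -ne 0 ] && [ "$dest_available" -eq 0 ]; then
            decision=reschedule
        elif [ "$state" = TIME_WAIT ]; then
            decision=reschedule
        fi
    fi

    # Bit 2 (value 2) adds FIN_WAIT, the last state a Direct Routing
    # director observes, so newly added real servers can pick up
    # traffic on a busy cluster.
    if [ $(( mode & 2 )) -ne 0 ] && [ "$state" = FIN_WAIT ]; then
        decision=reschedule
    fi

    echo "$decision"
}

# Constructed demonstration: each mode for a port reused while the old
# entry sits in FIN_WAIT, with the destination still available.
for m in 0 1 2; do
    printf 'conn_reuse_mode=%s FIN_WAIT -> %s\n' "$m" \
        "$(ipvs_reuse_decision "$m" 0 1 FIN_WAIT)"
done
```

In the model, bit 2 implies the bit 1 behaviour, as the text says, so `conn_reuse_mode=2` reschedules on TIME_WAIT as well as on FIN_WAIT, while the default of 1 only reschedules on TIME_WAIT or when expire_nodest_conn has removed the old destination.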
conntrack - BOOLEAN
	0 - disabled (default)
	not 0 - enabled

	If set, maintain connection tracking entries for
	connections handled by IPVS.

	This should be enabled if connections handled by IPVS are to be
	also handled by stateful firewall rules. That is, iptables rules
	that make use of connection tracking. It is a performance
	optimisation to disable this setting otherwise.

	Connections handled by the IPVS FTP application module
	will have connection tracking entries regardless of this setting.

	Only available when IPVS is compiled with CONFIG_IP_VS_NFCT enabled.

cache_bypass - BOOLEAN
	0 - disabled (default)
	not 0 - enabled

	If it is enabled, forward packets to the original destination
	directly when no cache server is available and the destination
	address is not local (iph->daddr is RTN_UNICAST). It is mostly
	used in transparent web cache clusters.

debug_level - INTEGER
	0          - transmission error messages (default)
	1          - non-fatal error messages
	2          - configuration
	3          - destination trash
	4          - drop entry
	5          - service lookup
	6          - scheduling
	7          - connection new/expire, lookup and synchronization
	8          - state transition
	9          - binding destination, template checks and applications
	10         - IPVS packet transmission
	11         - IPVS packet handling (ip_vs_in/ip_vs_out)
	12 or more - packet traversal

	Only available when IPVS is compiled with CONFIG_IP_VS_DEBUG enabled.

	Higher debugging levels include the messages for lower debugging
	levels, so setting debug level 2 includes level 0, 1 and 2
	messages. Thus, logging becomes more and more verbose the higher
	the level.

drop_entry - INTEGER
	0  - disabled (default)

	The drop_entry defense randomly drops entries in the
	connection hash table in order to reclaim some
	memory for new connections. In the current code, the
	drop_entry procedure can be activated every second; it then
	randomly scans 1/32 of the whole table and drops entries that are in
	the SYN-RECV/SYNACK state, which should be effective against
	SYN-flooding attacks.

	The valid values of drop_entry are from 0 to 3, where 0 means
	that this strategy is always disabled, 1 and 2 mean automatic
	modes (when there is not enough available memory, the strategy
	is enabled and the variable is automatically set to 2,
	otherwise the strategy is disabled and the variable is set to
	1), and 3 means that the strategy is always enabled.

drop_packet - INTEGER
	0  - disabled (default)

	The drop_packet defense is designed to drop 1/rate of the packets
	before forwarding them to real servers. If the rate is 1, then
	all incoming packets are dropped.

	The value definition is the same as that of drop_entry. In
	the automatic mode, the rate is determined by the following
	formula: rate = amemthresh / (amemthresh - available_memory)
	when available memory is less than the available memory
	threshold. When mode 3 is set, the always mode drop rate
	is controlled by /proc/sys/net/ipv4/vs/am_droprate.

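The drop_entry and drop_packet entries above (and secure_tcp below) share the 0..3 mode definition, the automatic switching between 1 and 2 driven by amemthresh, and, for drop_packet, the rate formula. The following added shell example, which is not part of the kernel documentation or the IPVS code, models that logic with plain arguments so it can be run without an IPVS host. The function names and the "drop every rate-th packet" simulation are the example's own simplification; the kernel's real drop counter is not reproduced here, and inputs are assumed to be non-negative page counts.

```shell
#!/bin/sh
# Added example, not from the kernel documentation or the IPVS source:
# a shell model of the drop_entry/drop_packet/secure_tcp mode semantics
# and of the drop_packet rate formula. Nothing under /proc is touched.

# ipvs_defense_state MODE AVAIL_PAGES AMEMTHRESH
# Prints "<active> <new_mode>": <active> is 1 if the strategy is in
# effect, <new_mode> is the value the sysctl holds afterwards (the
# automatic modes 1 and 2 flip between each other; 0 and 3 are fixed).
ipvs_defense_state() {
    mode=$1; avail=$2; thresh=$3
    case $mode in
        0) echo "0 0" ;;
        3) echo "1 3" ;;
        1|2)
            # Automatic mode: enabled (and recorded as 2) only while
            # available memory is below amemthresh, else disabled (1).
            if [ "$avail" -lt "$thresh" ]; then echo "1 2"; else echo "0 1"; fi ;;
        *) echo "invalid mode: $mode (valid range is 0..3)" >&2; return 1 ;;
    esac
}

# ipvs_drop_rate MODE AVAIL_PAGES AMEMTHRESH AM_DROPRATE
# Prints the drop_packet rate: drop 1 in <rate> packets, 0 = drop none.
ipvs_drop_rate() {
    mode=$1; avail=$2; thresh=$3; am_droprate=$4
    case $mode in
        0) echo 0 ;;
        3) echo "$am_droprate" ;;          # always mode: rate from am_droprate
        1|2)
            if [ "$avail" -lt "$thresh" ]; then
                # rate = amemthresh / (amemthresh - available_memory)
                # (integer division; avail 0 gives rate 1 = drop all)
                echo $(( thresh / (thresh - avail) ))
            else
                echo 0
            fi ;;
        *) echo "invalid mode: $mode (valid range is 0..3)" >&2; return 1 ;;
    esac
}

# ipvs_simulate_drops RATE NPACKETS
# Counts how many of NPACKETS would be dropped if every rate-th packet
# is dropped (the example's approximation of "drop 1/rate packets").
ipvs_simulate_drops() {
    rate=$1; n=$2; dropped=0; i=1
    if [ "$rate" -eq 0 ]; then echo 0; return 0; fi
    while [ "$i" -le "$n" ]; do
        if [ $(( i % rate )) -eq 0 ]; then dropped=$(( dropped + 1 )); fi
        i=$(( i + 1 ))
    done
    echo "$dropped"
}

# Constructed demonstration: how the automatic rate tightens as free
# memory falls below the default amemthresh of 1024 pages.
for avail in 2048 1000 512 0; do
    printf 'avail=%4s pages: state=(%s) rate=%s dropped/1000=%s\n' "$avail" \
        "$(ipvs_defense_state 1 "$avail" 1024)" \
        "$(ipvs_drop_rate 1 "$avail" 1024 10)" \
        "$(ipvs_simulate_drops "$(ipvs_drop_rate 1 "$avail" 1024 10)" 1000)"
done
```

The point worth noticing is how steep the formula is: with 1000 of 1024 pages available only one packet in 42 is dropped, at 512 pages it is one in two, and at 0 pages everything is dropped, so a host that sits just under amemthresh under load will already be shedding traffic.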
expire_nodest_conn - BOOLEAN
	0 - disabled (default)
	not 0 - enabled

	With the default value of 0, the load balancer will silently drop
	packets when their destination server is not available. It may
	be useful when a user-space monitoring program deletes the
	destination server (because of server overload or wrong
	detection) and adds the server back later, so that the connections
	to the server can continue.

	If this feature is enabled, the load balancer will expire the
	connection immediately when a packet arrives and its
	destination server is not available; the client program
	will then be notified that the connection is closed. This is
	equivalent to the feature some people require, to flush
	connections when their destination is not available.

expire_quiescent_template - BOOLEAN
	0 - disabled (default)
	not 0 - enabled

	When set to a non-zero value, the load balancer will expire
	persistent templates when the destination server is quiescent.
	This may be useful when a user makes a destination server
	quiescent by setting its weight to 0 and it is desired that
	subsequent otherwise persistent connections are sent to a
	different destination server. By default new persistent
	connections are allowed to quiescent destination servers.

	If this feature is enabled, the load balancer will expire the
	persistence template if it is to be used to schedule a new
	connection and the destination server is quiescent.

ignore_tunneled - BOOLEAN
	0 - disabled (default)
	not 0 - enabled

	If set, ipvs will set the ipvs_property on all packets which are of
	unrecognized protocols. This prevents us from routing tunneled
	protocols like ipip, which is useful to prevent rescheduling
	packets that have been tunneled to the ipvs host (i.e. to prevent
	ipvs routing loops when ipvs is also acting as a real server).

nat_icmp_send - BOOLEAN
	0 - disabled (default)
	not 0 - enabled

	It controls sending icmp error messages (ICMP_DEST_UNREACH)
	for VS/NAT when the load balancer receives packets from real
	servers but the connection entries don't exist.

pmtu_disc - BOOLEAN
	0 - disabled
	not 0 - enabled (default)

	By default, reject with FRAG_NEEDED all DF packets that exceed
	the PMTU, irrespective of the forwarding method. For the TUN method
	the flag can be disabled to fragment such packets.

secure_tcp - INTEGER
	0  - disabled (default)

	The secure_tcp defense is to use a more complicated TCP state
	transition table. For VS/NAT, it also delays entering the
	TCP ESTABLISHED state until the three way handshake is completed.

	The value definition is the same as that of drop_entry and
	drop_packet.

sync_threshold - vector of 2 INTEGERs: sync_threshold, sync_period
	default 3 50

	It sets the synchronization threshold, which is the minimum number
	of incoming packets that a connection needs to receive before
	the connection will be synchronized. A connection will be
	synchronized every time the number of its incoming packets
	modulo sync_period equals the threshold. The range of the
	threshold is from 0 to sync_period.

	When sync_period and sync_refresh_period are 0, send sync only
	for state changes or only once when pkts matches sync_threshold.

sync_refresh_period - UNSIGNED INTEGER
	default 0

	In seconds, the difference in reported connection timer that triggers
	a new sync message. It can be used to avoid sync messages for the
	specified period (or half of the connection timeout if it is lower)
	if the connection state has not changed since the last sync.

	This is useful for normal connections with high traffic to reduce
	the sync rate. Additionally, retry sync_retries times with a period of
	sync_refresh_period/8.

sync_retries - INTEGER
	default 0

	Defines sync retries with a period of sync_refresh_period/8. Useful
	to protect against loss of sync messages. The range of
	sync_retries is from 0 to 3.

sync_qlen_max - UNSIGNED LONG

	Hard limit for queued sync messages that are not sent yet. It
	defaults to 1/32 of the memory pages but actually represents the
	number of messages. It will protect us from allocating large
	parts of memory when the sending rate is lower than the queuing
	rate.

sync_sock_size - INTEGER
	default 0

	Configuration of SNDBUF (master) or RCVBUF (slave) socket limit.
	Default value is 0 (preserve system defaults).

sync_ports - INTEGER
	default 1

	The number of threads that master and backup servers can use for
	sync traffic. Every thread will use a single UDP port; thread 0 will
	use the default port 8848 while the last thread will use port
	8848+sync_ports-1.

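The sync_threshold, sync_refresh_period, sync_retries and sync_ports entries above each describe a small rule. The following added shell example, not part of the kernel documentation or the IPVS source, turns those rules into functions: which packet counts trigger a sync under "pkts mod sync_period == sync_threshold", the retry period of sync_refresh_period/8, the UDP port range a backup's firewall must admit for a given sync_ports, and a range check for the values before they are written. The function names are the example's own; treating sync_period 0 as "sync once, when pkts equals the threshold" and exempting it from the threshold range check is this example's reading of the text.

```shell
#!/bin/sh
# Added example, not from the kernel documentation or the IPVS source:
# helpers that model the connection synchronization tunables.
# Nothing is written to /proc; all values are passed as arguments.

# ipvs_sync_due PKTS THRESHOLD PERIOD
# Prints 1 if the PKTS-th incoming packet of a connection triggers a
# sync message, else 0. With sync_period 0 the sync is sent once, when
# pkts equals sync_threshold (state-change syncs are not modelled).
ipvs_sync_due() {
    pkts=$1; threshold=$2; period=$3
    if [ "$period" -eq 0 ]; then
        if [ "$pkts" -eq "$threshold" ]; then echo 1; else echo 0; fi
    elif [ $(( pkts % period )) -eq "$threshold" ]; then
        echo 1
    else
        echo 0
    fi
}

# ipvs_sync_packets THRESHOLD PERIOD MAXPKTS
# Lists the packet counts up to MAXPKTS at which a connection is
# synchronized, e.g. "3 53 103" for the default "3 50".
ipvs_sync_packets() {
    threshold=$1; period=$2; max=$3; out=""; i=1
    while [ "$i" -le "$max" ]; do
        if [ "$(ipvs_sync_due "$i" "$threshold" "$period")" -eq 1 ]; then
            out="$out $i"
        fi
        i=$(( i + 1 ))
    done
    echo "${out# }"
}

# ipvs_sync_retry_period SYNC_REFRESH_PERIOD
# Seconds between retries of a sync message: sync_refresh_period/8
# (integer division, as shell arithmetic does).
ipvs_sync_retry_period() {
    echo $(( $1 / 8 ))
}

# ipvs_sync_ports N
# UDP ports used by N sync threads: thread 0 on 8848, the last on
# 8848+N-1. Handy when writing the firewall rules between master and
# backup so that extra threads are not silently blocked.
ipvs_sync_ports() {
    n=$1; i=0; out=""
    while [ "$i" -lt "$n" ]; do
        out="$out $(( 8848 + i ))"
        i=$(( i + 1 ))
    done
    echo "${out# }"
}

# ipvs_sync_check THRESHOLD PERIOD RETRIES
# Validates the documented ranges before the values go to sysctl:
# 0 <= sync_threshold <= sync_period (skipped for sync_period 0, the
# special case above) and 0 <= sync_retries <= 3. Prints "ok" and
# returns 0, or prints the problem and returns 1.
ipvs_sync_check() {
    threshold=$1; period=$2; retries=$3
    if [ "$threshold" -lt 0 ] || [ "$period" -lt 0 ]; then
        echo "sync_threshold and sync_period must not be negative"; return 1
    fi
    if [ "$period" -ne 0 ] && [ "$threshold" -gt "$period" ]; then
        echo "sync_threshold $threshold exceeds sync_period $period"; return 1
    fi
    if [ "$retries" -lt 0 ] || [ "$retries" -gt 3 ]; then
        echo "sync_retries $retries is outside 0..3"; return 1
    fi
    echo ok
}

# Constructed demonstration with the documented defaults.
printf 'sync points for "3 50": %s\n' "$(ipvs_sync_packets 3 50 120)"
printf 'ports for sync_ports=4: %s\n' "$(ipvs_sync_ports 4)"
printf 'retry period for sync_refresh_period=40: %ss\n' "$(ipvs_sync_retry_period 40)"
```

With the default "3 50", a long-lived connection is synchronized on its 3rd, 53rd, 103rd... packet, which is why sync_refresh_period exists: for high-traffic connections whose state does not change, it suppresses most of those messages.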
snat_reroute - BOOLEAN
	0 - disabled
	not 0 - enabled (default)

	If enabled, recalculate the route of SNATed packets from
	realservers so that they are routed as if they originate from the
	director. Otherwise they are routed as if they are forwarded by the
	director.

	If policy routing is in effect then it is possible that a
	packet originating from a director is routed differently to a
	packet being forwarded by the director.

	If policy routing is not in effect then the recalculated route will
	always be the same as the original route, so it is an optimisation
	to disable snat_reroute and avoid the recalculation.

sync_persist_mode - INTEGER
	default 0

	Controls the synchronisation of connections when using persistence.

	0: All types of connections are synchronised.
	1: Attempt to reduce the synchronisation traffic depending on
	the connection type. For persistent services avoid synchronisation
	for normal connections, do it only for persistence templates.
	In that case, for TCP and SCTP it may need enabling the sloppy_tcp and
	sloppy_sctp flags on backup servers. For non-persistent services
	such optimization is not applied, mode 0 is assumed.

sync_version - INTEGER
	default 1

	The version of the synchronisation protocol used when sending
	synchronisation messages.

	0 selects the original synchronisation protocol (version 0). This
	should be used when sending synchronisation messages to a legacy
	system that only understands the original synchronisation protocol.

	1 selects the current synchronisation protocol (version 1). This
	should be used where possible.

	Kernels with this sync_version entry are able to receive messages
	of both version 1 and version 2 of the synchronisation protocol.