[linux-block.git] / Documentation / networking / ipvs-sysctl.rst

.. SPDX-License-Identifier: GPL-2.0

===========
IPvs-sysctl
===========

/proc/sys/net/ipv4/vs/* Variables:
==================================

am_droprate - INTEGER
	default 10

	It sets the always mode drop rate, which is used in the mode 3
	of the drop_rate defense.

amemthresh - INTEGER
	default 1024

	It sets the available memory threshold (in pages), which is
	used in the automatic modes of defense. When there is no
	enough available memory, the respective strategy will be
	enabled and the variable is automatically set to 2, otherwise
	the strategy is disabled and the variable is  set  to 1.

backup_only - BOOLEAN
	- 0 - disabled (default)
	- not 0 - enabled

	If set, disable the director function while the server is
	in backup mode to avoid packet loops for DR/TUN methods.

conn_reuse_mode - INTEGER
	1 - default

	Controls how ipvs will deal with connections that are detected
	port reuse. It is a bitmap, with the values being:

	0: disable any special handling on port reuse. The new
	connection will be delivered to the same real server that was
	servicing the previous connection.

	bit 1: enable rescheduling of new connections when it is safe.
	That is, whenever expire_nodest_conn and for TCP sockets, when
	the connection is in TIME_WAIT state (which is only possible if
	you use NAT mode).

	bit 2: it is bit 1 plus, for TCP connections, when connections
	are in FIN_WAIT state, as this is the last state seen by load
	balancer in Direct Routing mode. This bit helps on adding new
	real servers to a very busy cluster.

conntrack - BOOLEAN
	- 0 - disabled (default)
	- not 0 - enabled

	If set, maintain connection tracking entries for
	connections handled by IPVS.

	This should be enabled if connections handled by IPVS are to be
	also handled by stateful firewall rules. That is, iptables rules
	that make use of connection tracking.  It is a performance
	optimisation to disable this setting otherwise.

	Connections handled by the IPVS FTP application module
	will have connection tracking entries regardless of this setting.

	Only available when IPVS is compiled with CONFIG_IP_VS_NFCT enabled.

cache_bypass - BOOLEAN
	- 0 - disabled (default)
	- not 0 - enabled

	If it is enabled, forward packets to the original destination
	directly when no cache server is available and destination
	address is not local (iph->daddr is RTN_UNICAST). It is mostly
	used in transparent web cache cluster.

debug_level - INTEGER
	- 0          - transmission error messages (default)
	- 1          - non-fatal error messages
	- 2          - configuration
	- 3          - destination trash
	- 4          - drop entry
	- 5          - service lookup
	- 6          - scheduling
	- 7          - connection new/expire, lookup and synchronization
	- 8          - state transition
	- 9          - binding destination, template checks and applications
	- 10         - IPVS packet transmission
	- 11         - IPVS packet handling (ip_vs_in/ip_vs_out)
	- 12 or more - packet traversal

	Only available when IPVS is compiled with CONFIG_IP_VS_DEBUG enabled.

	Higher debugging levels include the messages for lower debugging
	levels, so setting debug level 2, includes level 0, 1 and 2
	messages. Thus, logging becomes more and more verbose the higher
	the level.

drop_entry - INTEGER
	- 0  - disabled (default)

	The drop_entry defense is to randomly drop entries in the
	connection hash table, just in order to collect back some
	memory for new connections. In the current code, the
	drop_entry procedure can be activated every second, then it
	randomly scans 1/32 of the whole and drops entries that are in
	the SYN-RECV/SYNACK state, which should be effective against
	syn-flooding attack.

	The valid values of drop_entry are from 0 to 3, where 0 means
	that this strategy is always disabled, 1 and 2 mean automatic
	modes (when there is no enough available memory, the strategy
	is enabled and the variable is automatically set to 2,
	otherwise the strategy is disabled and the variable is set to
	1), and 3 means that the strategy is always enabled.

drop_packet - INTEGER
	- 0  - disabled (default)

	The drop_packet defense is designed to drop 1/rate packets
	before forwarding them to real servers. If the rate is 1, then
	drop all the incoming packets.

	The value definition is the same as that of the drop_entry. In
	the automatic mode, the rate is determined by the follow
	formula: rate = amemthresh / (amemthresh - available_memory)
	when available memory is less than the available memory
	threshold. When the mode 3 is set, the always mode drop rate
	is controlled by the /proc/sys/net/ipv4/vs/am_droprate.

est_cpulist - CPULIST
	Allowed	CPUs for estimation kthreads

	Syntax: standard cpulist format
	empty list - stop kthread tasks and estimation
	default - the system's housekeeping CPUs for kthreads

	Example:
	"all": all possible CPUs
	"0-N": all possible CPUs, N denotes last CPU number
	"0,1-N:1/2": first and all CPUs with odd number
	"": empty list

est_nice - INTEGER
	default 0
	Valid range: -20 (more favorable) .. 19 (less favorable)

	Niceness value to use for the estimation kthreads (scheduling
	priority)

expire_nodest_conn - BOOLEAN
	- 0 - disabled (default)
	- not 0 - enabled

	The default value is 0, the load balancer will silently drop
	packets when its destination server is not available. It may
	be useful, when user-space monitoring program deletes the
	destination server (because of server overload or wrong
	detection) and add back the server later, and the connections
	to the server can continue.

	If this feature is enabled, the load balancer will expire the
	connection immediately when a packet arrives and its
	destination server is not available, then the client program
	will be notified that the connection is closed. This is
	equivalent to the feature some people requires to flush
	connections when its destination is not available.

expire_quiescent_template - BOOLEAN
	- 0 - disabled (default)
	- not 0 - enabled

	When set to a non-zero value, the load balancer will expire
	persistent templates when the destination server is quiescent.
	This may be useful, when a user makes a destination server
	quiescent by setting its weight to 0 and it is desired that
	subsequent otherwise persistent connections are sent to a
	different destination server.  By default new persistent
	connections are allowed to quiescent destination servers.

	If this feature is enabled, the load balancer will expire the
	persistence template if it is to be used to schedule a new
	connection and the destination server is quiescent.

ignore_tunneled - BOOLEAN
	- 0 - disabled (default)
	- not 0 - enabled

	If set, ipvs will set the ipvs_property on all packets which are of
	unrecognized protocols.  This prevents us from routing tunneled
	protocols like ipip, which is useful to prevent rescheduling
	packets that have been tunneled to the ipvs host (i.e. to prevent
	ipvs routing loops when ipvs is also acting as a real server).

nat_icmp_send - BOOLEAN
	- 0 - disabled (default)
	- not 0 - enabled

	It controls sending icmp error messages (ICMP_DEST_UNREACH)
	for VS/NAT when the load balancer receives packets from real
	servers but the connection entries don't exist.

pmtu_disc - BOOLEAN
	- 0 - disabled
	- not 0 - enabled (default)

	By default, reject with FRAG_NEEDED all DF packets that exceed
	the PMTU, irrespective of the forwarding method. For TUN method
	the flag can be disabled to fragment such packets.

secure_tcp - INTEGER
	- 0  - disabled (default)

	The secure_tcp defense is to use a more complicated TCP state
	transition table. For VS/NAT, it also delays entering the
	TCP ESTABLISHED state until the three way handshake is completed.

	The value definition is the same as that of drop_entry and
	drop_packet.

sync_threshold - vector of 2 INTEGERs: sync_threshold, sync_period
	default 3 50

	It sets synchronization threshold, which is the minimum number
	of incoming packets that a connection needs to receive before
	the connection will be synchronized. A connection will be
	synchronized, every time the number of its incoming packets
	modulus sync_period equals the threshold. The range of the
	threshold is from 0 to sync_period.

	When sync_period and sync_refresh_period are 0, send sync only
	for state changes or only once when pkts matches sync_threshold

sync_refresh_period - UNSIGNED INTEGER
	default 0

	In seconds, difference in reported connection timer that triggers
	new sync message. It can be used to avoid sync messages for the
	specified period (or half of the connection timeout if it is lower)
	if connection state is not changed since last sync.

	This is useful for normal connections with high traffic to reduce
	sync rate. Additionally, retry sync_retries times with period of
	sync_refresh_period/8.

sync_retries - INTEGER
	default 0

	Defines sync retries with period of sync_refresh_period/8. Useful
	to protect against loss of sync messages. The range of the
	sync_retries is from 0 to 3.

sync_qlen_max - UNSIGNED LONG

	Hard limit for queued sync messages that are not sent yet. It
	defaults to 1/32 of the memory pages but actually represents
	number of messages. It will protect us from allocating large
	parts of memory when the sending rate is lower than the queuing
	rate.

sync_sock_size - INTEGER
	default 0

	Configuration of SNDBUF (master) or RCVBUF (slave) socket limit.
	Default value is 0 (preserve system defaults).

sync_ports - INTEGER
	default 1

	The number of threads that master and backup servers can use for
	sync traffic. Every thread will use single UDP port, thread 0 will
	use the default port 8848 while last thread will use port
	8848+sync_ports-1.

snat_reroute - BOOLEAN
	- 0 - disabled
	- not 0 - enabled (default)

	If enabled, recalculate the route of SNATed packets from
	realservers so that they are routed as if they originate from the
	director. Otherwise they are routed as if they are forwarded by the
	director.

	If policy routing is in effect then it is possible that the route
	of a packet originating from a director is routed differently to a
	packet being forwarded by the director.

	If policy routing is not in effect then the recalculated route will
	always be the same as the original route so it is an optimisation
	to disable snat_reroute and avoid the recalculation.

sync_persist_mode - INTEGER
	default 0

	Controls the synchronisation of connections when using persistence

	0: All types of connections are synchronised

	1: Attempt to reduce the synchronisation traffic depending on
	the connection type. For persistent services avoid synchronisation
	for normal connections, do it only for persistence templates.
	In such case, for TCP and SCTP it may need enabling sloppy_tcp and
	sloppy_sctp flags on backup servers. For non-persistent services
	such optimization is not applied, mode 0 is assumed.

sync_version - INTEGER
	default 1

	The version of the synchronisation protocol used when sending
	synchronisation messages.

	0 selects the original synchronisation protocol (version 0). This
	should be used when sending synchronisation messages to a legacy
	system that only understands the original synchronisation protocol.

	1 selects the current synchronisation protocol (version 1). This
	should be used where possible.

	Kernels with this sync_version entry are able to receive messages
	of both version 1 and version 2 of the synchronisation protocol.

run_estimation - BOOLEAN
	0 - disabled
	not 0 - enabled (default)

	If disabled, the estimation will be suspended and kthread tasks
	stopped.

	You can always re-enable estimation by setting this value to 1.
	But be careful, the first estimation after re-enable is not
	accurate.
Commit	Line	Data
82a07bf3 MCC	1	.. SPDX-License-Identifier: GPL-2.0
	2
	3	===========
	4	IPvs-sysctl
	5	===========
	6
6ce1669f	7	/proc/sys/net/ipv4/vs/* Variables:
82a07bf3	8	==================================
6ce1669f H	9
6ce1669f H	10	am_droprate - INTEGER
82a07bf3	11	default 10
6ce1669f	12
82a07bf3 MCC	13	It sets the always mode drop rate, which is used in the mode 3
82a07bf3 MCC	14	of the drop_rate defense.
6ce1669f H	15
6ce1669f H	16	amemthresh - INTEGER
82a07bf3	17	default 1024
6ce1669f	18
82a07bf3 MCC	19	It sets the available memory threshold (in pages), which is
	20	used in the automatic modes of defense. When there is no
	21	enough available memory, the respective strategy will be
	22	enabled and the variable is automatically set to 2, otherwise
	23	the strategy is disabled and the variable is set to 1.
6ce1669f	24
0c12582f	25	backup_only - BOOLEAN
82a07bf3 MCC	26	- 0 - disabled (default)
82a07bf3 MCC	27	- not 0 - enabled
0c12582f JA	28
	29	If set, disable the director function while the server is
	30	in backup mode to avoid packet loops for DR/TUN methods.
	31
d752c364 MRL	32	conn_reuse_mode - INTEGER
	33	1 - default
	34
	35	Controls how ipvs will deal with connections that are detected
	36	port reuse. It is a bitmap, with the values being:
	37
	38	0: disable any special handling on port reuse. The new
	39	connection will be delivered to the same real server that was
c95c0783	40	servicing the previous connection.
d752c364 MRL	41
	42	bit 1: enable rescheduling of new connections when it is safe.
	43	That is, whenever expire_nodest_conn and for TCP sockets, when
	44	the connection is in TIME_WAIT state (which is only possible if
	45	you use NAT mode).
	46
	47	bit 2: it is bit 1 plus, for TCP connections, when connections
	48	are in FIN_WAIT state, as this is the last state seen by load
	49	balancer in Direct Routing mode. This bit helps on adding new
	50	real servers to a very busy cluster.
	51
7e777dd4	52	conntrack - BOOLEAN
82a07bf3 MCC	53	- 0 - disabled (default)
82a07bf3 MCC	54	- not 0 - enabled
7e777dd4 SH	55
	56	If set, maintain connection tracking entries for
	57	connections handled by IPVS.
	58
	59	This should be enabled if connections handled by IPVS are to be
	60	also handled by stateful firewall rules. That is, iptables rules
	61	that make use of connection tracking. It is a performance
	62	optimisation to disable this setting otherwise.
	63
	64	Connections handled by the IPVS FTP application module
	65	will have connection tracking entries regardless of this setting.
	66
40cb1f9b	67	Only available when IPVS is compiled with CONFIG_IP_VS_NFCT enabled.
7e777dd4	68
6ce1669f	69	cache_bypass - BOOLEAN
82a07bf3 MCC	70	- 0 - disabled (default)
82a07bf3 MCC	71	- not 0 - enabled
6ce1669f	72
82a07bf3 MCC	73	If it is enabled, forward packets to the original destination
	74	directly when no cache server is available and destination
	75	address is not local (iph->daddr is RTN_UNICAST). It is mostly
	76	used in transparent web cache cluster.
6ce1669f H	77
6ce1669f H	78	debug_level - INTEGER
82a07bf3 MCC	79	- 0 - transmission error messages (default)
	80	- 1 - non-fatal error messages
	81	- 2 - configuration
	82	- 3 - destination trash
	83	- 4 - drop entry
	84	- 5 - service lookup
	85	- 6 - scheduling
	86	- 7 - connection new/expire, lookup and synchronization
	87	- 8 - state transition
	88	- 9 - binding destination, template checks and applications
	89	- 10 - IPVS packet transmission
	90	- 11 - IPVS packet handling (ip_vs_in/ip_vs_out)
	91	- 12 or more - packet traversal
6ce1669f	92
40cb1f9b	93	Only available when IPVS is compiled with CONFIG_IP_VS_DEBUG enabled.
6ce1669f H	94
	95	Higher debugging levels include the messages for lower debugging
	96	levels, so setting debug level 2, includes level 0, 1 and 2
	97	messages. Thus, logging becomes more and more verbose the higher
	98	the level.
	99
	100	drop_entry - INTEGER
82a07bf3 MCC	101	- 0 - disabled (default)
	102
	103	The drop_entry defense is to randomly drop entries in the
	104	connection hash table, just in order to collect back some
	105	memory for new connections. In the current code, the
	106	drop_entry procedure can be activated every second, then it
	107	randomly scans 1/32 of the whole and drops entries that are in
	108	the SYN-RECV/SYNACK state, which should be effective against
	109	syn-flooding attack.
	110
	111	The valid values of drop_entry are from 0 to 3, where 0 means
	112	that this strategy is always disabled, 1 and 2 mean automatic
	113	modes (when there is no enough available memory, the strategy
	114	is enabled and the variable is automatically set to 2,
	115	otherwise the strategy is disabled and the variable is set to
474112d5	116	1), and 3 means that the strategy is always enabled.
6ce1669f H	117
6ce1669f H	118	drop_packet - INTEGER
82a07bf3	119	- 0 - disabled (default)
6ce1669f	120
82a07bf3 MCC	121	The drop_packet defense is designed to drop 1/rate packets
	122	before forwarding them to real servers. If the rate is 1, then
	123	drop all the incoming packets.
6ce1669f	124
82a07bf3 MCC	125	The value definition is the same as that of the drop_entry. In
	126	the automatic mode, the rate is determined by the follow
	127	formula: rate = amemthresh / (amemthresh - available_memory)
	128	when available memory is less than the available memory
	129	threshold. When the mode 3 is set, the always mode drop rate
	130	is controlled by the /proc/sys/net/ipv4/vs/am_droprate.
6ce1669f	131
f0be83d5 JA	132	est_cpulist - CPULIST
	133	Allowed CPUs for estimation kthreads
	134
	135	Syntax: standard cpulist format
	136	empty list - stop kthread tasks and estimation
	137	default - the system's housekeeping CPUs for kthreads
	138
	139	Example:
	140	"all": all possible CPUs
	141	"0-N": all possible CPUs, N denotes last CPU number
	142	"0,1-N:1/2": first and all CPUs with odd number
	143	"": empty list
	144
	145	est_nice - INTEGER
	146	default 0
	147	Valid range: -20 (more favorable) .. 19 (less favorable)
	148
	149	Niceness value to use for the estimation kthreads (scheduling
	150	priority)
	151
6ce1669f	152	expire_nodest_conn - BOOLEAN
82a07bf3 MCC	153	- 0 - disabled (default)
	154	- not 0 - enabled
	155
	156	The default value is 0, the load balancer will silently drop
	157	packets when its destination server is not available. It may
	158	be useful, when user-space monitoring program deletes the
	159	destination server (because of server overload or wrong
	160	detection) and add back the server later, and the connections
	161	to the server can continue.
	162
	163	If this feature is enabled, the load balancer will expire the
	164	connection immediately when a packet arrives and its
	165	destination server is not available, then the client program
	166	will be notified that the connection is closed. This is
	167	equivalent to the feature some people requires to flush
	168	connections when its destination is not available.
6ce1669f H	169
6ce1669f H	170	expire_quiescent_template - BOOLEAN
82a07bf3 MCC	171	- 0 - disabled (default)
82a07bf3 MCC	172	- not 0 - enabled
6ce1669f H	173
	174	When set to a non-zero value, the load balancer will expire
	175	persistent templates when the destination server is quiescent.
	176	This may be useful, when a user makes a destination server
	177	quiescent by setting its weight to 0 and it is desired that
	178	subsequent otherwise persistent connections are sent to a
	179	different destination server. By default new persistent
	180	connections are allowed to quiescent destination servers.
	181
	182	If this feature is enabled, the load balancer will expire the
	183	persistence template if it is to be used to schedule a new
	184	connection and the destination server is quiescent.
	185
4e478098	186	ignore_tunneled - BOOLEAN
82a07bf3 MCC	187	- 0 - disabled (default)
82a07bf3 MCC	188	- not 0 - enabled
4e478098 AG	189
	190	If set, ipvs will set the ipvs_property on all packets which are of
	191	unrecognized protocols. This prevents us from routing tunneled
	192	protocols like ipip, which is useful to prevent rescheduling
	193	packets that have been tunneled to the ipvs host (i.e. to prevent
	194	ipvs routing loops when ipvs is also acting as a real server).
	195
6ce1669f	196	nat_icmp_send - BOOLEAN
82a07bf3 MCC	197	- 0 - disabled (default)
82a07bf3 MCC	198	- not 0 - enabled
6ce1669f	199
82a07bf3 MCC	200	It controls sending icmp error messages (ICMP_DEST_UNREACH)
	201	for VS/NAT when the load balancer receives packets from real
	202	servers but the connection entries don't exist.
6ce1669f	203
3c679cba	204	pmtu_disc - BOOLEAN
82a07bf3 MCC	205	- 0 - disabled
82a07bf3 MCC	206	- not 0 - enabled (default)
3c679cba HL	207
	208	By default, reject with FRAG_NEEDED all DF packets that exceed
	209	the PMTU, irrespective of the forwarding method. For TUN method
	210	the flag can be disabled to fragment such packets.
	211
6ce1669f	212	secure_tcp - INTEGER
82a07bf3	213	- 0 - disabled (default)
6ce1669f	214
325aadc8 SH	215	The secure_tcp defense is to use a more complicated TCP state
	216	transition table. For VS/NAT, it also delays entering the
	217	TCP ESTABLISHED state until the three way handshake is completed.
6ce1669f	218
82a07bf3 MCC	219	The value definition is the same as that of drop_entry and
82a07bf3 MCC	220	drop_packet.
6ce1669f	221
a2f346d8 HL	222	sync_threshold - vector of 2 INTEGERs: sync_threshold, sync_period
	223	default 3 50
	224
	225	It sets synchronization threshold, which is the minimum number
	226	of incoming packets that a connection needs to receive before
	227	the connection will be synchronized. A connection will be
	228	synchronized, every time the number of its incoming packets
	229	modulus sync_period equals the threshold. The range of the
	230	threshold is from 0 to sync_period.
	231
	232	When sync_period and sync_refresh_period are 0, send sync only
	233	for state changes or only once when pkts matches sync_threshold
	234
	235	sync_refresh_period - UNSIGNED INTEGER
	236	default 0
	237
	238	In seconds, difference in reported connection timer that triggers
	239	new sync message. It can be used to avoid sync messages for the
	240	specified period (or half of the connection timeout if it is lower)
	241	if connection state is not changed since last sync.
	242
	243	This is useful for normal connections with high traffic to reduce
	244	sync rate. Additionally, retry sync_retries times with period of
	245	sync_refresh_period/8.
	246
	247	sync_retries - INTEGER
	248	default 0
	249
	250	Defines sync retries with period of sync_refresh_period/8. Useful
	251	to protect against loss of sync messages. The range of the
	252	sync_retries is from 0 to 3.
7e777dd4	253
237e5722 HL	254	sync_qlen_max - UNSIGNED LONG
	255
	256	Hard limit for queued sync messages that are not sent yet. It
	257	defaults to 1/32 of the memory pages but actually represents
	258	number of messages. It will protect us from allocating large
	259	parts of memory when the sending rate is lower than the queuing
	260	rate.
	261
	262	sync_sock_size - INTEGER
	263	default 0
	264
	265	Configuration of SNDBUF (master) or RCVBUF (slave) socket limit.
	266	Default value is 0 (preserve system defaults).
	267
24b44415 HL	268	sync_ports - INTEGER
	269	default 1
	270
	271	The number of threads that master and backup servers can use for
	272	sync traffic. Every thread will use single UDP port, thread 0 will
	273	use the default port 8848 while last thread will use port
	274	8848+sync_ports-1.
	275
7e777dd4	276	snat_reroute - BOOLEAN
82a07bf3 MCC	277	- 0 - disabled
82a07bf3 MCC	278	- not 0 - enabled (default)
7e777dd4 SH	279
	280	If enabled, recalculate the route of SNATed packets from
	281	realservers so that they are routed as if they originate from the
	282	director. Otherwise they are routed as if they are forwarded by the
	283	director.
	284
	285	If policy routing is in effect then it is possible that the route
	286	of a packet originating from a director is routed differently to a
	287	packet being forwarded by the director.
	288
	289	If policy routing is not in effect then the recalculated route will
	290	always be the same as the original route so it is an optimisation
	291	to disable snat_reroute and avoid the recalculation.
	292
4d0c875d JA	293	sync_persist_mode - INTEGER
	294	default 0
	295
	296	Controls the synchronisation of connections when using persistence
	297
	298	0: All types of connections are synchronised
82a07bf3	299
4d0c875d JA	300	1: Attempt to reduce the synchronisation traffic depending on
	301	the connection type. For persistent services avoid synchronisation
	302	for normal connections, do it only for persistence templates.
	303	In such case, for TCP and SCTP it may need enabling sloppy_tcp and
	304	sloppy_sctp flags on backup servers. For non-persistent services
	305	such optimization is not applied, mode 0 is assumed.
	306
7e777dd4 SH	307	sync_version - INTEGER
	308	default 1
	309
	310	The version of the synchronisation protocol used when sending
	311	synchronisation messages.
	312
	313	0 selects the original synchronisation protocol (version 0). This
	314	should be used when sending synchronisation messages to a legacy
	315	system that only understands the original synchronisation protocol.
	316
	317	1 selects the current synchronisation protocol (version 1). This
	318	should be used where possible.
	319
	320	Kernels with this sync_version entry are able to receive messages
	321	of both version 1 and version 2 of the synchronisation protocol.
2232642e DL	322
	323	run_estimation - BOOLEAN
	324	0 - disabled
	325	not 0 - enabled (default)
	326
144361c1 JA	327	If disabled, the estimation will be suspended and kthread tasks
144361c1 JA	328	stopped.
2232642e DL	329
	330	You can always re-enable estimation by setting this value to 1.
	331	But be careful, the first estimation after re-enable is not
	332	accurate.