.. SPDX-License-Identifier: GPL-2.0

===========
IPvs-sysctl
===========

/proc/sys/net/ipv4/vs/* Variables:
==================================

am_droprate - INTEGER
    default 10

    It sets the always mode drop rate, which is used in mode 3
    of the drop_rate defense.

amemthresh - INTEGER
    default 1024

    It sets the available memory threshold (in pages), which is
    used in the automatic modes of defense. When there is not
    enough available memory, the respective strategy will be
    enabled and the variable is automatically set to 2; otherwise
    the strategy is disabled and the variable is set to 1.

backup_only - BOOLEAN
    - 0 - disabled (default)
    - not 0 - enabled

    If set, disable the director function while the server is
    in backup mode to avoid packet loops for DR/TUN methods.

conn_reuse_mode - INTEGER
    1 - default

    Controls how ipvs will deal with connections on which port
    reuse is detected. It is a bitmap, with the values being:

    0: disable any special handling on port reuse. The new
    connection will be delivered to the same real server that was
    servicing the previous connection.

    bit 1: enable rescheduling of new connections when it is safe.
    That is, whenever expire_nodest_conn applies and, for TCP sockets,
    when the connection is in TIME_WAIT state (which is only possible
    if you use NAT mode).

    bit 2: it is bit 1 plus, for TCP connections, when connections
    are in FIN_WAIT state, as this is the last state seen by the load
    balancer in Direct Routing mode. This bit helps when adding new
    real servers to a very busy cluster.

conntrack - BOOLEAN
    - 0 - disabled (default)
    - not 0 - enabled

    If set, maintain connection tracking entries for
    connections handled by IPVS.

    This should be enabled if connections handled by IPVS are to be
    also handled by stateful firewall rules. That is, iptables rules
    that make use of connection tracking. It is a performance
    optimisation to disable this setting otherwise.

    Connections handled by the IPVS FTP application module
    will have connection tracking entries regardless of this setting.

    Only available when IPVS is compiled with CONFIG_IP_VS_NFCT enabled.

cache_bypass - BOOLEAN
    - 0 - disabled (default)
    - not 0 - enabled

    If it is enabled, forward packets to the original destination
    directly when no cache server is available and the destination
    address is not local (iph->daddr is RTN_UNICAST). It is mostly
    used in transparent web cache clusters.

debug_level - INTEGER
    - 0 - transmission error messages (default)
    - 1 - non-fatal error messages
    - 2 - configuration
    - 3 - destination trash
    - 4 - drop entry
    - 5 - service lookup
    - 6 - scheduling
    - 7 - connection new/expire, lookup and synchronization
    - 8 - state transition
    - 9 - binding destination, template checks and applications
    - 10 - IPVS packet transmission
    - 11 - IPVS packet handling (ip_vs_in/ip_vs_out)
    - 12 or more - packet traversal

    Only available when IPVS is compiled with CONFIG_IP_VS_DEBUG enabled.

    Higher debugging levels include the messages for lower debugging
    levels, so setting debug level 2 includes level 0, 1 and 2
    messages. Thus, logging becomes more and more verbose the higher
    the level.

100 | drop_entry - INTEGER | |
82a07bf3 MCC |
101 | - 0 - disabled (default) |
102 | ||
103 | The drop_entry defense is to randomly drop entries in the | |
104 | connection hash table, just in order to collect back some | |
105 | memory for new connections. In the current code, the | |
106 | drop_entry procedure can be activated every second, then it | |
107 | randomly scans 1/32 of the whole and drops entries that are in | |
108 | the SYN-RECV/SYNACK state, which should be effective against | |
109 | syn-flooding attack. | |
110 | ||
111 | The valid values of drop_entry are from 0 to 3, where 0 means | |
112 | that this strategy is always disabled, 1 and 2 mean automatic | |
113 | modes (when there is no enough available memory, the strategy | |
114 | is enabled and the variable is automatically set to 2, | |
115 | otherwise the strategy is disabled and the variable is set to | |
474112d5 | 116 | 1), and 3 means that the strategy is always enabled. |
6ce1669f H |
117 | |
118 | drop_packet - INTEGER | |
82a07bf3 | 119 | - 0 - disabled (default) |
6ce1669f | 120 | |
82a07bf3 MCC |
121 | The drop_packet defense is designed to drop 1/rate packets |
122 | before forwarding them to real servers. If the rate is 1, then | |
123 | drop all the incoming packets. | |
6ce1669f | 124 | |
82a07bf3 MCC |
125 | The value definition is the same as that of the drop_entry. In |
126 | the automatic mode, the rate is determined by the follow | |
127 | formula: rate = amemthresh / (amemthresh - available_memory) | |
128 | when available memory is less than the available memory | |
129 | threshold. When the mode 3 is set, the always mode drop rate | |
130 | is controlled by the /proc/sys/net/ipv4/vs/am_droprate. | |
6ce1669f | 131 | |
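The following is an added user-space model of the drop_packet defense as the drop_packet, amemthresh and am_droprate entries describe it; it is not the kernel's code. It assumes integer division for the rate formula and a plain packet counter for "drop 1/rate packets", and shows how modes 1 and 2 flip automatically around amemthresh.

```python
# Added example (not kernel code): a model of the documented drop_packet
# defense. Modes 1/2 switch automatically depending on amemthresh; mode 3
# uses am_droprate; rate 0 means "drop nothing", rate 1 drops everything.
from dataclasses import dataclass


@dataclass
class DropPacketDefense:
    mode: int              # sysctl drop_packet: 0..3
    amemthresh: int        # sysctl amemthresh, in pages
    am_droprate: int = 10  # sysctl am_droprate, used only in mode 3
    rate: int = 0          # current drop rate (0 = disabled)
    counter: int = 0       # packets seen since the last drop

    def update(self, available_pages: int) -> int:
        """Recompute the rate from free memory (as a periodic defense
        timer would) and return it. Modes 1 and 2 flip automatically."""
        nomem = available_pages < self.amemthresh
        if self.mode == 0:
            self.rate = 0
        elif self.mode in (1, 2):
            if nomem:
                self.mode = 2
                # rate = amemthresh / (amemthresh - available_memory);
                # integer division is an assumption of this model.
                self.rate = self.amemthresh // (self.amemthresh - available_pages)
            else:
                self.mode = 1
                self.rate = 0
        elif self.mode == 3:
            self.rate = self.am_droprate
        else:
            raise ValueError("drop_packet must be 0..3")
        return self.rate

    def should_drop(self) -> bool:
        """Drop one packet out of every `rate`; rate 1 drops every packet."""
        if self.rate == 0:
            return False
        self.counter += 1
        if self.counter >= self.rate:
            self.counter = 0
            return True
        return False
```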
est_cpulist - CPULIST
    Allowed CPUs for estimation kthreads

    Syntax: standard cpulist format
    empty list - stop kthread tasks and estimation
    default - the system's housekeeping CPUs for kthreads

    Example:
    "all": all possible CPUs
    "0-N": all possible CPUs, N denotes last CPU number
    "0,1-N:1/2": first and all CPUs with odd number
    "": empty list

est_nice - INTEGER
    default 0
    Valid range: -20 (more favorable) .. 19 (less favorable)

    Niceness value to use for the estimation kthreads (scheduling
    priority)

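As an added example (not kernel code), a parser for the cpulist syntax est_cpulist accepts, covering every form in the list above including the "used/stride" group form; `nr_cpus` stands in for the system's possible CPU count and is an assumption of the example.

```python
# Added example (not kernel code): parse the standard Linux cpulist format
# used by est_cpulist. `nr_cpus` is the number of possible CPUs (assumed).
def parse_cpulist(spec: str, nr_cpus: int) -> set:
    """Return the set of CPU numbers selected by `spec`.

    Items are comma-separated: "N", "A-B" or "A-B:USED/STRIDE", the last
    meaning "of every STRIDE CPUs in A..B, take the first USED".
    "all" selects every possible CPU; "" selects none (stops the kthreads).
    """
    spec = spec.strip()
    if spec == "":
        return set()
    if spec == "all":
        return set(range(nr_cpus))
    cpus = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty item in cpulist")
        used, stride = 1, 1
        if ":" in item:
            item, grp = item.split(":", 1)
            used_s, stride_s = grp.split("/", 1)
            used, stride = int(used_s), int(stride_s)
            if used < 1 or stride < 1 or used > stride:
                raise ValueError(f"bad group spec {grp!r}")
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
        else:
            lo = hi = int(item)
        if lo < 0 or hi < lo or hi >= nr_cpus:
            raise ValueError(f"cpu range {item!r} outside 0..{nr_cpus - 1}")
        # Walk the range in groups of `stride`, keeping the first `used`.
        for cpu in range(lo, hi + 1):
            if (cpu - lo) % stride < used:
                cpus.add(cpu)
    return cpus
```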
expire_nodest_conn - BOOLEAN
    - 0 - disabled (default)
    - not 0 - enabled

    With the default value of 0, the load balancer will silently drop
    packets when their destination server is not available. This may
    be useful when a user-space monitoring program deletes the
    destination server (because of server overload or wrong
    detection) and adds the server back later, so that the connections
    to the server can continue.

    If this feature is enabled, the load balancer will expire the
    connection immediately when a packet arrives and its
    destination server is not available; the client program
    will then be notified that the connection is closed. This is
    equivalent to the feature some people require: flushing
    connections when their destination is not available.

expire_quiescent_template - BOOLEAN
    - 0 - disabled (default)
    - not 0 - enabled

    When set to a non-zero value, the load balancer will expire
    persistent templates when the destination server is quiescent.
    This may be useful when a user makes a destination server
    quiescent by setting its weight to 0 and it is desired that
    subsequent otherwise persistent connections are sent to a
    different destination server. By default new persistent
    connections are allowed to quiescent destination servers.

    If this feature is enabled, the load balancer will expire the
    persistence template if it is to be used to schedule a new
    connection and the destination server is quiescent.

ignore_tunneled - BOOLEAN
    - 0 - disabled (default)
    - not 0 - enabled

    If set, ipvs will set the ipvs_property on all packets which are of
    unrecognized protocols. This prevents us from routing tunneled
    protocols like ipip, which is useful to prevent rescheduling
    packets that have been tunneled to the ipvs host (i.e. to prevent
    ipvs routing loops when ipvs is also acting as a real server).

nat_icmp_send - BOOLEAN
    - 0 - disabled (default)
    - not 0 - enabled

    It controls sending icmp error messages (ICMP_DEST_UNREACH)
    for VS/NAT when the load balancer receives packets from real
    servers but the connection entries don't exist.

pmtu_disc - BOOLEAN
    - 0 - disabled
    - not 0 - enabled (default)

    By default, reject with FRAG_NEEDED all DF packets that exceed
    the PMTU, irrespective of the forwarding method. For the TUN method
    the flag can be disabled to fragment such packets.

secure_tcp - INTEGER
    - 0 - disabled (default)

    The secure_tcp defense is to use a more complicated TCP state
    transition table. For VS/NAT, it also delays entering the
    TCP ESTABLISHED state until the three way handshake is completed.

    The value definition is the same as that of drop_entry and
    drop_packet.

sync_threshold - vector of 2 INTEGERs: sync_threshold, sync_period
    default 3 50

    It sets the synchronization threshold, which is the minimum number
    of incoming packets that a connection needs to receive before
    the connection will be synchronized. A connection will be
    synchronized every time the number of its incoming packets
    modulo sync_period equals the threshold. The range of the
    threshold is from 0 to sync_period.

    When sync_period and sync_refresh_period are 0, send sync only
    for state changes or only once when pkts matches sync_threshold.

sync_refresh_period - UNSIGNED INTEGER
    default 0

    In seconds, difference in reported connection timer that triggers
    a new sync message. It can be used to avoid sync messages for the
    specified period (or half of the connection timeout if it is lower)
    if the connection state has not changed since the last sync.

    This is useful for normal connections with high traffic to reduce
    the sync rate. Additionally, retry sync_retries times with a period
    of sync_refresh_period/8.

sync_retries - INTEGER
    default 0

    Defines sync retries with a period of sync_refresh_period/8. Useful
    to protect against loss of sync messages. The range of
    sync_retries is from 0 to 3.

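The following is an added model (not the kernel's own sync code) of the per-packet sync decision that the sync_threshold and sync_refresh_period entries describe: a state change always syncs, the threshold/period rule selects packets, and sync_refresh_period holds back repeats while the state is unchanged. The order in which those rules combine, and the absence of the sync_retries logic, are assumptions of this example; times are in seconds.

```python
# Added example (not kernel code): model of the documented sync decision.
# Assumptions: state changes sync unconditionally; with sync_period 0 and
# sync_refresh_period > 0 the threshold does not gate packets.
def sync_needed(pkts, state_changed, sync_threshold, sync_period,
                sync_refresh_period, conn_timeout, since_last_sync):
    """Return True if a sync message should be sent for this packet.

    pkts            incoming packets of the connection, this one included
    state_changed   True if the protocol state changed since the last sync
    since_last_sync seconds since the last sync message, or None if none
    """
    if sync_threshold < 0 or (sync_period and sync_threshold > sync_period):
        raise ValueError("sync_threshold must be in 0..sync_period")
    if state_changed:
        return True
    if sync_period:
        # Sync every time pkts modulo sync_period equals the threshold.
        hit = pkts % sync_period == sync_threshold
    elif sync_refresh_period == 0:
        # No period, no refresh: sync only once, when pkts hits the threshold.
        hit = pkts == sync_threshold
    else:
        hit = True
    if not hit:
        return False
    if sync_refresh_period and since_last_sync is not None:
        # State unchanged: hold back for sync_refresh_period, or half the
        # connection timeout if that is lower.
        hold = min(sync_refresh_period, conn_timeout / 2)
        if since_last_sync < hold:
            return False
    return True


def sync_points(total_pkts, sync_threshold=3, sync_period=50):
    """Packet numbers at which a quiet connection is synced (defaults 3 50)."""
    return [p for p in range(1, total_pkts + 1)
            if sync_needed(p, False, sync_threshold, sync_period, 0, 900, None)]
```

With the defaults, a connection whose state never changes is synced on its 3rd packet and then every 50 packets.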
sync_qlen_max - UNSIGNED LONG

    Hard limit for queued sync messages that are not sent yet. It
    defaults to 1/32 of the memory pages but actually represents the
    number of messages. It will protect us from allocating large
    parts of memory when the sending rate is lower than the queuing
    rate.

sync_sock_size - INTEGER
    default 0

    Configuration of the SNDBUF (master) or RCVBUF (slave) socket limit.
    The default value is 0 (preserve system defaults).

sync_ports - INTEGER
    default 1

    The number of threads that master and backup servers can use for
    sync traffic. Every thread will use a single UDP port; thread 0 will
    use the default port 8848 while the last thread will use port
    8848+sync_ports-1.

snat_reroute - BOOLEAN
    - 0 - disabled
    - not 0 - enabled (default)

    If enabled, recalculate the route of SNATed packets from
    realservers so that they are routed as if they originate from the
    director. Otherwise they are routed as if they are forwarded by the
    director.

    If policy routing is in effect then it is possible that the route
    of a packet originating from a director is routed differently to a
    packet being forwarded by the director.

    If policy routing is not in effect then the recalculated route will
    always be the same as the original route so it is an optimisation
    to disable snat_reroute and avoid the recalculation.

sync_persist_mode - INTEGER
    default 0

    Controls the synchronisation of connections when using persistence

    0: All types of connections are synchronised

    1: Attempt to reduce the synchronisation traffic depending on
    the connection type. For persistent services avoid synchronisation
    for normal connections, do it only for persistence templates.
    In that case, for TCP and SCTP it may need enabling the sloppy_tcp and
    sloppy_sctp flags on backup servers. For non-persistent services
    such optimization is not applied, mode 0 is assumed.

sync_version - INTEGER
    default 1

    The version of the synchronisation protocol used when sending
    synchronisation messages.

    0 selects the original synchronisation protocol (version 0). This
    should be used when sending synchronisation messages to a legacy
    system that only understands the original synchronisation protocol.

    1 selects the current synchronisation protocol (version 1). This
    should be used where possible.

    Kernels with this sync_version entry are able to receive messages
    of both version 1 and version 2 of the synchronisation protocol.

run_estimation - BOOLEAN
    0 - disabled
    not 0 - enabled (default)

    If disabled, the estimation will be suspended and kthread tasks
    stopped.

    You can always re-enable estimation by setting this value to 1.
    But be careful: the first estimation after re-enabling is not
    accurate.