/proc/sys/net/ipv4/vs/* Variables:

am_droprate - INTEGER
        default 10

        It sets the always mode drop rate, which is used in mode 3
        of the drop_rate defense.

amemthresh - INTEGER
        default 1024

        It sets the available memory threshold (in pages), which is
        used in the automatic modes of defense. When there is not
        enough available memory, the respective strategy will be
        enabled and the variable is automatically set to 2; otherwise
        the strategy is disabled and the variable is set to 1.

backup_only - BOOLEAN
        0 - disabled (default)
        not 0 - enabled

        If set, disable the director function while the server is
        in backup mode to avoid packet loops for DR/TUN methods.

conn_reuse_mode - INTEGER
        1 - default

        Controls how ipvs will deal with connections on which port
        reuse is detected. It is a bitmap, with the values being:

        0: disable any special handling on port reuse. The new
        connection will be delivered to the same real server that was
        servicing the previous connection. This will effectively
        disable expire_nodest_conn.

        bit 1: enable rescheduling of new connections when it is safe.
        That is, whenever expire_nodest_conn is set and, for TCP sockets,
        when the connection is in TIME_WAIT state (which is only possible
        if you use NAT mode).

        bit 2: it is bit 1 plus, for TCP connections, when connections
        are in FIN_WAIT state, as this is the last state seen by the load
        balancer in Direct Routing mode. This bit helps when adding new
        real servers to a very busy cluster.

conntrack - BOOLEAN
        0 - disabled (default)
        not 0 - enabled

        If set, maintain connection tracking entries for
        connections handled by IPVS.

        This should be enabled if connections handled by IPVS are also
        to be handled by stateful firewall rules, that is, iptables rules
        that make use of connection tracking. It is a performance
        optimisation to disable this setting otherwise.

        Connections handled by the IPVS FTP application module
        will have connection tracking entries regardless of this setting.

        Only available when IPVS is compiled with CONFIG_IP_VS_NFCT enabled.

cache_bypass - BOOLEAN
        0 - disabled (default)
        not 0 - enabled

        If it is enabled, forward packets to the original destination
        directly when no cache server is available and the destination
        address is not local (iph->daddr is RTN_UNICAST). It is mostly
        used in transparent web cache clusters.

debug_level - INTEGER
        0 - transmission error messages (default)
        1 - non-fatal error messages
        2 - configuration
        3 - destination trash
        4 - drop entry
        5 - service lookup
        6 - scheduling
        7 - connection new/expire, lookup and synchronization
        8 - state transition
        9 - binding destination, template checks and applications
        10 - IPVS packet transmission
        11 - IPVS packet handling (ip_vs_in/ip_vs_out)
        12 or more - packet traversal

        Only available when IPVS is compiled with CONFIG_IP_VS_DEBUG enabled.

        Higher debugging levels include the messages for lower debugging
        levels, so setting debug level 2 includes level 0, 1 and 2
        messages. Thus, logging becomes more and more verbose the higher
        the level.

drop_entry - INTEGER
        0 - disabled (default)

        The drop_entry defense is to randomly drop entries in the
        connection hash table, just in order to collect back some
        memory for new connections. In the current code, the
        drop_entry procedure can be activated every second; it then
        randomly scans 1/32 of the whole table and drops entries that are
        in the SYN-RECV/SYNACK state, which should be effective against
        SYN-flooding attacks.

        The valid values of drop_entry are from 0 to 3, where 0 means
        that this strategy is always disabled, 1 and 2 mean automatic
        modes (when there is not enough available memory, the strategy
        is enabled and the variable is automatically set to 2;
        otherwise the strategy is disabled and the variable is set to
        1), and 3 means that the strategy is always enabled.

drop_packet - INTEGER
        0 - disabled (default)

        The drop_packet defense is designed to drop 1/rate packets
        before forwarding them to real servers. If the rate is 1, then
        all incoming packets are dropped.

        The value definition is the same as that of drop_entry. In
        the automatic mode, the rate is determined by the following
        formula: rate = amemthresh / (amemthresh - available_memory)
        when available memory is less than the available memory
        threshold. When mode 3 is set, the always mode drop rate
        is controlled by /proc/sys/net/ipv4/vs/am_droprate.

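The mode semantics shared by drop_entry, drop_packet and secure_tcp (0/3 fixed, 1/2 automatic) and the documented drop_packet rate formula, modelled in Python as an added example; this is not kernel code, and truncating the rate to an integer is an assumption of the model.

```python
# Added example, not kernel code: a model of the defense-variable semantics
# documented for drop_entry, drop_packet and secure_tcp.  It follows the
# documented formula and mode rules literally; the in-kernel implementation
# may differ in detail (integer truncation of the rate is assumed here).

AMEMTHRESH_DEFAULT = 1024   # /proc/sys/net/ipv4/vs/amemthresh, in pages
AM_DROPRATE_DEFAULT = 10    # /proc/sys/net/ipv4/vs/am_droprate


def update_defense_mode(mode, available_memory, amemthresh=AMEMTHRESH_DEFAULT):
    """Value a defense variable settles on after one evaluation.

    0 and 3 are fixed (always disabled / always enabled).  1 and 2 are the
    automatic modes: the variable flips to 2 while available memory is
    below amemthresh and back to 1 once enough memory is available again.
    """
    if mode not in (0, 1, 2, 3):
        raise ValueError("defense variables accept only values 0..3")
    if mode in (1, 2):
        return 2 if available_memory < amemthresh else 1
    return mode


def drop_packet_rate(mode, available_memory,
                     amemthresh=AMEMTHRESH_DEFAULT, am_droprate=AM_DROPRATE_DEFAULT):
    """Return rate r meaning 'drop 1 in r packets'; 0 means drop nothing."""
    mode = update_defense_mode(mode, available_memory, amemthresh)
    if mode == 3:
        return am_droprate          # always mode: rate comes from am_droprate
    if mode == 2:
        # documented formula; as free memory approaches zero the rate
        # approaches 1, i.e. every incoming packet is dropped
        return amemthresh // (amemthresh - available_memory)
    return 0                        # disabled, or automatic mode with memory to spare


def should_drop(packet_index, rate):
    """Drop every rate-th packet (1/rate of traffic); rate 1 drops them all."""
    return rate > 0 and packet_index % rate == 0


def dropped_fraction(n_packets, rate):
    """Fraction of n_packets the defense drops at the given rate."""
    return sum(should_drop(i, rate) for i in range(1, n_packets + 1)) / n_packets
```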
expire_nodest_conn - BOOLEAN
        0 - disabled (default)
        not 0 - enabled

        With the default value of 0, the load balancer will silently drop
        packets when their destination server is not available. This may
        be useful when a user-space monitoring program deletes the
        destination server (because of server overload or wrong
        detection) and adds the server back later, so that the connections
        to the server can continue.

        If this feature is enabled, the load balancer will expire the
        connection immediately when a packet arrives and its
        destination server is not available; the client program
        will then be notified that the connection is closed. This is
        equivalent to the feature some people require: flushing
        connections when their destination is not available.

expire_quiescent_template - BOOLEAN
        0 - disabled (default)
        not 0 - enabled

        When set to a non-zero value, the load balancer will expire
        persistent templates when the destination server is quiescent.
        This may be useful when a user makes a destination server
        quiescent by setting its weight to 0 and it is desired that
        subsequent otherwise persistent connections are sent to a
        different destination server. By default new persistent
        connections are allowed to quiescent destination servers.

        If this feature is enabled, the load balancer will expire the
        persistence template if it is to be used to schedule a new
        connection and the destination server is quiescent.

ignore_tunneled - BOOLEAN
        0 - disabled (default)
        not 0 - enabled

        If set, ipvs will set the ipvs_property on all packets which are of
        unrecognized protocols. This prevents us from routing tunneled
        protocols like ipip, which is useful to prevent rescheduling
        packets that have been tunneled to the ipvs host (i.e. to prevent
        ipvs routing loops when ipvs is also acting as a real server).

nat_icmp_send - BOOLEAN
        0 - disabled (default)
        not 0 - enabled

        It controls sending ICMP error messages (ICMP_DEST_UNREACH)
        for VS/NAT when the load balancer receives packets from real
        servers but the connection entries don't exist.

secure_tcp - INTEGER
        0 - disabled (default)

        The secure_tcp defense is to use a more complicated TCP state
        transition table. For VS/NAT, it also delays entering the
        TCP ESTABLISHED state until the three way handshake is completed.

        The value definition is the same as that of drop_entry and
        drop_packet.

sync_threshold - INTEGER
        default 3

        It sets the synchronization threshold, which is the minimum number
        of incoming packets that a connection needs to receive before
        the connection will be synchronized. A connection will be
        synchronized every time the number of its incoming packets
        modulo 50 equals the threshold. The range of the threshold is
        from 0 to 49.

snat_reroute - BOOLEAN
        0 - disabled
        not 0 - enabled (default)

        If enabled, recalculate the route of SNATed packets from
        real servers so that they are routed as if they originate from the
        director. Otherwise they are routed as if they are forwarded by the
        director.

        If policy routing is in effect then it is possible that
        a packet originating from the director is routed differently from
        a packet being forwarded by the director.

        If policy routing is not in effect then the recalculated route will
        always be the same as the original route, so it is an optimisation
        to disable snat_reroute and avoid the recalculation.

sync_persist_mode - INTEGER
        default 0

        Controls the synchronisation of connections when using persistence.

        0: All types of connections are synchronised.
        1: Attempt to reduce the synchronisation traffic depending on
        the connection type. For persistent services, avoid synchronisation
        for normal connections and do it only for persistence templates.
        In that case, for TCP and SCTP it may be necessary to enable the
        sloppy_tcp and sloppy_sctp flags on backup servers. For non-persistent
        services such optimization is not applied; mode 0 is assumed.

sync_version - INTEGER
        default 1

        The version of the synchronisation protocol used when sending
        synchronisation messages.

        0 selects the original synchronisation protocol (version 0). This
        should be used when sending synchronisation messages to a legacy
        system that only understands the original synchronisation protocol.

        1 selects the current synchronisation protocol (version 1). This
        should be used where possible.

        Kernels with this sync_version entry are able to receive messages
        of both version 1 and version 2 of the synchronisation protocol.
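A defender-side sanity check over the variables listed above, as an added example that is not kernel or ipvsadm code: it flags values outside the documented ranges and settings that leave IPVS' own defenses off. read_vs_dir() and the default path are assumptions; audit_ipvs_sysctls() takes a plain dict so it also runs on constructed input.

```python
# Added example, not kernel or ipvsadm code: sanity-check the documented
# /proc/sys/net/ipv4/vs/* variables.  Bounds and semantics are taken from
# the documentation above; the choice of what to flag is this script's own.
import os

# documented bounds: drop_entry/drop_packet/secure_tcp 0..3,
# sync_threshold 0..49, sync_version 0 or 1
DOCUMENTED_RANGES = {
    "drop_entry": (0, 3), "drop_packet": (0, 3), "secure_tcp": (0, 3),
    "sync_threshold": (0, 49), "sync_version": (0, 1),
}


def read_vs_dir(path="/proc/sys/net/ipv4/vs"):
    """Read every variable under path into {name: int} (assumed helper)."""
    values = {}
    for name in os.listdir(path):
        with open(os.path.join(path, name)) as fh:
            values[name] = int(fh.read().strip())
    return values


def audit_ipvs_sysctls(values):
    """Return [(variable, finding), ...]; empty means nothing to report.

    Absent variables are treated as their documented defaults.
    """
    findings = []
    for name, (lo, hi) in DOCUMENTED_RANGES.items():
        if name in values and not lo <= values[name] <= hi:
            findings.append((name, "value %d outside documented range %d..%d"
                             % (values[name], lo, hi)))
    if values.get("drop_entry", 0) == 0:
        findings.append(("drop_entry", "disabled: SYN-RECV entries are never "
                         "dropped under memory pressure"))
    if values.get("secure_tcp", 0) == 0:
        findings.append(("secure_tcp", "disabled: simple TCP state table; for "
                         "VS/NAT ESTABLISHED is not delayed until the handshake"))
    if values.get("conn_reuse_mode", 1) == 0:
        findings.append(("conn_reuse_mode", "0 effectively disables expire_nodest_conn"))
    elif values.get("expire_nodest_conn", 0) == 0:
        findings.append(("expire_nodest_conn", "disabled: packets to an unavailable "
                         "real server are silently dropped"))
    if values.get("sync_version", 1) == 0:
        findings.append(("sync_version", "legacy sync protocol version 0 selected"))
    if values.get("debug_level", 0) > 0:
        findings.append(("debug_level", "level %d: verbose IPVS logging enabled"
                         % values["debug_level"]))
    return findings
```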