--- /dev/null
+.. SPDX-License-Identifier: GPL-2.0
+
+===========
+IPvs-sysctl
+===========
+
+/proc/sys/net/ipv4/vs/* Variables:
+==================================
+
+am_droprate - INTEGER
+ default 10
+
+ It sets the always mode drop rate, which is used in the mode 3
+ of the drop_rate defense.
+
+amemthresh - INTEGER
+ default 1024
+
+ It sets the available memory threshold (in pages), which is
+ used in the automatic modes of defense. When there is no
+ enough available memory, the respective strategy will be
+ enabled and the variable is automatically set to 2, otherwise
+ the strategy is disabled and the variable is set to 1.
+
+backup_only - BOOLEAN
+ - 0 - disabled (default)
+ - not 0 - enabled
+
+ If set, disable the director function while the server is
+ in backup mode to avoid packet loops for DR/TUN methods.
+
+conn_reuse_mode - INTEGER
+ 1 - default
+
+ Controls how ipvs will deal with connections that are detected
+ port reuse. It is a bitmap, with the values being:
+
+ 0: disable any special handling on port reuse. The new
+ connection will be delivered to the same real server that was
+ servicing the previous connection. This will effectively
+ disable expire_nodest_conn.
+
+ bit 1: enable rescheduling of new connections when it is safe.
+ That is, whenever expire_nodest_conn and for TCP sockets, when
+ the connection is in TIME_WAIT state (which is only possible if
+ you use NAT mode).
+
+ bit 2: it is bit 1 plus, for TCP connections, when connections
+ are in FIN_WAIT state, as this is the last state seen by load
+ balancer in Direct Routing mode. This bit helps on adding new
+ real servers to a very busy cluster.
+
+conntrack - BOOLEAN
+ - 0 - disabled (default)
+ - not 0 - enabled
+
+ If set, maintain connection tracking entries for
+ connections handled by IPVS.
+
+ This should be enabled if connections handled by IPVS are to be
+ also handled by stateful firewall rules. That is, iptables rules
+ that make use of connection tracking. It is a performance
+ optimisation to disable this setting otherwise.
+
+ Connections handled by the IPVS FTP application module
+ will have connection tracking entries regardless of this setting.
+
+ Only available when IPVS is compiled with CONFIG_IP_VS_NFCT enabled.
+
+cache_bypass - BOOLEAN
+ - 0 - disabled (default)
+ - not 0 - enabled
+
+ If it is enabled, forward packets to the original destination
+ directly when no cache server is available and destination
+ address is not local (iph->daddr is RTN_UNICAST). It is mostly
+ used in transparent web cache cluster.
+
+debug_level - INTEGER
+ - 0 - transmission error messages (default)
+ - 1 - non-fatal error messages
+ - 2 - configuration
+ - 3 - destination trash
+ - 4 - drop entry
+ - 5 - service lookup
+ - 6 - scheduling
+ - 7 - connection new/expire, lookup and synchronization
+ - 8 - state transition
+ - 9 - binding destination, template checks and applications
+ - 10 - IPVS packet transmission
+ - 11 - IPVS packet handling (ip_vs_in/ip_vs_out)
+ - 12 or more - packet traversal
+
+ Only available when IPVS is compiled with CONFIG_IP_VS_DEBUG enabled.
+
+ Higher debugging levels include the messages for lower debugging
+ levels, so setting debug level 2, includes level 0, 1 and 2
+ messages. Thus, logging becomes more and more verbose the higher
+ the level.
+
+drop_entry - INTEGER
+ - 0 - disabled (default)
+
+ The drop_entry defense is to randomly drop entries in the
+ connection hash table, just in order to collect back some
+ memory for new connections. In the current code, the
+ drop_entry procedure can be activated every second, then it
+ randomly scans 1/32 of the whole and drops entries that are in
+ the SYN-RECV/SYNACK state, which should be effective against
+ syn-flooding attack.
+
+ The valid values of drop_entry are from 0 to 3, where 0 means
+ that this strategy is always disabled, 1 and 2 mean automatic
+ modes (when there is no enough available memory, the strategy
+ is enabled and the variable is automatically set to 2,
+ otherwise the strategy is disabled and the variable is set to
+ 1), and 3 means that that the strategy is always enabled.
+
+drop_packet - INTEGER
+ - 0 - disabled (default)
+
+ The drop_packet defense is designed to drop 1/rate packets
+ before forwarding them to real servers. If the rate is 1, then
+ drop all the incoming packets.
+
+ The value definition is the same as that of the drop_entry. In
+ the automatic mode, the rate is determined by the follow
+ formula: rate = amemthresh / (amemthresh - available_memory)
+ when available memory is less than the available memory
+ threshold. When the mode 3 is set, the always mode drop rate
+ is controlled by the /proc/sys/net/ipv4/vs/am_droprate.
+
+expire_nodest_conn - BOOLEAN
+ - 0 - disabled (default)
+ - not 0 - enabled
+
+ The default value is 0, the load balancer will silently drop
+ packets when its destination server is not available. It may
+ be useful, when user-space monitoring program deletes the
+ destination server (because of server overload or wrong
+ detection) and add back the server later, and the connections
+ to the server can continue.
+
+ If this feature is enabled, the load balancer will expire the
+ connection immediately when a packet arrives and its
+ destination server is not available, then the client program
+ will be notified that the connection is closed. This is
+ equivalent to the feature some people requires to flush
+ connections when its destination is not available.
+
+expire_quiescent_template - BOOLEAN
+ - 0 - disabled (default)
+ - not 0 - enabled
+
+ When set to a non-zero value, the load balancer will expire
+ persistent templates when the destination server is quiescent.
+ This may be useful, when a user makes a destination server
+ quiescent by setting its weight to 0 and it is desired that
+ subsequent otherwise persistent connections are sent to a
+ different destination server. By default new persistent
+ connections are allowed to quiescent destination servers.
+
+ If this feature is enabled, the load balancer will expire the
+ persistence template if it is to be used to schedule a new
+ connection and the destination server is quiescent.
+
+ignore_tunneled - BOOLEAN
+ - 0 - disabled (default)
+ - not 0 - enabled
+
+ If set, ipvs will set the ipvs_property on all packets which are of
+ unrecognized protocols. This prevents us from routing tunneled
+ protocols like ipip, which is useful to prevent rescheduling
+ packets that have been tunneled to the ipvs host (i.e. to prevent
+ ipvs routing loops when ipvs is also acting as a real server).
+
+nat_icmp_send - BOOLEAN
+ - 0 - disabled (default)
+ - not 0 - enabled
+
+ It controls sending icmp error messages (ICMP_DEST_UNREACH)
+ for VS/NAT when the load balancer receives packets from real
+ servers but the connection entries don't exist.
+
+pmtu_disc - BOOLEAN
+ - 0 - disabled
+ - not 0 - enabled (default)
+
+ By default, reject with FRAG_NEEDED all DF packets that exceed
+ the PMTU, irrespective of the forwarding method. For TUN method
+ the flag can be disabled to fragment such packets.
+
+secure_tcp - INTEGER
+ - 0 - disabled (default)
+
+ The secure_tcp defense is to use a more complicated TCP state
+ transition table. For VS/NAT, it also delays entering the
+ TCP ESTABLISHED state until the three way handshake is completed.
+
+ The value definition is the same as that of drop_entry and
+ drop_packet.
+
+sync_threshold - vector of 2 INTEGERs: sync_threshold, sync_period
+ default 3 50
+
+ It sets synchronization threshold, which is the minimum number
+ of incoming packets that a connection needs to receive before
+ the connection will be synchronized. A connection will be
+ synchronized, every time the number of its incoming packets
+ modulus sync_period equals the threshold. The range of the
+ threshold is from 0 to sync_period.
+
+ When sync_period and sync_refresh_period are 0, send sync only
+ for state changes or only once when pkts matches sync_threshold
+
+sync_refresh_period - UNSIGNED INTEGER
+ default 0
+
+ In seconds, difference in reported connection timer that triggers
+ new sync message. It can be used to avoid sync messages for the
+ specified period (or half of the connection timeout if it is lower)
+ if connection state is not changed since last sync.
+
+ This is useful for normal connections with high traffic to reduce
+ sync rate. Additionally, retry sync_retries times with period of
+ sync_refresh_period/8.
+
+sync_retries - INTEGER
+ default 0
+
+ Defines sync retries with period of sync_refresh_period/8. Useful
+ to protect against loss of sync messages. The range of the
+ sync_retries is from 0 to 3.
+
+sync_qlen_max - UNSIGNED LONG
+
+ Hard limit for queued sync messages that are not sent yet. It
+ defaults to 1/32 of the memory pages but actually represents
+ number of messages. It will protect us from allocating large
+ parts of memory when the sending rate is lower than the queuing
+ rate.
+
+sync_sock_size - INTEGER
+ default 0
+
+ Configuration of SNDBUF (master) or RCVBUF (slave) socket limit.
+ Default value is 0 (preserve system defaults).
+
+sync_ports - INTEGER
+ default 1
+
+ The number of threads that master and backup servers can use for
+ sync traffic. Every thread will use single UDP port, thread 0 will
+ use the default port 8848 while last thread will use port
+ 8848+sync_ports-1.
+
+snat_reroute - BOOLEAN
+ - 0 - disabled
+ - not 0 - enabled (default)
+
+ If enabled, recalculate the route of SNATed packets from
+ realservers so that they are routed as if they originate from the
+ director. Otherwise they are routed as if they are forwarded by the
+ director.
+
+ If policy routing is in effect then it is possible that the route
+ of a packet originating from a director is routed differently to a
+ packet being forwarded by the director.
+
+ If policy routing is not in effect then the recalculated route will
+ always be the same as the original route so it is an optimisation
+ to disable snat_reroute and avoid the recalculation.
+
+sync_persist_mode - INTEGER
+ default 0
+
+ Controls the synchronisation of connections when using persistence
+
+ 0: All types of connections are synchronised
+
+ 1: Attempt to reduce the synchronisation traffic depending on
+ the connection type. For persistent services avoid synchronisation
+ for normal connections, do it only for persistence templates.
+ In such case, for TCP and SCTP it may need enabling sloppy_tcp and
+ sloppy_sctp flags on backup servers. For non-persistent services
+ such optimization is not applied, mode 0 is assumed.
+
+sync_version - INTEGER
+ default 1
+
+ The version of the synchronisation protocol used when sending
+ synchronisation messages.
+
+ 0 selects the original synchronisation protocol (version 0). This
+ should be used when sending synchronisation messages to a legacy
+ system that only understands the original synchronisation protocol.
+
+ 1 selects the current synchronisation protocol (version 1). This
+ should be used where possible.
+
+ Kernels with this sync_version entry are able to receive messages
+ of both version 1 and version 2 of the synchronisation protocol.
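Review bot: two statements carried into the new file contradict the file itself and should be corrected while the text is being touched. Under am_droprate, "mode 3 of the drop_rate defense" names a sysctl that does not exist in this file; the drop_packet entry further down says that mode 3 of drop_packet is what reads am_droprate, so this should read "drop_packet defense". Likewise the closing sentence under sync_version says kernels "are able to receive messages of both version 1 and version 2", while the entry only defines versions 0 and 1, so it should say "version 0 and version 1". Smaller copy fixes in the same hunk: "3 means that that the strategy" under drop_entry (doubled "that"), "the follow formula" under drop_packet, "some people requires" under expire_nodest_conn, and the sync_threshold paragraph ending "matches sync_threshold" with no full stop. Format nits for the rst: conn_reuse_mode uses "1 - default" where every other entry uses "default N"; sync_sock_size says "(slave)" where the rest of the file says "backup"; and the title "IPvs-sysctl" mixes case while the body writes IPVS. Finally, the hunk introduces ".. SPDX-License-Identifier: GPL-2.0" on a file that previously carried no license tag, which is a licensing assertion worth stating explicitly in the commit message, and nothing shown adds the new ipvs-sysctl.rst to a toctree, so confirm that is done elsewhere in the series or the page will not be built.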
+++ /dev/null
-/proc/sys/net/ipv4/vs/* Variables:
-
-am_droprate - INTEGER
- default 10
-
- It sets the always mode drop rate, which is used in the mode 3
- of the drop_rate defense.
-
-amemthresh - INTEGER
- default 1024
-
- It sets the available memory threshold (in pages), which is
- used in the automatic modes of defense. When there is no
- enough available memory, the respective strategy will be
- enabled and the variable is automatically set to 2, otherwise
- the strategy is disabled and the variable is set to 1.
-
-backup_only - BOOLEAN
- 0 - disabled (default)
- not 0 - enabled
-
- If set, disable the director function while the server is
- in backup mode to avoid packet loops for DR/TUN methods.
-
-conn_reuse_mode - INTEGER
- 1 - default
-
- Controls how ipvs will deal with connections that are detected
- port reuse. It is a bitmap, with the values being:
-
- 0: disable any special handling on port reuse. The new
- connection will be delivered to the same real server that was
- servicing the previous connection. This will effectively
- disable expire_nodest_conn.
-
- bit 1: enable rescheduling of new connections when it is safe.
- That is, whenever expire_nodest_conn and for TCP sockets, when
- the connection is in TIME_WAIT state (which is only possible if
- you use NAT mode).
-
- bit 2: it is bit 1 plus, for TCP connections, when connections
- are in FIN_WAIT state, as this is the last state seen by load
- balancer in Direct Routing mode. This bit helps on adding new
- real servers to a very busy cluster.
-
-conntrack - BOOLEAN
- 0 - disabled (default)
- not 0 - enabled
-
- If set, maintain connection tracking entries for
- connections handled by IPVS.
-
- This should be enabled if connections handled by IPVS are to be
- also handled by stateful firewall rules. That is, iptables rules
- that make use of connection tracking. It is a performance
- optimisation to disable this setting otherwise.
-
- Connections handled by the IPVS FTP application module
- will have connection tracking entries regardless of this setting.
-
- Only available when IPVS is compiled with CONFIG_IP_VS_NFCT enabled.
-
-cache_bypass - BOOLEAN
- 0 - disabled (default)
- not 0 - enabled
-
- If it is enabled, forward packets to the original destination
- directly when no cache server is available and destination
- address is not local (iph->daddr is RTN_UNICAST). It is mostly
- used in transparent web cache cluster.
-
-debug_level - INTEGER
- 0 - transmission error messages (default)
- 1 - non-fatal error messages
- 2 - configuration
- 3 - destination trash
- 4 - drop entry
- 5 - service lookup
- 6 - scheduling
- 7 - connection new/expire, lookup and synchronization
- 8 - state transition
- 9 - binding destination, template checks and applications
- 10 - IPVS packet transmission
- 11 - IPVS packet handling (ip_vs_in/ip_vs_out)
- 12 or more - packet traversal
-
- Only available when IPVS is compiled with CONFIG_IP_VS_DEBUG enabled.
-
- Higher debugging levels include the messages for lower debugging
- levels, so setting debug level 2, includes level 0, 1 and 2
- messages. Thus, logging becomes more and more verbose the higher
- the level.
-
-drop_entry - INTEGER
- 0 - disabled (default)
-
- The drop_entry defense is to randomly drop entries in the
- connection hash table, just in order to collect back some
- memory for new connections. In the current code, the
- drop_entry procedure can be activated every second, then it
- randomly scans 1/32 of the whole and drops entries that are in
- the SYN-RECV/SYNACK state, which should be effective against
- syn-flooding attack.
-
- The valid values of drop_entry are from 0 to 3, where 0 means
- that this strategy is always disabled, 1 and 2 mean automatic
- modes (when there is no enough available memory, the strategy
- is enabled and the variable is automatically set to 2,
- otherwise the strategy is disabled and the variable is set to
- 1), and 3 means that that the strategy is always enabled.
-
-drop_packet - INTEGER
- 0 - disabled (default)
-
- The drop_packet defense is designed to drop 1/rate packets
- before forwarding them to real servers. If the rate is 1, then
- drop all the incoming packets.
-
- The value definition is the same as that of the drop_entry. In
- the automatic mode, the rate is determined by the follow
- formula: rate = amemthresh / (amemthresh - available_memory)
- when available memory is less than the available memory
- threshold. When the mode 3 is set, the always mode drop rate
- is controlled by the /proc/sys/net/ipv4/vs/am_droprate.
-
-expire_nodest_conn - BOOLEAN
- 0 - disabled (default)
- not 0 - enabled
-
- The default value is 0, the load balancer will silently drop
- packets when its destination server is not available. It may
- be useful, when user-space monitoring program deletes the
- destination server (because of server overload or wrong
- detection) and add back the server later, and the connections
- to the server can continue.
-
- If this feature is enabled, the load balancer will expire the
- connection immediately when a packet arrives and its
- destination server is not available, then the client program
- will be notified that the connection is closed. This is
- equivalent to the feature some people requires to flush
- connections when its destination is not available.
-
-expire_quiescent_template - BOOLEAN
- 0 - disabled (default)
- not 0 - enabled
-
- When set to a non-zero value, the load balancer will expire
- persistent templates when the destination server is quiescent.
- This may be useful, when a user makes a destination server
- quiescent by setting its weight to 0 and it is desired that
- subsequent otherwise persistent connections are sent to a
- different destination server. By default new persistent
- connections are allowed to quiescent destination servers.
-
- If this feature is enabled, the load balancer will expire the
- persistence template if it is to be used to schedule a new
- connection and the destination server is quiescent.
-
-ignore_tunneled - BOOLEAN
- 0 - disabled (default)
- not 0 - enabled
-
- If set, ipvs will set the ipvs_property on all packets which are of
- unrecognized protocols. This prevents us from routing tunneled
- protocols like ipip, which is useful to prevent rescheduling
- packets that have been tunneled to the ipvs host (i.e. to prevent
- ipvs routing loops when ipvs is also acting as a real server).
-
-nat_icmp_send - BOOLEAN
- 0 - disabled (default)
- not 0 - enabled
-
- It controls sending icmp error messages (ICMP_DEST_UNREACH)
- for VS/NAT when the load balancer receives packets from real
- servers but the connection entries don't exist.
-
-pmtu_disc - BOOLEAN
- 0 - disabled
- not 0 - enabled (default)
-
- By default, reject with FRAG_NEEDED all DF packets that exceed
- the PMTU, irrespective of the forwarding method. For TUN method
- the flag can be disabled to fragment such packets.
-
-secure_tcp - INTEGER
- 0 - disabled (default)
-
- The secure_tcp defense is to use a more complicated TCP state
- transition table. For VS/NAT, it also delays entering the
- TCP ESTABLISHED state until the three way handshake is completed.
-
- The value definition is the same as that of drop_entry and
- drop_packet.
-
-sync_threshold - vector of 2 INTEGERs: sync_threshold, sync_period
- default 3 50
-
- It sets synchronization threshold, which is the minimum number
- of incoming packets that a connection needs to receive before
- the connection will be synchronized. A connection will be
- synchronized, every time the number of its incoming packets
- modulus sync_period equals the threshold. The range of the
- threshold is from 0 to sync_period.
-
- When sync_period and sync_refresh_period are 0, send sync only
- for state changes or only once when pkts matches sync_threshold
-
-sync_refresh_period - UNSIGNED INTEGER
- default 0
-
- In seconds, difference in reported connection timer that triggers
- new sync message. It can be used to avoid sync messages for the
- specified period (or half of the connection timeout if it is lower)
- if connection state is not changed since last sync.
-
- This is useful for normal connections with high traffic to reduce
- sync rate. Additionally, retry sync_retries times with period of
- sync_refresh_period/8.
-
-sync_retries - INTEGER
- default 0
-
- Defines sync retries with period of sync_refresh_period/8. Useful
- to protect against loss of sync messages. The range of the
- sync_retries is from 0 to 3.
-
-sync_qlen_max - UNSIGNED LONG
-
- Hard limit for queued sync messages that are not sent yet. It
- defaults to 1/32 of the memory pages but actually represents
- number of messages. It will protect us from allocating large
- parts of memory when the sending rate is lower than the queuing
- rate.
-
-sync_sock_size - INTEGER
- default 0
-
- Configuration of SNDBUF (master) or RCVBUF (slave) socket limit.
- Default value is 0 (preserve system defaults).
-
-sync_ports - INTEGER
- default 1
-
- The number of threads that master and backup servers can use for
- sync traffic. Every thread will use single UDP port, thread 0 will
- use the default port 8848 while last thread will use port
- 8848+sync_ports-1.
-
-snat_reroute - BOOLEAN
- 0 - disabled
- not 0 - enabled (default)
-
- If enabled, recalculate the route of SNATed packets from
- realservers so that they are routed as if they originate from the
- director. Otherwise they are routed as if they are forwarded by the
- director.
-
- If policy routing is in effect then it is possible that the route
- of a packet originating from a director is routed differently to a
- packet being forwarded by the director.
-
- If policy routing is not in effect then the recalculated route will
- always be the same as the original route so it is an optimisation
- to disable snat_reroute and avoid the recalculation.
-
-sync_persist_mode - INTEGER
- default 0
-
- Controls the synchronisation of connections when using persistence
-
- 0: All types of connections are synchronised
- 1: Attempt to reduce the synchronisation traffic depending on
- the connection type. For persistent services avoid synchronisation
- for normal connections, do it only for persistence templates.
- In such case, for TCP and SCTP it may need enabling sloppy_tcp and
- sloppy_sctp flags on backup servers. For non-persistent services
- such optimization is not applied, mode 0 is assumed.
-
-sync_version - INTEGER
- default 1
-
- The version of the synchronisation protocol used when sending
- synchronisation messages.
-
- 0 selects the original synchronisation protocol (version 0). This
- should be used when sending synchronisation messages to a legacy
- system that only understands the original synchronisation protocol.
-
- 1 selects the current synchronisation protocol (version 1). This
- should be used where possible.
-
- Kernels with this sync_version entry are able to receive messages
- of both version 1 and version 2 of the synchronisation protocol.
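Review bot: the removed text matches the added .rst line for line apart from the "- " bullets on the value lists and the extra blank line separating the "0:" and "1:" items under sync_persist_mode, so no content is dropped, but because the patch is presented as a full delete plus a full add rather than a rename, that equivalence has to be checked by hand across nearly three hundred lines. Regenerating with rename detection (git format-patch -M) would reduce the diff to the handful of formatting changes and make it reviewable at a glance. Note also that the wording errors in this old text (the "drop_rate" reference under am_droprate, the "version 1 and version 2" sentence under sync_version, and the typos in drop_entry, drop_packet and expire_nodest_conn) are reproduced verbatim in the new file, so the conversion is the right place to fix them rather than a follow-up.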