diff options
-rw-r--r-- | Documentation/networking/ipvs-sysctl.txt | 143 |
1 files changed, 143 insertions, 0 deletions
diff --git a/Documentation/networking/ipvs-sysctl.txt b/Documentation/networking/ipvs-sysctl.txt new file mode 100644 index 000000000000..4ccdbca03811 --- /dev/null +++ b/Documentation/networking/ipvs-sysctl.txt | |||
@@ -0,0 +1,143 @@ | |||
1 | /proc/sys/net/ipv4/vs/* Variables: | ||
2 | |||
3 | am_droprate - INTEGER | ||
4 | default 10 | ||
5 | |||
6 | It sets the always mode drop rate, which is used in the mode 3 | ||
7 | of the drop_rate defense. | ||
8 | |||
9 | amemthresh - INTEGER | ||
10 | default 1024 | ||
11 | |||
12 | It sets the available memory threshold (in pages), which is | ||
13 | used in the automatic modes of defense. When there is no | ||
14 | enough available memory, the respective strategy will be | ||
15 | enabled and the variable is automatically set to 2, otherwise | ||
16 | the strategy is disabled and the variable is set to 1. | ||
17 | |||
18 | cache_bypass - BOOLEAN | ||
19 | 0 - disabled (default) | ||
20 | not 0 - enabled | ||
21 | |||
22 | If it is enabled, forward packets to the original destination | ||
23 | directly when no cache server is available and destination | ||
24 | address is not local (iph->daddr is RTN_UNICAST). It is mostly | ||
25 | used in transparent web cache cluster. | ||
26 | |||
27 | debug_level - INTEGER | ||
28 | 0 - transmission error messages (default) | ||
29 | 1 - non-fatal error messages | ||
30 | 2 - configuration | ||
31 | 3 - destination trash | ||
32 | 4 - drop entry | ||
33 | 5 - service lookup | ||
34 | 6 - scheduling | ||
35 | 7 - connection new/expire, lookup and synchronization | ||
36 | 8 - state transition | ||
37 | 9 - binding destination, template checks and applications | ||
38 | 10 - IPVS packet transmission | ||
39 | 11 - IPVS packet handling (ip_vs_in/ip_vs_out) | ||
40 | 12 or more - packet traversal | ||
41 | |||
42 | Only available when IPVS is compiled with the CONFIG_IPVS_DEBUG | ||
43 | |||
44 | Higher debugging levels include the messages for lower debugging | ||
45 | levels, so setting debug level 2, includes level 0, 1 and 2 | ||
46 | messages. Thus, logging becomes more and more verbose the higher | ||
47 | the level. | ||
48 | |||
49 | drop_entry - INTEGER | ||
50 | 0 - disabled (default) | ||
51 | |||
52 | The drop_entry defense is to randomly drop entries in the | ||
53 | connection hash table, just in order to collect back some | ||
54 | memory for new connections. In the current code, the | ||
55 | drop_entry procedure can be activated every second, then it | ||
56 | randomly scans 1/32 of the whole and drops entries that are in | ||
57 | the SYN-RECV/SYNACK state, which should be effective against | ||
58 | syn-flooding attack. | ||
59 | |||
60 | The valid values of drop_entry are from 0 to 3, where 0 means | ||
61 | that this strategy is always disabled, 1 and 2 mean automatic | ||
62 | modes (when there is no enough available memory, the strategy | ||
63 | is enabled and the variable is automatically set to 2, | ||
64 | otherwise the strategy is disabled and the variable is set to | ||
65 | 1), and 3 means that that the strategy is always enabled. | ||
66 | |||
67 | drop_packet - INTEGER | ||
68 | 0 - disabled (default) | ||
69 | |||
70 | The drop_packet defense is designed to drop 1/rate packets | ||
71 | before forwarding them to real servers. If the rate is 1, then | ||
72 | drop all the incoming packets. | ||
73 | |||
74 | The value definition is the same as that of the drop_entry. In | ||
75 | the automatic mode, the rate is determined by the follow | ||
76 | formula: rate = amemthresh / (amemthresh - available_memory) | ||
77 | when available memory is less than the available memory | ||
78 | threshold. When the mode 3 is set, the always mode drop rate | ||
79 | is controlled by the /proc/sys/net/ipv4/vs/am_droprate. | ||
80 | |||
81 | expire_nodest_conn - BOOLEAN | ||
82 | 0 - disabled (default) | ||
83 | not 0 - enabled | ||
84 | |||
85 | The default value is 0, the load balancer will silently drop | ||
86 | packets when its destination server is not available. It may | ||
87 | be useful, when user-space monitoring program deletes the | ||
88 | destination server (because of server overload or wrong | ||
89 | detection) and add back the server later, and the connections | ||
90 | to the server can continue. | ||
91 | |||
92 | If this feature is enabled, the load balancer will expire the | ||
93 | connection immediately when a packet arrives and its | ||
94 | destination server is not available, then the client program | ||
95 | will be notified that the connection is closed. This is | ||
96 | equivalent to the feature some people requires to flush | ||
97 | connections when its destination is not available. | ||
98 | |||
99 | expire_quiescent_template - BOOLEAN | ||
100 | 0 - disabled (default) | ||
101 | not 0 - enabled | ||
102 | |||
103 | When set to a non-zero value, the load balancer will expire | ||
104 | persistent templates when the destination server is quiescent. | ||
105 | This may be useful, when a user makes a destination server | ||
106 | quiescent by setting its weight to 0 and it is desired that | ||
107 | subsequent otherwise persistent connections are sent to a | ||
108 | different destination server. By default new persistent | ||
109 | connections are allowed to quiescent destination servers. | ||
110 | |||
111 | If this feature is enabled, the load balancer will expire the | ||
112 | persistence template if it is to be used to schedule a new | ||
113 | connection and the destination server is quiescent. | ||
114 | |||
115 | nat_icmp_send - BOOLEAN | ||
116 | 0 - disabled (default) | ||
117 | not 0 - enabled | ||
118 | |||
119 | It controls sending icmp error messages (ICMP_DEST_UNREACH) | ||
120 | for VS/NAT when the load balancer receives packets from real | ||
121 | servers but the connection entries don't exist. | ||
122 | |||
123 | secure_tcp - INTEGER | ||
124 | 0 - disabled (default) | ||
125 | |||
126 | The secure_tcp defense is to use a more complicated state | ||
127 | transition table and some possible short timeouts of each | ||
128 | state. In the VS/NAT, it delays the entering the ESTABLISHED | ||
129 | until the real server starts to send data and ACK packet | ||
130 | (after 3-way handshake). | ||
131 | |||
132 | The value definition is the same as that of drop_entry or | ||
133 | drop_packet. | ||
134 | |||
135 | sync_threshold - INTEGER | ||
136 | default 3 | ||
137 | |||
138 | It sets synchronization threshold, which is the minimum number | ||
139 | of incoming packets that a connection needs to receive before | ||
140 | the connection will be synchronized. A connection will be | ||
141 | synchronized, every time the number of its incoming packets | ||
142 | modulus 50 equals the threshold. The range of the threshold is | ||
143 | from 0 to 49. | ||