Commit 6ce1669fdb6b0a0faf9b2e2ba08048b520c57841
Committed by
David S. Miller
David S. Miller
1 parent
d85838c55d
Exists in
master
and in
4 other branches
[IPVS]: Add sysctl documentation
* Derived from http://www.linuxvirtualserver.org/docs/sysctl.html, v1.4 maintained by Wensong Zhang * Adjusted preample to match ip-sysctl.txt * Sorted options into alphabetical order * Added expire_quiescent_template * Removed timeout_* which are no longer present * Incoporated doc/debug-levels.txt from IPVS source tree into description of ipvs_debug * Minor spelling fixes * Further editing more than welcome Signed-Off-By: Horms <horms@verge.net.au> Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 1 changed file with 143 additions and 0 deletions Side-by-side Diff
Documentation/networking/ipvs-sysctl.txt
| 1 | +/proc/sys/net/ipv4/vs/* Variables: | |
| 2 | + | |
| 3 | +am_droprate - INTEGER | |
| 4 | + default 10 | |
| 5 | + | |
| 6 | + It sets the always mode drop rate, which is used in the mode 3 | |
| 7 | + of the drop_rate defense. | |
| 8 | + | |
| 9 | +amemthresh - INTEGER | |
| 10 | + default 1024 | |
| 11 | + | |
| 12 | + It sets the available memory threshold (in pages), which is | |
| 13 | + used in the automatic modes of defense. When there is no | |
| 14 | + enough available memory, the respective strategy will be | |
| 15 | + enabled and the variable is automatically set to 2, otherwise | |
| 16 | + the strategy is disabled and the variable is set to 1. | |
| 17 | + | |
| 18 | +cache_bypass - BOOLEAN | |
| 19 | + 0 - disabled (default) | |
| 20 | + not 0 - enabled | |
| 21 | + | |
| 22 | + If it is enabled, forward packets to the original destination | |
| 23 | + directly when no cache server is available and destination | |
| 24 | + address is not local (iph->daddr is RTN_UNICAST). It is mostly | |
| 25 | + used in transparent web cache cluster. | |
| 26 | + | |
| 27 | +debug_level - INTEGER | |
| 28 | + 0 - transmission error messages (default) | |
| 29 | + 1 - non-fatal error messages | |
| 30 | + 2 - configuration | |
| 31 | + 3 - destination trash | |
| 32 | + 4 - drop entry | |
| 33 | + 5 - service lookup | |
| 34 | + 6 - scheduling | |
| 35 | + 7 - connection new/expire, lookup and synchronization | |
| 36 | + 8 - state transition | |
| 37 | + 9 - binding destination, template checks and applications | |
| 38 | + 10 - IPVS packet transmission | |
| 39 | + 11 - IPVS packet handling (ip_vs_in/ip_vs_out) | |
| 40 | + 12 or more - packet traversal | |
| 41 | + | |
| 42 | + Only available when IPVS is compiled with the CONFIG_IPVS_DEBUG | |
| 43 | + | |
| 44 | + Higher debugging levels include the messages for lower debugging | |
| 45 | + levels, so setting debug level 2, includes level 0, 1 and 2 | |
| 46 | + messages. Thus, logging becomes more and more verbose the higher | |
| 47 | + the level. | |
| 48 | + | |
| 49 | +drop_entry - INTEGER | |
| 50 | + 0 - disabled (default) | |
| 51 | + | |
| 52 | + The drop_entry defense is to randomly drop entries in the | |
| 53 | + connection hash table, just in order to collect back some | |
| 54 | + memory for new connections. In the current code, the | |
| 55 | + drop_entry procedure can be activated every second, then it | |
| 56 | + randomly scans 1/32 of the whole and drops entries that are in | |
| 57 | + the SYN-RECV/SYNACK state, which should be effective against | |
| 58 | + syn-flooding attack. | |
| 59 | + | |
| 60 | + The valid values of drop_entry are from 0 to 3, where 0 means | |
| 61 | + that this strategy is always disabled, 1 and 2 mean automatic | |
| 62 | + modes (when there is no enough available memory, the strategy | |
| 63 | + is enabled and the variable is automatically set to 2, | |
| 64 | + otherwise the strategy is disabled and the variable is set to | |
| 65 | + 1), and 3 means that that the strategy is always enabled. | |
| 66 | + | |
| 67 | +drop_packet - INTEGER | |
| 68 | + 0 - disabled (default) | |
| 69 | + | |
| 70 | + The drop_packet defense is designed to drop 1/rate packets | |
| 71 | + before forwarding them to real servers. If the rate is 1, then | |
| 72 | + drop all the incoming packets. | |
| 73 | + | |
| 74 | + The value definition is the same as that of the drop_entry. In | |
| 75 | + the automatic mode, the rate is determined by the follow | |
| 76 | + formula: rate = amemthresh / (amemthresh - available_memory) | |
| 77 | + when available memory is less than the available memory | |
| 78 | + threshold. When the mode 3 is set, the always mode drop rate | |
| 79 | + is controlled by the /proc/sys/net/ipv4/vs/am_droprate. | |
| 80 | + | |
| 81 | +expire_nodest_conn - BOOLEAN | |
| 82 | + 0 - disabled (default) | |
| 83 | + not 0 - enabled | |
| 84 | + | |
| 85 | + The default value is 0, the load balancer will silently drop | |
| 86 | + packets when its destination server is not available. It may | |
| 87 | + be useful, when user-space monitoring program deletes the | |
| 88 | + destination server (because of server overload or wrong | |
| 89 | + detection) and add back the server later, and the connections | |
| 90 | + to the server can continue. | |
| 91 | + | |
| 92 | + If this feature is enabled, the load balancer will expire the | |
| 93 | + connection immediately when a packet arrives and its | |
| 94 | + destination server is not available, then the client program | |
| 95 | + will be notified that the connection is closed. This is | |
| 96 | + equivalent to the feature some people requires to flush | |
| 97 | + connections when its destination is not available. | |
| 98 | + | |
| 99 | +expire_quiescent_template - BOOLEAN | |
| 100 | + 0 - disabled (default) | |
| 101 | + not 0 - enabled | |
| 102 | + | |
| 103 | + When set to a non-zero value, the load balancer will expire | |
| 104 | + persistent templates when the destination server is quiescent. | |
| 105 | + This may be useful, when a user makes a destination server | |
| 106 | + quiescent by setting its weight to 0 and it is desired that | |
| 107 | + subsequent otherwise persistent connections are sent to a | |
| 108 | + different destination server. By default new persistent | |
| 109 | + connections are allowed to quiescent destination servers. | |
| 110 | + | |
| 111 | + If this feature is enabled, the load balancer will expire the | |
| 112 | + persistence template if it is to be used to schedule a new | |
| 113 | + connection and the destination server is quiescent. | |
| 114 | + | |
| 115 | +nat_icmp_send - BOOLEAN | |
| 116 | + 0 - disabled (default) | |
| 117 | + not 0 - enabled | |
| 118 | + | |
| 119 | + It controls sending icmp error messages (ICMP_DEST_UNREACH) | |
| 120 | + for VS/NAT when the load balancer receives packets from real | |
| 121 | + servers but the connection entries don't exist. | |
| 122 | + | |
| 123 | +secure_tcp - INTEGER | |
| 124 | + 0 - disabled (default) | |
| 125 | + | |
| 126 | + The secure_tcp defense is to use a more complicated state | |
| 127 | + transition table and some possible short timeouts of each | |
| 128 | + state. In the VS/NAT, it delays the entering the ESTABLISHED | |
| 129 | + until the real server starts to send data and ACK packet | |
| 130 | + (after 3-way handshake). | |
| 131 | + | |
| 132 | + The value definition is the same as that of drop_entry or | |
| 133 | + drop_packet. | |
| 134 | + | |
| 135 | +sync_threshold - INTEGER | |
| 136 | + default 3 | |
| 137 | + | |
| 138 | + It sets synchronization threshold, which is the minimum number | |
| 139 | + of incoming packets that a connection needs to receive before | |
| 140 | + the connection will be synchronized. A connection will be | |
| 141 | + synchronized, every time the number of its incoming packets | |
| 142 | + modulus 50 equals the threshold. The range of the threshold is | |
| 143 | + from 0 to 49. |