forked from Qortal/Brooklyn
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
302 lines
11 KiB
302 lines
11 KiB
.. SPDX-License-Identifier: GPL-2.0 |
|
|
|
=========== |
|
IPvs-sysctl |
|
=========== |
|
|
|
/proc/sys/net/ipv4/vs/* Variables: |
|
================================== |
|
|
|
am_droprate - INTEGER |
|
default 10 |
|
|
|
It sets the always mode drop rate, which is used in the mode 3 |
|
of the drop_rate defense. |
|
|
|
amemthresh - INTEGER |
|
default 1024 |
|
|
|
It sets the available memory threshold (in pages), which is |
|
used in the automatic modes of defense. When there is no |
|
enough available memory, the respective strategy will be |
|
enabled and the variable is automatically set to 2, otherwise |
|
the strategy is disabled and the variable is set to 1. |
|
|
|
backup_only - BOOLEAN |
|
- 0 - disabled (default) |
|
- not 0 - enabled |
|
|
|
If set, disable the director function while the server is |
|
in backup mode to avoid packet loops for DR/TUN methods. |
|
|
|
conn_reuse_mode - INTEGER |
|
1 - default |
|
|
|
Controls how ipvs will deal with connections that are detected |
|
port reuse. It is a bitmap, with the values being: |
|
|
|
0: disable any special handling on port reuse. The new |
|
connection will be delivered to the same real server that was |
|
servicing the previous connection. This will effectively |
|
disable expire_nodest_conn. |
|
|
|
bit 1: enable rescheduling of new connections when it is safe. |
|
That is, whenever expire_nodest_conn and for TCP sockets, when |
|
the connection is in TIME_WAIT state (which is only possible if |
|
you use NAT mode). |
|
|
|
bit 2: it is bit 1 plus, for TCP connections, when connections |
|
are in FIN_WAIT state, as this is the last state seen by load |
|
balancer in Direct Routing mode. This bit helps on adding new |
|
real servers to a very busy cluster. |
|
|
|
conntrack - BOOLEAN |
|
- 0 - disabled (default) |
|
- not 0 - enabled |
|
|
|
If set, maintain connection tracking entries for |
|
connections handled by IPVS. |
|
|
|
This should be enabled if connections handled by IPVS are to be |
|
also handled by stateful firewall rules. That is, iptables rules |
|
that make use of connection tracking. It is a performance |
|
optimisation to disable this setting otherwise. |
|
|
|
Connections handled by the IPVS FTP application module |
|
will have connection tracking entries regardless of this setting. |
|
|
|
Only available when IPVS is compiled with CONFIG_IP_VS_NFCT enabled. |
|
|
|
cache_bypass - BOOLEAN |
|
- 0 - disabled (default) |
|
- not 0 - enabled |
|
|
|
If it is enabled, forward packets to the original destination |
|
directly when no cache server is available and destination |
|
address is not local (iph->daddr is RTN_UNICAST). It is mostly |
|
used in transparent web cache cluster. |
|
|
|
debug_level - INTEGER |
|
- 0 - transmission error messages (default) |
|
- 1 - non-fatal error messages |
|
- 2 - configuration |
|
- 3 - destination trash |
|
- 4 - drop entry |
|
- 5 - service lookup |
|
- 6 - scheduling |
|
- 7 - connection new/expire, lookup and synchronization |
|
- 8 - state transition |
|
- 9 - binding destination, template checks and applications |
|
- 10 - IPVS packet transmission |
|
- 11 - IPVS packet handling (ip_vs_in/ip_vs_out) |
|
- 12 or more - packet traversal |
|
|
|
Only available when IPVS is compiled with CONFIG_IP_VS_DEBUG enabled. |
|
|
|
Higher debugging levels include the messages for lower debugging |
|
levels, so setting debug level 2, includes level 0, 1 and 2 |
|
messages. Thus, logging becomes more and more verbose the higher |
|
the level. |
|
|
|
drop_entry - INTEGER |
|
- 0 - disabled (default) |
|
|
|
The drop_entry defense is to randomly drop entries in the |
|
connection hash table, just in order to collect back some |
|
memory for new connections. In the current code, the |
|
drop_entry procedure can be activated every second, then it |
|
randomly scans 1/32 of the whole and drops entries that are in |
|
the SYN-RECV/SYNACK state, which should be effective against |
|
syn-flooding attack. |
|
|
|
The valid values of drop_entry are from 0 to 3, where 0 means |
|
that this strategy is always disabled, 1 and 2 mean automatic |
|
modes (when there is no enough available memory, the strategy |
|
is enabled and the variable is automatically set to 2, |
|
otherwise the strategy is disabled and the variable is set to |
|
1), and 3 means that the strategy is always enabled. |
|
|
|
drop_packet - INTEGER |
|
- 0 - disabled (default) |
|
|
|
The drop_packet defense is designed to drop 1/rate packets |
|
before forwarding them to real servers. If the rate is 1, then |
|
drop all the incoming packets. |
|
|
|
The value definition is the same as that of the drop_entry. In |
|
the automatic mode, the rate is determined by the follow |
|
formula: rate = amemthresh / (amemthresh - available_memory) |
|
when available memory is less than the available memory |
|
threshold. When the mode 3 is set, the always mode drop rate |
|
is controlled by the /proc/sys/net/ipv4/vs/am_droprate. |
|
|
|
expire_nodest_conn - BOOLEAN |
|
- 0 - disabled (default) |
|
- not 0 - enabled |
|
|
|
The default value is 0, the load balancer will silently drop |
|
packets when its destination server is not available. It may |
|
be useful, when user-space monitoring program deletes the |
|
destination server (because of server overload or wrong |
|
detection) and add back the server later, and the connections |
|
to the server can continue. |
|
|
|
If this feature is enabled, the load balancer will expire the |
|
connection immediately when a packet arrives and its |
|
destination server is not available, then the client program |
|
will be notified that the connection is closed. This is |
|
equivalent to the feature some people requires to flush |
|
connections when its destination is not available. |
|
|
|
expire_quiescent_template - BOOLEAN |
|
- 0 - disabled (default) |
|
- not 0 - enabled |
|
|
|
When set to a non-zero value, the load balancer will expire |
|
persistent templates when the destination server is quiescent. |
|
This may be useful, when a user makes a destination server |
|
quiescent by setting its weight to 0 and it is desired that |
|
subsequent otherwise persistent connections are sent to a |
|
different destination server. By default new persistent |
|
connections are allowed to quiescent destination servers. |
|
|
|
If this feature is enabled, the load balancer will expire the |
|
persistence template if it is to be used to schedule a new |
|
connection and the destination server is quiescent. |
|
|
|
ignore_tunneled - BOOLEAN |
|
- 0 - disabled (default) |
|
- not 0 - enabled |
|
|
|
If set, ipvs will set the ipvs_property on all packets which are of |
|
unrecognized protocols. This prevents us from routing tunneled |
|
protocols like ipip, which is useful to prevent rescheduling |
|
packets that have been tunneled to the ipvs host (i.e. to prevent |
|
ipvs routing loops when ipvs is also acting as a real server). |
|
|
|
nat_icmp_send - BOOLEAN |
|
- 0 - disabled (default) |
|
- not 0 - enabled |
|
|
|
It controls sending icmp error messages (ICMP_DEST_UNREACH) |
|
for VS/NAT when the load balancer receives packets from real |
|
servers but the connection entries don't exist. |
|
|
|
pmtu_disc - BOOLEAN |
|
- 0 - disabled |
|
- not 0 - enabled (default) |
|
|
|
By default, reject with FRAG_NEEDED all DF packets that exceed |
|
the PMTU, irrespective of the forwarding method. For TUN method |
|
the flag can be disabled to fragment such packets. |
|
|
|
secure_tcp - INTEGER |
|
- 0 - disabled (default) |
|
|
|
The secure_tcp defense is to use a more complicated TCP state |
|
transition table. For VS/NAT, it also delays entering the |
|
TCP ESTABLISHED state until the three way handshake is completed. |
|
|
|
The value definition is the same as that of drop_entry and |
|
drop_packet. |
|
|
|
sync_threshold - vector of 2 INTEGERs: sync_threshold, sync_period |
|
default 3 50 |
|
|
|
It sets synchronization threshold, which is the minimum number |
|
of incoming packets that a connection needs to receive before |
|
the connection will be synchronized. A connection will be |
|
synchronized, every time the number of its incoming packets |
|
modulus sync_period equals the threshold. The range of the |
|
threshold is from 0 to sync_period. |
|
|
|
When sync_period and sync_refresh_period are 0, send sync only |
|
for state changes or only once when pkts matches sync_threshold |
|
|
|
sync_refresh_period - UNSIGNED INTEGER |
|
default 0 |
|
|
|
In seconds, difference in reported connection timer that triggers |
|
new sync message. It can be used to avoid sync messages for the |
|
specified period (or half of the connection timeout if it is lower) |
|
if connection state is not changed since last sync. |
|
|
|
This is useful for normal connections with high traffic to reduce |
|
sync rate. Additionally, retry sync_retries times with period of |
|
sync_refresh_period/8. |
|
|
|
sync_retries - INTEGER |
|
default 0 |
|
|
|
Defines sync retries with period of sync_refresh_period/8. Useful |
|
to protect against loss of sync messages. The range of the |
|
sync_retries is from 0 to 3. |
|
|
|
sync_qlen_max - UNSIGNED LONG |
|
|
|
Hard limit for queued sync messages that are not sent yet. It |
|
defaults to 1/32 of the memory pages but actually represents |
|
number of messages. It will protect us from allocating large |
|
parts of memory when the sending rate is lower than the queuing |
|
rate. |
|
|
|
sync_sock_size - INTEGER |
|
default 0 |
|
|
|
Configuration of SNDBUF (master) or RCVBUF (slave) socket limit. |
|
Default value is 0 (preserve system defaults). |
|
|
|
sync_ports - INTEGER |
|
default 1 |
|
|
|
The number of threads that master and backup servers can use for |
|
sync traffic. Every thread will use single UDP port, thread 0 will |
|
use the default port 8848 while last thread will use port |
|
8848+sync_ports-1. |
|
|
|
snat_reroute - BOOLEAN |
|
- 0 - disabled |
|
- not 0 - enabled (default) |
|
|
|
If enabled, recalculate the route of SNATed packets from |
|
realservers so that they are routed as if they originate from the |
|
director. Otherwise they are routed as if they are forwarded by the |
|
director. |
|
|
|
If policy routing is in effect then it is possible that the route |
|
of a packet originating from a director is routed differently to a |
|
packet being forwarded by the director. |
|
|
|
If policy routing is not in effect then the recalculated route will |
|
always be the same as the original route so it is an optimisation |
|
to disable snat_reroute and avoid the recalculation. |
|
|
|
sync_persist_mode - INTEGER |
|
default 0 |
|
|
|
Controls the synchronisation of connections when using persistence |
|
|
|
0: All types of connections are synchronised |
|
|
|
1: Attempt to reduce the synchronisation traffic depending on |
|
the connection type. For persistent services avoid synchronisation |
|
for normal connections, do it only for persistence templates. |
|
In such case, for TCP and SCTP it may need enabling sloppy_tcp and |
|
sloppy_sctp flags on backup servers. For non-persistent services |
|
such optimization is not applied, mode 0 is assumed. |
|
|
|
sync_version - INTEGER |
|
default 1 |
|
|
|
The version of the synchronisation protocol used when sending |
|
synchronisation messages. |
|
|
|
0 selects the original synchronisation protocol (version 0). This |
|
should be used when sending synchronisation messages to a legacy |
|
system that only understands the original synchronisation protocol. |
|
|
|
1 selects the current synchronisation protocol (version 1). This |
|
should be used where possible. |
|
|
|
Kernels with this sync_version entry are able to receive messages |
|
of both version 1 and version 2 of the synchronisation protocol.
|
|
|