mirror of
https://github.com/torvalds/linux.git
synced 2024-11-08 21:21:47 +00:00
40cb1f9bc5
Reported-by: Randy Dunlap <rdunlap@xenotime.net> Signed-off-by: Simon Horman <horms@verge.net.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
192 lines
7.4 KiB
Plaintext
192 lines
7.4 KiB
Plaintext
/proc/sys/net/ipv4/vs/* Variables:
|
|
|
|
am_droprate - INTEGER
|
|
default 10
|
|
|
|
It sets the always mode drop rate, which is used in the mode 3
|
|
of the drop_rate defense.
|
|
|
|
amemthresh - INTEGER
|
|
default 1024
|
|
|
|
It sets the available memory threshold (in pages), which is
|
|
used in the automatic modes of defense. When there is no
|
|
enough available memory, the respective strategy will be
|
|
enabled and the variable is automatically set to 2, otherwise
|
|
the strategy is disabled and the variable is set to 1.
|
|
|
|
conntrack - BOOLEAN
|
|
0 - disabled (default)
|
|
not 0 - enabled
|
|
|
|
If set, maintain connection tracking entries for
|
|
connections handled by IPVS.
|
|
|
|
This should be enabled if connections handled by IPVS are to be
|
|
also handled by stateful firewall rules. That is, iptables rules
|
|
that make use of connection tracking. It is a performance
|
|
optimisation to disable this setting otherwise.
|
|
|
|
Connections handled by the IPVS FTP application module
|
|
will have connection tracking entries regardless of this setting.
|
|
|
|
Only available when IPVS is compiled with CONFIG_IP_VS_NFCT enabled.
|
|
|
|
cache_bypass - BOOLEAN
|
|
0 - disabled (default)
|
|
not 0 - enabled
|
|
|
|
If it is enabled, forward packets to the original destination
|
|
directly when no cache server is available and destination
|
|
address is not local (iph->daddr is RTN_UNICAST). It is mostly
|
|
used in transparent web cache cluster.
|
|
|
|
debug_level - INTEGER
|
|
0 - transmission error messages (default)
|
|
1 - non-fatal error messages
|
|
2 - configuration
|
|
3 - destination trash
|
|
4 - drop entry
|
|
5 - service lookup
|
|
6 - scheduling
|
|
7 - connection new/expire, lookup and synchronization
|
|
8 - state transition
|
|
9 - binding destination, template checks and applications
|
|
10 - IPVS packet transmission
|
|
11 - IPVS packet handling (ip_vs_in/ip_vs_out)
|
|
12 or more - packet traversal
|
|
|
|
Only available when IPVS is compiled with CONFIG_IP_VS_DEBUG enabled.
|
|
|
|
Higher debugging levels include the messages for lower debugging
|
|
levels, so setting debug level 2, includes level 0, 1 and 2
|
|
messages. Thus, logging becomes more and more verbose the higher
|
|
the level.
|
|
|
|
drop_entry - INTEGER
|
|
0 - disabled (default)
|
|
|
|
The drop_entry defense is to randomly drop entries in the
|
|
connection hash table, just in order to collect back some
|
|
memory for new connections. In the current code, the
|
|
drop_entry procedure can be activated every second, then it
|
|
randomly scans 1/32 of the whole and drops entries that are in
|
|
the SYN-RECV/SYNACK state, which should be effective against
|
|
syn-flooding attack.
|
|
|
|
The valid values of drop_entry are from 0 to 3, where 0 means
|
|
that this strategy is always disabled, 1 and 2 mean automatic
|
|
modes (when there is no enough available memory, the strategy
|
|
is enabled and the variable is automatically set to 2,
|
|
otherwise the strategy is disabled and the variable is set to
|
|
1), and 3 means that that the strategy is always enabled.
|
|
|
|
drop_packet - INTEGER
|
|
0 - disabled (default)
|
|
|
|
The drop_packet defense is designed to drop 1/rate packets
|
|
before forwarding them to real servers. If the rate is 1, then
|
|
drop all the incoming packets.
|
|
|
|
The value definition is the same as that of the drop_entry. In
|
|
the automatic mode, the rate is determined by the follow
|
|
formula: rate = amemthresh / (amemthresh - available_memory)
|
|
when available memory is less than the available memory
|
|
threshold. When the mode 3 is set, the always mode drop rate
|
|
is controlled by the /proc/sys/net/ipv4/vs/am_droprate.
|
|
|
|
expire_nodest_conn - BOOLEAN
|
|
0 - disabled (default)
|
|
not 0 - enabled
|
|
|
|
The default value is 0, the load balancer will silently drop
|
|
packets when its destination server is not available. It may
|
|
be useful, when user-space monitoring program deletes the
|
|
destination server (because of server overload or wrong
|
|
detection) and add back the server later, and the connections
|
|
to the server can continue.
|
|
|
|
If this feature is enabled, the load balancer will expire the
|
|
connection immediately when a packet arrives and its
|
|
destination server is not available, then the client program
|
|
will be notified that the connection is closed. This is
|
|
equivalent to the feature some people requires to flush
|
|
connections when its destination is not available.
|
|
|
|
expire_quiescent_template - BOOLEAN
|
|
0 - disabled (default)
|
|
not 0 - enabled
|
|
|
|
When set to a non-zero value, the load balancer will expire
|
|
persistent templates when the destination server is quiescent.
|
|
This may be useful, when a user makes a destination server
|
|
quiescent by setting its weight to 0 and it is desired that
|
|
subsequent otherwise persistent connections are sent to a
|
|
different destination server. By default new persistent
|
|
connections are allowed to quiescent destination servers.
|
|
|
|
If this feature is enabled, the load balancer will expire the
|
|
persistence template if it is to be used to schedule a new
|
|
connection and the destination server is quiescent.
|
|
|
|
nat_icmp_send - BOOLEAN
|
|
0 - disabled (default)
|
|
not 0 - enabled
|
|
|
|
It controls sending icmp error messages (ICMP_DEST_UNREACH)
|
|
for VS/NAT when the load balancer receives packets from real
|
|
servers but the connection entries don't exist.
|
|
|
|
secure_tcp - INTEGER
|
|
0 - disabled (default)
|
|
|
|
The secure_tcp defense is to use a more complicated TCP state
|
|
transition table. For VS/NAT, it also delays entering the
|
|
TCP ESTABLISHED state until the three way handshake is completed.
|
|
|
|
The value definition is the same as that of drop_entry and
|
|
drop_packet.
|
|
|
|
sync_threshold - INTEGER
|
|
default 3
|
|
|
|
It sets synchronization threshold, which is the minimum number
|
|
of incoming packets that a connection needs to receive before
|
|
the connection will be synchronized. A connection will be
|
|
synchronized, every time the number of its incoming packets
|
|
modulus 50 equals the threshold. The range of the threshold is
|
|
from 0 to 49.
|
|
|
|
snat_reroute - BOOLEAN
|
|
0 - disabled
|
|
not 0 - enabled (default)
|
|
|
|
If enabled, recalculate the route of SNATed packets from
|
|
realservers so that they are routed as if they originate from the
|
|
director. Otherwise they are routed as if they are forwarded by the
|
|
director.
|
|
|
|
If policy routing is in effect then it is possible that the route
|
|
of a packet originating from a director is routed differently to a
|
|
packet being forwarded by the director.
|
|
|
|
If policy routing is not in effect then the recalculated route will
|
|
always be the same as the original route so it is an optimisation
|
|
to disable snat_reroute and avoid the recalculation.
|
|
|
|
sync_version - INTEGER
|
|
default 1
|
|
|
|
The version of the synchronisation protocol used when sending
|
|
synchronisation messages.
|
|
|
|
0 selects the original synchronisation protocol (version 0). This
|
|
should be used when sending synchronisation messages to a legacy
|
|
system that only understands the original synchronisation protocol.
|
|
|
|
1 selects the current synchronisation protocol (version 1). This
|
|
should be used where possible.
|
|
|
|
Kernels with this sync_version entry are able to receive messages
|
|
of both version 1 and version 2 of the synchronisation protocol.
|