IPVSADM(8)                Linux Administrator's Guide               IPVSADM(8)



NAME

       ipvsadm - Linux Virtual Server administration


SYNOPSIS

       ipvsadm -A|E virtual-service [-s scheduler]
               [-p [timeout]] [-M netmask] [-b sched-flags]
       ipvsadm -D virtual-service
       ipvsadm -C
       ipvsadm -R
       ipvsadm -S [-n]
       ipvsadm -a|e virtual-service -r server-address
               [-g|i|m] [-w weight] [-x upper] [-y lower]
       ipvsadm -d virtual-service -r server-address
       ipvsadm -L|l [virtual-service] [options]
       ipvsadm -Z [virtual-service]
       ipvsadm --set tcp tcpfin udp
       ipvsadm --start-daemon state [daemon-options]
               [--syncid syncid]
       ipvsadm --stop-daemon state
       ipvsadm -h


DESCRIPTION

       Ipvsadm(8) is used to set up, maintain or inspect the virtual server
       table in the Linux kernel. The Linux Virtual Server can be used to
       build scalable network services based on a cluster of two or more
       nodes. The active node of the cluster redirects service requests to a
       collection of server hosts that will actually perform the services.
       Supported features include three protocols (TCP, UDP and SCTP), three
       packet-forwarding methods (NAT, tunneling, and direct routing), and
       eight load balancing algorithms (round robin, weighted round robin,
       least-connection, weighted least-connection, locality-based
       least-connection, locality-based least-connection with replication,
       destination-hashing, and source-hashing).

       The command has two basic formats for execution:

       ipvsadm COMMAND virtual-service
               [scheduling-method] [persistence options]

       ipvsadm command virtual-service
               server-address [packet-forwarding-method]
               [weight options]

       The first format manipulates a virtual service and the algorithm for
       assigning service requests to real servers. Optionally, a persistent
       timeout and network mask for the granularity of a persistent service
       and a persistence engine may be specified. The second format
       manipulates a real server that is associated with an existing virtual
       service. When specifying a real server, the packet-forwarding method
       and the weight of the real server, relative to other real servers for
       the virtual service, may be specified, otherwise defaults will be
       used.

   COMMANDS
       ipvsadm(8) recognises the commands described below. Upper-case commands
       maintain virtual services. Lower-case commands maintain real servers
       that are associated with a virtual service.

       -A, --add-service
              Add a virtual service. A service address is uniquely defined by
              a triplet: IP address, port number, and protocol. Alternatively,
              a virtual service may be defined by a firewall-mark.

       -E, --edit-service
              Edit a virtual service.

       -D, --delete-service
              Delete a virtual service, along with any associated real
              servers.

       -C, --clear
              Clear the virtual server table.

       -R, --restore
              Restore Linux Virtual Server rules from stdin. Each line read
              from stdin will be treated as the command line options to a
              separate invocation of ipvsadm. Lines read from stdin can
              optionally begin with "ipvsadm". This option is useful to avoid
              executing a large number of ipvsadm commands when constructing
              an extensive routing table.

       -S, --save
              Dump the Linux Virtual Server rules to stdout in a format that
              can be read by -R|--restore.

       -a, --add-server
              Add a real server to a virtual service.

       -e, --edit-server
              Edit a real server in a virtual service.

       -d, --delete-server
              Remove a real server from a virtual service.

       -L, -l, --list
              List the virtual server table if no argument is specified. If a
              service-address is selected, list this service only. If the -c
              option is selected, then display the connection table. The exact
              output is affected by the other arguments given.

       -Z, --zero
              Zero the packet, byte and rate counters in a service or all
              services.

       --set tcp tcpfin udp
              Change the timeout values used for IPVS connections. This
              command always takes 3 parameters, representing the timeout
              values (in seconds) for TCP sessions, TCP sessions after
              receiving a FIN packet, and UDP packets, respectively. A timeout
              value of 0 means that the current timeout value of the
              corresponding entry is preserved.

       --start-daemon state
              Start the connection synchronization daemon. The state
              indicates whether the daemon is started as master or backup.
              The connection synchronization daemon is implemented inside the
              Linux kernel. The master daemon running at the primary load
              balancer multicasts changes of connections periodically, and
              the backup daemon running at the backup load balancers receives
              the multicast messages and creates corresponding connections.
              Then, in case the primary load balancer fails, a backup load
              balancer will take over, and it has the state of almost all
              connections, so that almost all established connections can
              continue to access the service.

       The sync daemon supports IPv4 and IPv6 connections.

       --stop-daemon
              Stop the connection synchronization daemon.

       -h, --help
              Display a description of the command syntax.

   virtual-service
       Specifies the virtual service based on protocol/addr/port or firewall
       mark.

       -t, --tcp-service service-address
              Use TCP service. The service-address is of the form host[:port].
              Host may be one of a plain IP address or a hostname. Port may be
              either a plain port number or the service name of port. The Port
              may be omitted, in which case zero will be used. A Port of zero
              is only valid if the service is persistent as the -p|--persistent
              option, in which case it is a wild-card port, that is,
              connections will be accepted to any port.

       -u, --udp-service service-address
              Use UDP service. See the -t|--tcp-service for the description of
              the service-address.

       --sctp-service service-address
              Use SCTP service. See the -t|--tcp-service for the description
              of the service-address.

       -f, --fwmark-service integer
              Use a firewall-mark, an integer value greater than zero, to
              denote a virtual service instead of an address, port and
              protocol (UDP, TCP or SCTP). The marking of packets with a
              firewall-mark is configured using the -m|--mark option to
              iptables(8), the meta mark set value option to nft(8) or via an
              eBPF program. It can be used to build a virtual service
              associated with the same real servers, covering multiple IP
              address, port and protocol triplets. If IPv6 addresses are used,
              the -6 option must be used.

              Using firewall-mark virtual services provides a convenient
              method of grouping together different IP addresses, ports and
              protocols into a single virtual service. This is useful for both
              simplifying configuration if a large number of virtual services
              are required and grouping persistence across what would
              otherwise be multiple virtual services.

   PARAMETERS
       The commands above accept or require zero or more of the following
       parameters.

       -s, --scheduler scheduling-method
              scheduling-method   Algorithm for allocating TCP connections and
              UDP datagrams to real servers. Scheduling algorithms are
              implemented as kernel modules. Ten are shipped with the Linux
              Virtual Server:

              rr - Round Robin: distributes jobs equally amongst the available
              real servers.

              wrr - Weighted Round Robin: assigns jobs to real servers
              proportionally to the real servers' weight. Servers with higher
              weights receive new jobs first and get more jobs than servers
              with lower weights. Servers with equal weights get an equal
              distribution of new jobs.

              lc - Least-Connection: assigns more jobs to real servers with
              fewer active jobs.

              wlc - Weighted Least-Connection: assigns more jobs to servers
              with fewer jobs and relative to the real servers' weight
              (Ci/Wi). This is the default.

              lblc - Locality-Based Least-Connection: assigns jobs destined
              for the same IP address to the same server if the server is not
              overloaded and available; otherwise assigns jobs to servers with
              fewer jobs, and keeps that server for future assignment.

              lblcr - Locality-Based Least-Connection with Replication:
              assigns jobs destined for the same IP address to the
              least-connection node in the server set for the IP address. If
              all the nodes in the server set are overloaded, it picks a node
              with fewer jobs in the cluster and adds it to the server set for
              the target. If the server set has not been modified for the
              specified time, the most loaded node is removed from the server
              set, in order to avoid a high degree of replication.

              dh - Destination Hashing: assigns jobs to servers through
              looking up a statically assigned hash table by their destination
              IP addresses.

              sh - Source Hashing: assigns jobs to servers through looking up
              a statically assigned hash table by their source IP addresses.
              This scheduler has two flags: sh-fallback, which enables
              fallback to a different server if the selected server was
              unavailable, and sh-port, which adds the source port number to
              the hash computation.

              sed - Shortest Expected Delay: assigns an incoming job to the
              server with the shortest expected delay. The expected delay that
              the job will experience is (Ci + 1) / Ui if sent to the ith
              server, in which Ci is the number of jobs on the ith server and
              Ui is the fixed service rate (weight) of the ith server.

              nq - Never Queue: assigns an incoming job to an idle server if
              there is one, instead of waiting for a fast one; if all the
              servers are busy, it adopts the Shortest Expected Delay policy
              to assign the job.

              fo - Weighted Failover: assigns an incoming job to the server
              with the highest weight that is currently available.

              ovf - Weighted Overflow: assigns an incoming job to the server
              with the highest weight that is currently available and
              overflows to the next when active connections exceed the node's
              weight. Note that this scheduler might not be suitable for UDP
              because it only uses active connections.

              mh - Maglev Hashing: assigns incoming jobs based on Google's
              Maglev hashing algorithm, providing an almost equal share of
              jobs to each real server and minimal disruption. When the set of
              real servers changes, a connection will likely be sent to the
              same real server as it was before. This scheduler has two flags:
              mh-fallback, which enables fallback to a different server if the
              selected server was unavailable, and mh-port, which adds the
              source port number to the hash computation.

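       The following Python model, added here as an illustration and not
       taken from ipvsadm or the kernel, shows how the wlc, sed, nq and fo
       decisions above differ for one constructed pool, using the Ci/Wi and
       (Ci + 1)/Ui formulas from the descriptions. It also shows that a
       server given -w 0 (quiescent) keeps its existing jobs but gets no new
       ones. The server names, weights and the tie-breaking by pool order are
       this example's assumptions.

```python
"""Toy model of how several IPVS schedulers choose a real server.

Added example for illustration; this is not code from ipvsadm or the
Linux kernel. The pool below is constructed, and ties are broken by
pool order, which is an assumption rather than the kernel's behaviour.
"""
import copy
from dataclasses import dataclass


@dataclass
class RealServer:
    name: str
    weight: int          # -w weight (Wi / Ui); 0 marks a quiescent server
    active: int = 0      # Ci, connections currently assigned to the server
    available: bool = True


def eligible(pool):
    """Quiescent (weight 0) and unavailable servers receive no new jobs."""
    return [s for s in pool if s.weight > 0 and s.available]


def pick_wlc(pool):
    """wlc: fewest connections relative to weight, i.e. minimal Ci / Wi."""
    return min(eligible(pool), key=lambda s: s.active / s.weight)


def pick_sed(pool):
    """sed: minimal expected delay (Ci + 1) / Ui."""
    return min(eligible(pool), key=lambda s: (s.active + 1) / s.weight)


def pick_nq(pool):
    """nq: an idle server wins outright; otherwise fall back to sed."""
    idle = [s for s in eligible(pool) if s.active == 0]
    return idle[0] if idle else pick_sed(pool)


def pick_fo(pool):
    """fo: the available server with the highest weight."""
    return max(eligible(pool), key=lambda s: s.weight)


def simulate(pick, pool, jobs):
    """Assign `jobs` new connections one at a time and return the chosen
    server names. Works on a copy so the caller's pool is untouched."""
    pool = copy.deepcopy(pool)
    chosen = []
    for _ in range(jobs):
        server = pick(pool)
        server.active += 1
        chosen.append(server.name)
    return chosen


# Constructed pool: rs1 carries three times the weight of rs2; rs3 has
# been set quiescent with -w 0 and must not receive new jobs even though
# it still serves its existing five connections.
POOL = [
    RealServer("rs1", weight=3),
    RealServer("rs2", weight=1),
    RealServer("rs3", weight=0, active=5),
]

if __name__ == "__main__":
    for name, pick in [("wlc", pick_wlc), ("sed", pick_sed),
                       ("nq", pick_nq), ("fo", pick_fo)]:
        print(f"{name}: {simulate(pick, POOL, 4)}")
```

       Running it shows why sed and wlc diverge: wlc sends the second job to
       rs2 because its ratio 0/1 is lower than rs1's 1/3, while sed keeps
       sending to rs1 until (Ci + 1)/3 exceeds rs2's 1/1. nq differs from sed
       only while an idle server exists.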
       -p, --persistent [timeout]
              Specify that a virtual service is persistent. If this option is
              specified, multiple requests from a client are redirected to the
              same real server selected for the first request. Optionally,
              the timeout of persistent sessions may be specified in seconds,
              otherwise the default of 300 seconds will be used. This option
              may be used in conjunction with protocols such as SSL or FTP
              where it is important that clients consistently connect with
              the same real server.

              Note: If a virtual service is to handle FTP connections then
              persistence must be set for the virtual service if Direct
              Routing or Tunnelling is used as the forwarding mechanism. If
              Masquerading is used in conjunction with an FTP service then
              persistence is not necessary, but the ip_vs_ftp kernel module
              must be used. This module may be manually inserted into the
              kernel using insmod(8).

       -M, --netmask netmask
              Specify the granularity with which clients are grouped for
              persistent virtual services. The source address of the request
              is masked with this netmask to direct all clients from a network
              to the same real server. The default is 255.255.255.255, that
              is, the persistence granularity is per client host. Less
              specific netmasks may be used to resolve problems with
              non-persistent cache clusters on the client side. IPv6 netmasks
              should be specified as a prefix length between 1 and 128. The
              default prefix length is 128.

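       The following Python model, added here as an illustration and not
       taken from ipvsadm or the kernel, shows how -M and -p interact: the
       client address is masked with the netmask (IPv4 dotted quad) or prefix
       length (IPv6), everything that masks to the same network reuses the
       real server chosen for the first request, and the template expires
       after the -p timeout (300 seconds by default). The client addresses,
       the rs1/rs2/rs3 round-robin stand-in, the settable clock and the
       refresh-on-use behaviour are this example's assumptions.

```python
"""Model of persistence grouping by -M netmask and the -p timeout.

Added example, not ipvsadm or kernel code. The clients, the round-robin
pick function and the fake clock are constructed for illustration; the
assumption that a persistence template is refreshed on every use is
this example's simplification.
"""
import ipaddress
import itertools
import time

DEFAULT_PERSIST_TIMEOUT = 300   # seconds, the default for -p


def persistence_key(client_ip, netmask):
    """Mask the client address as -M does: an IPv4 dotted-quad netmask or
    an IPv6 prefix length. Everything in the same masked network shares
    one key and therefore one real server."""
    net = ipaddress.ip_network(f"{client_ip}/{netmask}", strict=False)
    return str(net)


class PersistenceTable:
    def __init__(self, netmask, timeout=DEFAULT_PERSIST_TIMEOUT,
                 clock=time.monotonic):
        self.netmask = netmask
        self.timeout = timeout
        self.clock = clock
        self.templates = {}        # key -> (real server, expiry time)

    def assign(self, client_ip, pick_server):
        """Return the real server for this client, reusing the template
        while it is unexpired, otherwise scheduling afresh."""
        key = persistence_key(client_ip, self.netmask)
        now = self.clock()
        entry = self.templates.get(key)
        if entry is not None and entry[1] > now:
            server = entry[0]
        else:
            server = pick_server()
        self.templates[key] = (server, now + self.timeout)
        return server


class FakeClock:
    """Settable clock so expiry can be demonstrated without sleeping."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t


def assign_all(netmask, clients, clock=None):
    """Run a constructed list of clients through a table whose scheduler
    hands out rs1, rs2, rs3 in turn (a stand-in for -s rr)."""
    rr = itertools.cycle(["rs1", "rs2", "rs3"])
    table = PersistenceTable(netmask, clock=clock or FakeClock())
    return [table.assign(c, lambda: next(rr)) for c in clients]


if __name__ == "__main__":
    print(assign_all("255.255.255.255", ["10.1.2.3", "10.1.2.77"]))
    print(assign_all("255.255.255.0", ["10.1.2.3", "10.1.2.77", "10.1.3.5"]))
    print(assign_all(64, ["2001:db8::1", "2001:db8::2"]))
```

       With the default /32 mask the two clients land on different servers;
       with 255.255.255.0 they share one, which is the effect wanted when a
       client-side cache cluster presents several source addresses from one
       network.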
       --pe persistence-engine
              Specify an alternative persistence engine to be used. Currently
              the only alternative persistence engine available is sip.

       -b, --sched-flags sched-flags
              Set scheduler flags for this virtual server. sched-flags is a
              comma-separated list of flags. See the scheduler descriptions
              for valid scheduler flags.

       -r, --real-server server-address
              Real server that an associated request for service may be
              assigned to. The server-address is the host address of a real
              server, optionally followed by a port. Host can be either a
              plain IP address or a hostname. Port can be either a plain port
              number or the service name of port. In the case of the
              masquerading method, the host address is usually an RFC 1918
              private IP address, and the port can be different from that of
              the associated service. With the tunneling and direct routing
              methods, port must be equal to that of the service address. For
              normal services, the port specified in the service address will
              be used if port is not specified. For fwmark services, port may
              be omitted, in which case the destination port on the real
              server will be the destination port of the request sent to the
              virtual service.

       [packet-forwarding-method]

              -g, --gatewaying  Use gatewaying (direct routing). This is the
              default.

              -i, --ipip  Use ipip encapsulation (tunneling).

                     --tun-type tun-type
                            tun-type is one of ipip|gue|gre. The default
                            value of tun-type is ipip.

                     --tun-port tun-port
                            tun-port is an integer specifying the
                            destination port. Only valid for tun-type gue.

                     --tun-nocsum
                            Specify that tunnel checksums are disabled. This
                            is the default. Only valid for tun-type gue and
                            gre.

                     --tun-csum
                            Specify that tunnel checksums are enabled. Only
                            valid for tun-type gue and gre.

                     --tun-remcsum
                            Specify that Remote Checksum Offload is enabled.
                            Only valid for tun-type gue.

              -m, --masquerading  Use masquerading (network address
              translation, or NAT).

              Note: Regardless of the packet-forwarding mechanism specified,
              real servers for addresses for which there are interfaces on the
              local node will use the local forwarding method, and packets
              for those servers will be passed to the upper layer on the local
              node. This cannot be specified by ipvsadm; rather it is set by
              the kernel as real servers are added or modified.

       -w, --weight weight
              Weight is an integer specifying the capacity of a server
              relative to the others in the pool. The valid values of weight
              are 0 through to 65535. The default is 1. Quiescent servers are
              specified with a weight of zero. A quiescent server will receive
              no new jobs but still serve the existing jobs, for all
              scheduling algorithms distributed with the Linux Virtual Server.
              Setting a quiescent server may be useful if the server is
              overloaded or needs to be taken out of service for maintenance.

       -x, --u-threshold uthreshold
              uthreshold is an integer specifying the upper connection
              threshold of a server. The valid values of uthreshold are 0
              through to 65535. The default is 0, which means the upper
              connection threshold is not set. If uthreshold is set to another
              value, no new connections will be sent to the server when the
              number of its connections exceeds its upper connection
              threshold.

       -y, --l-threshold lthreshold
              lthreshold is an integer specifying the lower connection
              threshold of a server. The valid values of lthreshold are 0
              through to 65535. The default is 0, which means the lower
              connection threshold is not set. If lthreshold is set to another
              value, the server will receive new connections when the number
              of its connections drops below its lower connection threshold.
              If lthreshold is not set but uthreshold is set, the server will
              receive new connections when the number of its connections
              drops below three quarters of its upper connection threshold.

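       The upper and lower thresholds form a hysteresis: a server that has
       exceeded -x stays closed to new connections until its count falls
       below -y, or below three quarters of -x when -y is unset. The
       following Python model, added here as an illustration and not taken
       from ipvsadm or the kernel, walks a constructed sequence of connect
       and close events through that rule; the event strings and the
       check-after-each-event structure are this example's assumptions.

```python
"""Model of the -x/--u-threshold and -y/--l-threshold hysteresis.

Added example, not ipvsadm or kernel code. The event strings used with
run() are constructed; the check-after-each-event structure is this
model's own.
"""
from dataclasses import dataclass


@dataclass
class ThresholdedServer:
    name: str
    uthreshold: int = 0     # -x: 0 means no upper threshold
    lthreshold: int = 0     # -y: 0 means derive the lower bound from -x
    active: int = 0
    overloaded: bool = False

    def lower_bound(self):
        """Connections must drop below this before new ones are accepted:
        lthreshold if set, otherwise three quarters of uthreshold."""
        if self.lthreshold:
            return self.lthreshold
        return self.uthreshold * 3 // 4

    def on_connect(self):
        self.active += 1
        if self.uthreshold and self.active > self.uthreshold:
            self.overloaded = True

    def on_close(self):
        self.active -= 1
        if self.overloaded and self.active < self.lower_bound():
            self.overloaded = False

    def accepts_new(self):
        return not self.overloaded


def run(server, events):
    """Apply a constructed event string ('c' connect, 'x' close) and
    return whether the server would accept a new connection after each."""
    states = []
    for ev in events:
        if ev == "c":
            server.on_connect()
        else:
            server.on_close()
        states.append(server.accepts_new())
    return states


if __name__ == "__main__":
    # -x 8 with no -y: closes at the 9th connection, reopens below 6
    print(run(ThresholdedServer("rs1", uthreshold=8), "c" * 9 + "x" * 4))
    # -x 8 -y 2: reopens only once the count has dropped below 2
    print(run(ThresholdedServer("rs1", uthreshold=8, lthreshold=2),
              "c" * 9 + "x" * 8))
```

       The gap between the two thresholds is what stops a server at the
       boundary from flapping in and out of rotation on every connection.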
       -c, --connection
              Connection output. The list command with this option will list
              current IPVS connections.

       --timeout
              Timeout output. The list command with this option will display
              the timeout values (in seconds) for TCP sessions, TCP sessions
              after receiving a FIN packet, and UDP packets.

       --daemon
              Daemon information output. The list command with this option
              will display the daemon status and its multicast interface.

       --stats
              Output of statistics information. The list command with this
              option will display the statistics information of services and
              their servers.

       --rate Output of rate information. The list command with this option
              will display the rate information (such as connections/second,
              bytes/second and packets/second) of services and their servers.

       --thresholds
              Output of thresholds information. The list command with this
              option will display the upper/lower connection threshold
              information of each server in the service listing.

       --persistent-conn
              Output of persistent connection information. The list command
              with this option will display the persistent connection counter
              information of each server in the service listing. The
              persistent connection is used to forward the actual connections
              from the same client/network to the same server.

              The list command with the -c, --connection option and this
              option will include persistence engine data, if any is present,
              when listing connections.

       --tun-info
              Output of tunneling information. The list command with this
              option will display the tunneling information of services and
              their servers.

       --sort Sort the list of virtual services and real servers. The virtual
              service entries are sorted in ascending order by <protocol,
              address, port>. The real server entries are sorted in ascending
              order by <address, port>. (default)

       --nosort
              Do not sort the list of virtual services and real servers.

       -n, --numeric
              Numeric output. IP addresses and port numbers will be printed
              in numeric format rather than as host names and services
              respectively, which is the default.

       --exact
              Expand numbers. Display the exact value of the packet and byte
              counters, instead of only the rounded number in K's (multiples
              of 1000), M's (multiples of 1000K) or G's (multiples of 1000M).
              This option is only relevant for the -L command.

       -6, --ipv6
              Use with -f to signify that the fwmark rule uses IPv6 addresses.

       -o, --ops
              One-packet scheduling. Used in conjunction with a UDP virtual
              service or a fwmark virtual service that handles only UDP
              packets. All connections are created such that they only
              schedule one packet.

   PARAMETERS FOR SYNCHRONIZATION DAEMON
       The --start-daemon requires zero or more of the following parameters.

       --syncid syncid
              Specify the syncid that the sync master daemon fills in the
              SyncID header while sending multicast messages, or that the sync
              backup daemon uses to filter out multicast messages not matching
              the SyncID value. The valid values of syncid are 0 through to
              255. The default is 0, which means no filtering at all.

       --sync-maxlen length
              Specify the desired length of sync messages (UDP payload size).
              It is expected that the backup server will use a value not less
              than the value used on the master server. The valid values of
              length are in the 1 .. (65535 - 20 - 8) range, but the kernel
              ensures space for at least one sync message. If the value is
              larger than the MTU, the sync messages will be fragmented by the
              IP layer. The default value is derived from the MTU value when
              the daemon is started, but the master daemon will not default to
              a value above 1500 for compatibility reasons.

       --mcast-interface interface
              Specify the multicast interface that the sync master daemon
              sends outgoing multicasts through, or the sync backup daemon
              listens to for multicasts.

       --mcast-group address
              Specify the IPv4 or IPv6 multicast address for the sync
              messages. The default value is 224.0.0.81.

       --mcast-port port
              Specify the UDP port for sync messages. The default value is
              8848.

       --mcast-ttl ttl
              Specify the TTL value for sync messages (1 .. 255). The default
              value is 1.


EXAMPLE 1 - Simple Virtual Service

       The following commands configure a Linux Director to distribute
       incoming requests addressed to port 80 on 207.175.44.110 equally to
       port 80 on five real servers. The forwarding method used in this
       example is NAT, with each of the real servers being masqueraded by the
       Linux Director.

       ipvsadm -A -t 207.175.44.110:80 -s rr
       ipvsadm -a -t 207.175.44.110:80 -r 192.168.10.1:80 -m
       ipvsadm -a -t 207.175.44.110:80 -r 192.168.10.2:80 -m
       ipvsadm -a -t 207.175.44.110:80 -r 192.168.10.3:80 -m
       ipvsadm -a -t 207.175.44.110:80 -r 192.168.10.4:80 -m
       ipvsadm -a -t 207.175.44.110:80 -r 192.168.10.5:80 -m

       Alternatively, this could be achieved in a single ipvsadm command.

       echo "
       -A -t 207.175.44.110:80 -s rr
       -a -t 207.175.44.110:80 -r 192.168.10.1:80 -m
       -a -t 207.175.44.110:80 -r 192.168.10.2:80 -m
       -a -t 207.175.44.110:80 -r 192.168.10.3:80 -m
       -a -t 207.175.44.110:80 -r 192.168.10.4:80 -m
       -a -t 207.175.44.110:80 -r 192.168.10.5:80 -m
       " | ipvsadm -R

       As masquerading is used as the forwarding mechanism in this example,
       the default route of the real servers must be set to the Linux
       Director, which will need to be configured to forward and masquerade
       packets. This can be achieved using the following commands:

       echo "1" > /proc/sys/net/ipv4/ip_forward


EXAMPLE 2 - Firewall-Mark Virtual Service

       The following commands configure a Linux Director to distribute
       incoming requests addressed to any port on 207.175.44.110 or
       207.175.44.111 equally to the corresponding port on five real servers.
       As per the previous example, the forwarding method used in this
       example is NAT, with each of the real servers being masqueraded by the
       Linux Director.

       ipvsadm -A -f 1  -s rr
       ipvsadm -a -f 1 -r 192.168.10.1:0 -m
       ipvsadm -a -f 1 -r 192.168.10.2:0 -m
       ipvsadm -a -f 1 -r 192.168.10.3:0 -m
       ipvsadm -a -f 1 -r 192.168.10.4:0 -m
       ipvsadm -a -f 1 -r 192.168.10.5:0 -m

       As masquerading is used as the forwarding mechanism in this example,
       the default route of the real servers must be set to the Linux
       Director, which will need to be configured to forward and masquerade
       packets. The real server should also be configured to mark incoming
       packets addressed to any port on 207.175.44.110 and 207.175.44.111
       with firewall-mark 1. If FTP traffic is to be handled by this virtual
       service, then the ip_vs_ftp kernel module needs to be inserted into
       the kernel. These operations can be achieved using the following
       commands:

       echo "1" > /proc/sys/net/ipv4/ip_forward
       modprobe ip_tables
       iptables -A PREROUTING -t mangle -d 207.175.44.110/31 -j MARK --set-mark 1
       modprobe ip_vs_ftp


EXAMPLE 3 - Virtual Service with GUE Tunneling

       The following commands configure a Linux Director to distribute
       incoming requests addressed to port 80 on 207.175.44.110 equally to
       port 80 on five real servers. The forwarding method used in this
       example is tunneling with gue encapsulation.

       ipvsadm -A -t 207.175.44.110:80 -s rr
       ipvsadm -a -t 207.175.44.110:80 -r 192.168.10.1:80 -i --tun-type gue --tun-port 6080 --tun-nocsum
       ipvsadm -a -t 207.175.44.110:80 -r 192.168.10.2:80 -i --tun-type gue --tun-port 6080 --tun-csum
       ipvsadm -a -t 207.175.44.110:80 -r 192.168.10.3:80 -i --tun-type gue --tun-port 6080 --tun-remcsum
       ipvsadm -a -t 207.175.44.110:80 -r 192.168.10.4:80 -i --tun-type gue --tun-port 6078
       ipvsadm -a -t 207.175.44.110:80 -r 192.168.10.5:80 -i --tun-type gue --tun-port 6079

       Alternatively, this could be achieved in a single ipvsadm command.

       echo "
       -A -t 207.175.44.110:80 -s rr
       -a -t 207.175.44.110:80 -r 192.168.10.1:80 -i --tun-type gue --tun-port 6080 --tun-nocsum
       -a -t 207.175.44.110:80 -r 192.168.10.2:80 -i --tun-type gue --tun-port 6080 --tun-csum
       -a -t 207.175.44.110:80 -r 192.168.10.3:80 -i --tun-type gue --tun-port 6080 --tun-remcsum
       -a -t 207.175.44.110:80 -r 192.168.10.4:80 -i --tun-type gue --tun-port 6078
       -a -t 207.175.44.110:80 -r 192.168.10.5:80 -i --tun-type gue --tun-port 6079
       " | ipvsadm -R


EXAMPLE 4 - Virtual Service with GRE Tunneling

       The following commands configure a Linux Director to use GRE
       encapsulation.

       ipvsadm -A -t 10.0.0.1:80 -s rr
       ipvsadm -a -t 10.0.0.1:80 -r 192.168.11.1:80 -i --tun-type gre --tun-csum


IPv6

       IPv6 addresses should be surrounded by square brackets ([ and ]).

       ipvsadm -A -t [2001:db8::80]:80 -s rr
       ipvsadm -a -t [2001:db8::80]:80 -r [2001:db8::a0a0]:80 -m

       fwmark IPv6 services require the -6 option.


NOTES

       The Linux Virtual Server implements three defense strategies against
       some types of denial of service (DoS) attacks. The Linux Director
       creates an entry for each connection in order to keep its state, and
       each entry occupies 128 bytes of effective memory. LVS's vulnerability
       to a DoS attack lies in the potential to increase the number of
       entries as much as possible until the Linux Director runs out of
       memory. The three defense strategies against the attack are: randomly
       drop some entries in the table; drop 1/rate packets before forwarding
       them; and use a secure TCP state transition table and short timeouts.
       The strategies are controlled by sysctl variables and corresponding
       entries in the /proc filesystem:

       /proc/sys/net/ipv4/vs/drop_entry
       /proc/sys/net/ipv4/vs/drop_packet
       /proc/sys/net/ipv4/vs/secure_tcp

       Valid values for each variable are 0 through to 3. The default value is
       0, which disables the respective defense strategy. 1 and 2 are
       automatic modes: when there is not enough available memory, the
       respective strategy will be enabled and the variable is automatically
       set to 2; otherwise the strategy is disabled and the variable is set to
       1. A value of 3 denotes that the respective strategy is always enabled.
       The available memory threshold and secure TCP timeouts can be tuned
       using the sysctl variables and corresponding entries in the /proc
       filesystem:

       /proc/sys/net/ipv4/vs/amemthresh
       /proc/sys/net/ipv4/vs/timeout_*

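       Because all three strategies default to 0, a director can be left
       without any of them after installation. The following Python script,
       added here as an illustration and not part of ipvsadm, reads
       drop_entry, drop_packet, secure_tcp and amemthresh from a directory
       (the real /proc/sys/net/ipv4/vs by default) and reports the mode each
       value denotes using the 0..3 semantics above, warning about any
       strategy still at 0. The fixture directory it builds when run off a
       director, and the values in it, are constructed for the example.

```python
"""Audit the LVS DoS-defense sysctls described in NOTES.

Added example, not part of ipvsadm. It reads the drop_entry, drop_packet,
secure_tcp and amemthresh files from a directory (by default the real
/proc/sys/net/ipv4/vs) and reports the mode each value denotes. The
fixture written by make_fixture() is constructed for illustration.
"""
import os
import tempfile

VS_DIR = "/proc/sys/net/ipv4/vs"
STRATEGIES = ("drop_entry", "drop_packet", "secure_tcp")

MODES = {
    0: "disabled",
    1: "automatic, currently off (enough memory available)",
    2: "automatic, currently on (memory below amemthresh)",
    3: "always enabled",
}


def describe(name, value):
    """Map a sysctl value to the meaning given in NOTES; anything outside
    0..3 is flagged rather than guessed at."""
    if value not in MODES:
        return f"{name}: unexpected value {value}"
    return f"{name}: {value} ({MODES[value]})"


def audit(values):
    """values: mapping of sysctl name -> int. Returns (findings, warnings).
    A strategy left at 0 is reported as a warning, since that is the
    default and leaves the director without that defense."""
    findings = [describe(n, values[n]) for n in STRATEGIES if n in values]
    warnings = [f"{n} is 0: defense disabled" for n in STRATEGIES
                if values.get(n) == 0]
    if "amemthresh" in values:
        findings.append(f"amemthresh: {values['amemthresh']}")
    return findings, warnings


def read_values(directory=VS_DIR):
    """Read each sysctl file that exists; missing files are skipped so
    the audit also runs on kernels without a given knob."""
    values = {}
    for name in STRATEGIES + ("amemthresh",):
        path = os.path.join(directory, name)
        if os.path.exists(path):
            with open(path) as f:
                values[name] = int(f.read().strip())
    return values


def make_fixture():
    """Constructed stand-in for /proc/sys/net/ipv4/vs: one strategy in
    each of three modes, so the report is easy to read."""
    directory = tempfile.mkdtemp(prefix="lvs-audit-")
    for name, value in (("drop_entry", 0), ("drop_packet", 1),
                        ("secure_tcp", 3), ("amemthresh", 1024)):
        with open(os.path.join(directory, name), "w") as f:
            f.write(f"{value}\n")
    return directory


if __name__ == "__main__":
    directory = VS_DIR if os.path.isdir(VS_DIR) else make_fixture()
    findings, warnings = audit(read_values(directory))
    print("\n".join(findings + warnings))
```

       On a real director the script needs only read access to /proc; a
       value of 2 on any strategy is worth attention on its own, since it
       means the kernel has already crossed the amemthresh boundary and
       switched the defense on.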

FILES

       /proc/net/ip_vs
       /proc/net/ip_vs_app
       /proc/net/ip_vs_conn
       /proc/net/ip_vs_stats
       /proc/sys/net/ipv4/vs/am_droprate
       /proc/sys/net/ipv4/vs/amemthresh
       /proc/sys/net/ipv4/vs/drop_entry
       /proc/sys/net/ipv4/vs/drop_packet
       /proc/sys/net/ipv4/vs/secure_tcp
       /proc/sys/net/ipv4/vs/timeout_close
       /proc/sys/net/ipv4/vs/timeout_closewait
       /proc/sys/net/ipv4/vs/timeout_established
       /proc/sys/net/ipv4/vs/timeout_finwait
       /proc/sys/net/ipv4/vs/timeout_icmp
       /proc/sys/net/ipv4/vs/timeout_lastack
       /proc/sys/net/ipv4/vs/timeout_listen
       /proc/sys/net/ipv4/vs/timeout_synack
       /proc/sys/net/ipv4/vs/timeout_synrecv
       /proc/sys/net/ipv4/vs/timeout_synsent
       /proc/sys/net/ipv4/vs/timeout_timewait
       /proc/sys/net/ipv4/vs/timeout_udp


SEE ALSO

       The LVS web site (http://www.linuxvirtualserver.org/) for more
       documentation about LVS.

       ipvsadm-save(8), ipvsadm-restore(8), iptables(8),
       insmod(8), modprobe(8)


AUTHORS

       ipvsadm - Wensong Zhang <wensong@linuxvirtualserver.org>
              Peter Kese <peter.kese@ijs.si>
       man page - Mike Wangsmo <wanger@redhat.com>
               Wensong Zhang <wensong@linuxvirtualserver.org>
               Horms <horms@verge.net.au>



4th Berkeley Distribution        5th July 2003                      IPVSADM(8)