
Re: Timeout questions

To: Laurent Lefoll <Laurent.Lefoll@xxxxxxxxxxxxx>
Subject: Re: Timeout questions
Cc: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
From: Julian Anastasov <ja@xxxxxx>
Date: Wed, 14 Feb 2001 20:33:19 +0000 (GMT)
        Hello,

On Wed, 14 Feb 2001, Laurent Lefoll wrote:

> Hi,
>
> If I am not misunderstanding something, the variable
> /proc/sys/net/ipv4/vs/timeout_established gives the time a TCP connection can be
> idle and after that the entry corresponding to this connection is cleared. My
> problem is that it seems that sometimes it's not the case. For example I have a
> system (2.2.16 and ipvs 0.9.15) with /proc/sys/net/ipv4/vs/timeout_established
> = 480 but the entries are created with a real timeout of 120 ! On another system

        Read http://www.linuxvirtualserver.org/defense.html
3. The secure_tcp defense strategy

        The above is the place where the timeouts are explained.
They are valid for the defense strategies only. For TCP EST state you
need to read the ipchains man page: ipchains -M -S 480 0 0

> I have the same value for  /proc/sys/net/ipv4/vs/timeout_established but the
> entries are created with a real timeout of 15 min. Are there any other
> parameters affecting the real timeout or am I wrong somewhere ?
>
> Another question : what is the usefulness of the ICMP packets that are sent when
> new packets arrive for a TCP connection that timed out in the LVS box ? I
> understand obviously for UDP but I don't see their role for a TCP connection...

        I assume your question is about the reply after
ip_vs_lookup_real_service.

        It is used to remove the open request in SYN_RECV state in the
real server. LVS replies for more states and maybe some OSes report
them as soft errors (Linux), others can report them as hard errors,
who knows.

> Thanks
>
> Laurent


Regards

--
Julian Anastasov <ja@xxxxxx>


