Re: timeout in fedora c2

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: timeout in fedora c2
From: Roberto Nibali <ratz@xxxxxxxxxxxx>
Date: Wed, 11 Aug 2004 08:15:48 +0200
Hi,

Load ip_conntrack and walk the
/proc/sys/net/ipv4/netfilter tree and wonders shall hit the earth ...


Thanks for the info. And do you think it will be used
along with secure_tcp defense strategy as
http://www.linux-vs.org/docs/defense.html described to
replace the timeouts mentioned.

I don't know (I've been out of the development loop for about a year) but I rather think not since they look kind of orthogonal to the existing netfilter timers which only got added about 6 months or so ago. One of the issues in fiddling with those timers is that they influence too much of the rest of the stack.

I also don't think the documentation is up to date anymore; it should be adjusted to reflect the current state of operation. As it is, it only confuses people who don't want to or can't read the kernel code.

If you're interested, check out the following paths:

net/ipv4/ipvs/ip_vs_ctl.c:ip_vs_sysctl_defense_mode()
net/ipv4/ipvs/ip_vs_ctl.c:update_defense_level()
net/ipv4/ipvs/ip_vs_ctl.c:ip_vs_secure_tcp_set()
net/ipv4/ipvs/ip_vs_conn.c:"set state table, according to proc-fs value"

from there you set the TCP state transition table. If you have the secure_tcp sysctl set, the kernel will be dealing with the vs_tcp_states_dos state transition table, if you have it unset, it will be dealing with the normal vs_tcp_states table.

The related timers for the state transitions are vs_timeout_table{_dos}. In former days you could influence those timers via proc-fs. Nowadays we seem to switch to the *_dos timer model under attack, according to the comment in the code. But this is not correct. It should read that as soon as the sysctl for tcp_defense is set, we will also be using the *_dos table timers along with the vs_tcp_states_dos state transition table.

Conclusion: The disabled proc-fs values have been replaced by a static hardcoded mapping of the timers for tcp_defense. I could imagine that not a lot of people really used to tweak those parameters anyway.

HTH and best regards,
Roberto Nibali, ratz
--
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc