Index: ipvsadm.8 =================================================================== RCS file: /home/umcvs/cvs/ipvs-1.0/ipvs/ipvsadm/ipvsadm.8,v retrieving revision 1.1.1.6 diff -u -r1.1.1.6 ipvsadm.8 --- ipvsadm.8 15 Nov 2002 02:22:55 -0000 1.1.1.6 +++ ipvsadm.8 24 Apr 2003 04:24:48 -0000 @@ -13,7 +13,8 @@ .\" Wensong Zhang : Added a short note about the defense strategies .\" Horms : Tidy up some of the description and the .\" grammar in the -f and sysctl sections -.\" Wensong Zhang : --set option description taken from ipchains(8) +.\" Wensong Zhang : -set option description taken from ipchains(8) +.\" Horms : Document of all proc entries. .\" .\" This program is free software; you can redistribute it and/or modify .\" it under the terms of the GNU General Public License as published by @@ -71,7 +72,7 @@ nodes. The active node of the cluster redirects service requests to a collection of server hosts that will actually perform the services. Supported features include two protocols (TCP and UDP), -three packet-forwarding methods (NAT, tunneling, and direct routing), +three packet-forwarding methods (NAT, tunnelling, and direct routing), and eight load balancing algorithms (round robin, weighted round robin, least-connection, weighted least-connection, locality-based least-connection, locality-based least-connection with replication, 
@@ -152,21 +153,32 @@ seconds) for TCP sessions, TCP sessions after receiving a FIN packet, and UDP packets, respectively. A timeout value 0 means that the current timeout value of the corresponding entry is preserved. +Please also see the notes entries in the proc filesystem for various +timeouts below. .TP -.B --start-daemon \fIstate\fP -Start the connection synchronization daemon. The \fIstate\fP is to -indicate that the daemon is started as \fImaster\fP or \fIbackup\fP. The -connection synchronization daemon is implemented inside the Linux -kernel. The master daemon running at the primary load balancer +.B --start-daemon \fImaster|backup\fP +Start the connection synchronisation daemon. The +connection synchronisation daemon is implemented inside the Linux +kernel. The master daemon running on the primary load balancer multicasts changes of connections periodically, and the backup daemon -running at the backup load balancers receives multicast message and -creates corresponding connections. Then, in case the primary load -balancer fails, a backup load balancer will takeover, and it has state -of almost all connections, so that almost all established connections +running on the backup load balancers receives multicast message and +creates corresponding connections. Then, if the primary load +balancer fails and backup load balancer takes over, it has the state +of almost all connections. Thus, almost all established connections can continue to access the service. +.sp +The the behaviour of the synchronisation daemon can be manipulated through +an entry in the proc filesystem . Values outside of the valid range given +will be rounded up or down as necessary. +.sp +/proc/sys/net/ipv4/vs/sync_threshold sets the synchronisation threshold \- +the minimum number of packets a connection needs to receive before it will +be synchronised. The default is 3 and the useful range is from 0 to 50. 
+Once this threshold is passed the connection will be synchronised every 50th +packet. .TP .B --stop-daemon -Stop the connection synchronization daemon. +Stop the connection synchronisation daemon. .TP \fB-h, --help\fR Display a description of the command syntax. @@ -192,8 +204,8 @@ virtual service instead of an address, port and protocol (UDP or TCP). The marking of packets with a firewall-mark is configured using the -m|--mark option to \fBiptables\fR(8). It can be used to build a -virtual service assoicated with the same real servers, covering -multiple IP addresss, port and protocol tripplets. +virtual service associated with the same real servers, covering +multiple IP address, port and protocol triplets. .sp Using firewall-mark virtual services provides a convenient method of grouping together different IP addresses, ports and protocols into a @@ -275,10 +287,10 @@ service name of port. In the case of the masquerading method, the host address is usually an RFC 1918 private IP address, and the port can be different from that of the associated service. With the -tunneling and direct routing methods, \fIport\fP must be equal to that +tunnelling and direct routing methods, \fIport\fP must be equal to that of the service address. For normal services, the port specified in the service address will be used if \fIport\fP is not specified. For -fwmark services, \fIport\fP may be ommitted, in which case the +fwmark services, \fIport\fP may be omitted, in which case the destination port on the real server will be the destination port of the request sent to the virtual service. .TP @@ -286,7 +298,7 @@ .sp \fB-g, --gatewaying\fR Use gatewaying (direct routing). This is the default. .sp -\fB-i, --ipip\fR Use ipip encapsulation (tunneling). +\fB-i, --ipip\fR Use ipip encapsulation (tunnelling). .sp \fB-m, --masquerading\fR Use masquerading (network access translation, or NAT). .sp 
@@ -415,34 +427,140 @@ modprobe ip_vs_ftp .fi .SH NOTES -The Linux Virtual Server implements three defense strategies against +.B Denial of Service Attack Protection +.PP +The Linux Virtual Server implements three defence strategies against some types of denial of service (DoS) attacks. The Linux Director creates an entry for each connection in order to keep its state, and each entry occupies 128 bytes effective memory. LVS's vulnerability to a DoS attack lies in the potential to increase the number entries as much as possible until the linux director runs out of memory. The -three defense strategies against the attack are: Randomly drop some +three defence strategies against the attack are: Randomly drop some entries in the table. Drop 1/rate packets before forwarding them. And use secure tcp state transition table and short timeouts. The strategies are controlled by sysctl variables and corresponding -entries in the /proc filesystem: -.sp +entries in the proc filesystem: +.TP /proc/sys/net/ipv4/vs/drop_entry +.TP /proc/sys/net/ipv4/vs/drop_packet +.TP /proc/sys/net/ipv4/vs/secure_tcp .PP Valid values for each variable are 0 through to 3. The default value -is 0, which disables the respective defense strategy. 1 and 2 are +is 0, which disables the respective defence strategy. 1 and 2 are automatic modes - when there is no enough available memory, the respective strategy will be enabled and the variable is automatically set to 2, otherwise the strategy is disabled and the variable is set to 1. A value of 3 denotes that the respective strategy is always enabled. The available memory threshold and secure TCP timeouts can be tuned using the sysctl variables and corresponding entries in the -/proc filesystem: -.sp +proc filesystem: +.TP /proc/sys/net/ipv4/vs/amemthresh -/proc/sys/net/ipv4/vs/timeout_* +Threshold to activate DoS protection strategies which have been set to +automatic (1 or 2). The value is in kernel pages, 4096 bytes on +ia-32 architecture. 
Once the number of free kernel pages falls below this +value the strategy will be enabled. Once the number of free kernel pages +returns above this value the strategy will be disabled. The default is +1024. +.sp +If the drop_packet strategy has been set to automatic, then the +rate at which packets are dropped is +amemthresh/(amemthresh-free_pages). +That is 1 in amemthresh/(amemthresh-free_pages) packets will be dropped. +.TP +/proc/sys/net/ipv4/vs/am_droprate +Determines the rate at which packets are dropped if +the drop_packet stratergy is always enabled (set to 3). +Default is 10. That is 1 in 10 packets will be dropped. +.PP +\fBNote:\fR If the drop_entry stragergy is being used then +the function which entries is dropped is currently hard-coded +and can only be tuned by manipulating the source. +.PP +.B Timeouts +.PP +In addition to the \-\-set option which is documented above, the timeouts +for LVS in various states can be manipulated in various states using the +entries in the proc filesystem. For each entry the values are in seconds. +.TP +/proc/sys/net/ipv4/vs/timeout_close +Timeout for TCP connections in the close-state. +Default: 10 +.TP +/proc/sys/net/ipv4/vs/timeout_closewait +Timeout for TCP connections in the close-wait state. +Default: 60 +.TP +/proc/sys/net/ipv4/vs/timeout_established +Timeout for established TCP connections. +Default: 480. +.TP +/proc/sys/net/ipv4/vs/timeout_finwait +Timeout for TCP connections in the fin-wait state. +Default: 60 +.TP +/proc/sys/net/ipv4/vs/timeout_icmp +Timeout for ICMP replies. +Default: 60 +.TP +/proc/sys/net/ipv4/vs/timeout_lastack +Timeout for TCP connections in the last-ack state. 
+Default: 30 +.TP +/proc/sys/net/ipv4/vs/timeout_listen +Timeout for TCP connections in the LISTEN state +Default:120 +.TP +/proc/sys/net/ipv4/vs/timeout_synack +Timeout for TCP connections in the syn-ack state +Default:100 +.TP +/proc/sys/net/ipv4/vs/timeout_synrecv +Timeout for TCP connections in the syn-recv state +Default:10 +.TP +/proc/sys/net/ipv4/vs/timeout_synsent +Timeout for TCP connections in the syn-sent state +Default:60 +.TP +/proc/sys/net/ipv4/vs/timeout_timewait +Timeout for TCP connections in the time-wait state +Default:60 +.TP +/proc/sys/net/ipv4/vs/timeout_udp +Timeout for UDP connections. +Default: 180 +.PP +.B Cache Bypass +.PP +When the LVS real servers are transparent proxy caches +it is desirable that if none of the real servers are available +requests should be send directly to their intended destination. +This can be achieved by setting /proc/sys/net/ipv4/vs/cache_bypass to 1. +By default this entry in the proc filesystem +is 0 and the feature is disabled. This feature only works in +conjunction with firewall mark virtual services. And it only +works if the destination is non-local. +.PP +.B Expire Destination +.PP +If a real server is unavailable, LVS will continue to silently +drop packets. This behaviour can be changed by setting +/proc/sys/net/ipv4/vs/expire_nodest_conn to 1. When this is set LVS will +expire the connection immediately if the real server is not available. +Essentially this will flush the connections for the failed real server. +Presumably allowing end-users to establish new connections. By default +this entry in the proc filesystem is 0 and the feature is disabled. +.PP +.B ICMP Messages for Unknown NAT Connections +.PP +When LVS-NAT is in use and a real server sends an ICMP message +for an unknown connection, the message is dropped. +This behaviour can be changed by setting +/proc/sys/net/ipv4/vs/nat_icmp_send to 1. By default +this entry in the proc filesystem is 0 and the feature is disabled. 
.SH FILES .I /proc/net/ip_vs .br @@ -456,12 +574,20 @@ .br .I /proc/sys/net/ipv4/vs/amemthresh .br +.I /proc/sys/net/ipv4/vs/cache_bypass +.br .I /proc/sys/net/ipv4/vs/drop_entry .br .I /proc/sys/net/ipv4/vs/drop_packet .br +.I /proc/sys/net/ipv4/vs/expire_nodest_conn +.br +.I /proc/sys/net/ipv4/vs/nat_icmp_send +.br .I /proc/sys/net/ipv4/vs/secure_tcp .br +.I /proc/sys/net/ipv4/vs/sync_threshold +.br .I /proc/sys/net/ipv4/vs/timeout_close .br .I /proc/sys/net/ipv4/vs/timeout_closewait @@ -493,5 +619,5 @@ Peter Kese man page - Mike Wangsmo Wensong Zhang - Horms + Horms .fi
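Review bot: the changelog comment in the first hunk changes `--set` to `-set`, but the option it refers to is `--set` (the Timeouts section added later in this same patch spells it `\-\-set`); this looks like an accidental edit and should be reverted. The new line `.\" Horms : Document of all proc entries.` should read `Documentation of all proc entries.`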
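Review bot: duplicated word in `+The the behaviour of the synchronisation daemon can be manipulated through`, and a stray space before the full stop in `+an entry in the proc filesystem .` in the `--start-daemon` hunk. `+running on the backup load balancers receives multicast message and` is missing an article (`receives multicast messages`). The hunk also says `Values outside of the valid range given will be rounded up or down as necessary` and then gives only a `useful range is from 0 to 50` for `sync_threshold`; state which range is actually clamped by the kernel and which is merely recommended, since a reader cannot tell whether writing 100 yields 50 or 100.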
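Review bot: in the NOTES hunk the three bare `.TP` entries `/proc/sys/net/ipv4/vs/drop_entry`, `/proc/sys/net/ipv4/vs/drop_packet` and `/proc/sys/net/ipv4/vs/secure_tcp` have no paragraph following the tag line, so each renders as a tagged paragraph with an empty body; either use `.IP`/`.br` for a plain list as the original `.sp` did, or give each a one-line description like the `amemthresh` entry that follows. Typos in added lines: `stratergy` and `stragergy` should be `strategy`; `the function which entries is dropped` should read `the function by which entries are dropped`; `requests should be send directly` should be `sent`; `Presumably allowing end-users to establish new connections.` is a sentence fragment and should be joined to the preceding sentence. The `Default:` lines are inconsistent (`Default: 480.` has a trailing full stop, `Default:120` and the following entries lack the space, `LISTEN state` is upper case where the other states are lower case); pick one form. Finally `4096 bytes on ia-32 architecture` should read `on the ia32 architecture`, and it would help to say the page size is architecture dependent so the `1024` default is not read as a fixed byte count.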
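Review bot: the last hunk (`@@ -493,5 +619,5 @@`) changes only whitespace on the `Horms` line of the AUTHORS list; drop it from the patch unless the realignment is intentional, since it adds churn without a documentation change.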