On Tue, Feb 21, 2006 at 11:41:33AM +0100, Roberto Nibali wrote:
> >I want the TCP connection removed from the table as quick as possible so
> >that next connection
> >with same CIP<---->DIP pair will be assigned to a different real server
> >providing a better load balancing(?)
>
> Ok, we have to re-instate the state transition timer setting in proc-fs.
> Since none of us developers has time to implement the per-app timer idea
> forged by Julian, we should at least provide the means to instrument the
> existing timeout values for defense mode and non-defense mode.
I'm comfortable with that.
Though do you know the details of why it was removed in the first place?
> I'll see to it, Horms, if you are willing to apply this. It will be a
> forward port of a patch I've sent previously (2.4.x version attached for
> comments).
>
> This will allow us to set sharp timeout transition values in proc-fs.
> We've been using this patch for a while now and there are now issues
> with it.
>
> Best regards,
> Roberto Nibali, ratz
> --
> echo
> '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
> diff -X dontdiff -Nur linux-2.4.32-orig/include/net/ip_vs.h
> linux-2.4.32-pab2/include/net/ip_vs.h
> --- linux-2.4.32-orig/include/net/ip_vs.h 2005-11-21 12:06:21 +0100
> +++ linux-2.4.32-pab2/include/net/ip_vs.h 2006-01-25 11:11:23 +0100
> @@ -309,34 +309,48 @@
> /*
> * IPVS sysctl variables under the /proc/sys/net/ipv4/vs/
> */
> -#define NET_IPV4_VS 21
> +#define NET_IPV4_VS 39
>
> enum {
> NET_IPV4_VS_DEBUG_LEVEL=1,
> - NET_IPV4_VS_AMEMTHRESH=2,
> - NET_IPV4_VS_AMDROPRATE=3,
> - NET_IPV4_VS_DROP_ENTRY=4,
> - NET_IPV4_VS_DROP_PACKET=5,
> - NET_IPV4_VS_SECURE_TCP=6,
> - NET_IPV4_VS_TO_ES=7,
> - NET_IPV4_VS_TO_SS=8,
> - NET_IPV4_VS_TO_SR=9,
> - NET_IPV4_VS_TO_FW=10,
> - NET_IPV4_VS_TO_TW=11,
> - NET_IPV4_VS_TO_CL=12,
> - NET_IPV4_VS_TO_CW=13,
> - NET_IPV4_VS_TO_LA=14,
> - NET_IPV4_VS_TO_LI=15,
> - NET_IPV4_VS_TO_SA=16,
> - NET_IPV4_VS_TO_UDP=17,
> - NET_IPV4_VS_TO_ICMP=18,
> - NET_IPV4_VS_LBLC_EXPIRE=19,
> - NET_IPV4_VS_LBLCR_EXPIRE=20,
> - NET_IPV4_VS_CACHE_BYPASS=22,
> - NET_IPV4_VS_EXPIRE_NODEST_CONN=23,
> - NET_IPV4_VS_SYNC_THRESHOLD=24,
> - NET_IPV4_VS_NAT_ICMP_SEND=25,
> - NET_IPV4_VS_EXPIRE_QUIESCENT_TEMPLATE=26,
> + NET_IPV4_VS_AMEMTHRESH,
> + NET_IPV4_VS_AMDROPRATE,
> + NET_IPV4_VS_DROP_ENTRY,
> + NET_IPV4_VS_DROP_PACKET,
> + NET_IPV4_VS_SECURE_TCP,
> + NET_IPV4_VS_TO_ES,
> + NET_IPV4_VS_TO_SS,
> + NET_IPV4_VS_TO_SR,
> + NET_IPV4_VS_TO_FW,
> + NET_IPV4_VS_TO_TW,
> + NET_IPV4_VS_TO_CL,
> + NET_IPV4_VS_TO_CW,
> + NET_IPV4_VS_TO_LA,
> + NET_IPV4_VS_TO_LI,
> + NET_IPV4_VS_TO_SA,
> + NET_IPV4_VS_TO_UDP,
> + NET_IPV4_VS_TO_ICMP,
> + NET_IPV4_VS_DOS_TO_ES,
> + NET_IPV4_VS_DOS_TO_SS,
> + NET_IPV4_VS_DOS_TO_SR,
> + NET_IPV4_VS_DOS_TO_FW,
> + NET_IPV4_VS_DOS_TO_TW,
> + NET_IPV4_VS_DOS_TO_CL,
> + NET_IPV4_VS_DOS_TO_CW,
> + NET_IPV4_VS_DOS_TO_LA,
> + NET_IPV4_VS_DOS_TO_LI,
> + NET_IPV4_VS_DOS_TO_SA,
> + NET_IPV4_VS_DOS_TO_UDP,
> + NET_IPV4_VS_DOS_TO_ICMP,
> + NET_IPV4_VS_LBLC_EXPIRE,
> + NET_IPV4_VS_LBLCR_EXPIRE,
> + NET_IPV4_VS_CACHE_BYPASS,
> + NET_IPV4_VS_EXPIRE_NODEST_CONN,
> + NET_IPV4_VS_SYNC_THRESHOLD,
> + NET_IPV4_VS_NAT_ICMP_SEND,
> + NET_IPV4_VS_THRESHOLD_FACTOR,
> + NET_IPV4_VS_ENABLE_THRESHOLD_FACTOR,
> + NET_IPV4_VS_EXPIRE_QUIESCENT_TEMPLATE,
> NET_IPV4_VS_LAST
> };
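Review bot: Dropping the explicit values while inserting the twelve `NET_IPV4_VS_DOS_TO_*` entries in the middle of the enum renumbers every existing id from `NET_IPV4_VS_LBLC_EXPIRE` onward (19 becomes 31), and `NET_IPV4_VS` itself moves from 21 to 39 with no stated reason. If these ids are reachable through the binary sysctl(2) interface, which I cannot confirm from this hunk, an existing caller would silently read or write a different tunable, including the defense-mode ones. Keeping the explicit numbers and appending the new ids after the current highest, starting with `NET_IPV4_VS_DOS_TO_ES=27,`, avoids the shift. A one-line comment on why the parent id changes would also help.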
If you want to change the style of the defines to omit numerical values
(which I am cool with, as these values are only used in the kernel), I
think it would be better to make it a separate patch.
> diff -X dontdiff -Nur linux-2.4.32-orig/net/ipv4/ipvs/ip_vs_ctl.c
> linux-2.4.32-pab2/net/ipv4/ipvs/ip_vs_ctl.c
> --- linux-2.4.32-orig/net/ipv4/ipvs/ip_vs_ctl.c 2005-11-21 12:06:21
> +0100
> +++ linux-2.4.32-pab2/net/ipv4/ipvs/ip_vs_ctl.c 2006-01-25 11:05:23
> +0100
> @@ -1427,39 +1442,75 @@
> &sysctl_ip_vs_secure_tcp, sizeof(int), 0644, NULL,
> &ip_vs_sysctl_defense_mode},
> {NET_IPV4_VS_TO_ES, "timeout_established",
> - &vs_timeout_table_dos.timeout[IP_VS_S_ESTABLISHED],
> + &vs_timeout_table.timeout[IP_VS_S_ESTABLISHED],
> sizeof(int), 0644, NULL, &proc_dointvec_jiffies},
> {NET_IPV4_VS_TO_SS, "timeout_synsent",
> - &vs_timeout_table_dos.timeout[IP_VS_S_SYN_SENT],
> + &vs_timeout_table.timeout[IP_VS_S_SYN_SENT],
> sizeof(int), 0644, NULL, &proc_dointvec_jiffies},
> {NET_IPV4_VS_TO_SR, "timeout_synrecv",
> - &vs_timeout_table_dos.timeout[IP_VS_S_SYN_RECV],
> + &vs_timeout_table.timeout[IP_VS_S_SYN_RECV],
> sizeof(int), 0644, NULL, &proc_dointvec_jiffies},
> {NET_IPV4_VS_TO_FW, "timeout_finwait",
> - &vs_timeout_table_dos.timeout[IP_VS_S_FIN_WAIT],
> + &vs_timeout_table.timeout[IP_VS_S_FIN_WAIT],
> sizeof(int), 0644, NULL, &proc_dointvec_jiffies},
> {NET_IPV4_VS_TO_TW, "timeout_timewait",
> - &vs_timeout_table_dos.timeout[IP_VS_S_TIME_WAIT],
> + &vs_timeout_table.timeout[IP_VS_S_TIME_WAIT],
> sizeof(int), 0644, NULL, &proc_dointvec_jiffies},
> {NET_IPV4_VS_TO_CL, "timeout_close",
> - &vs_timeout_table_dos.timeout[IP_VS_S_CLOSE],
> + &vs_timeout_table.timeout[IP_VS_S_CLOSE],
> sizeof(int), 0644, NULL, &proc_dointvec_jiffies},
> {NET_IPV4_VS_TO_CW, "timeout_closewait",
> - &vs_timeout_table_dos.timeout[IP_VS_S_CLOSE_WAIT],
> + &vs_timeout_table.timeout[IP_VS_S_CLOSE_WAIT],
> sizeof(int), 0644, NULL, &proc_dointvec_jiffies},
> {NET_IPV4_VS_TO_LA, "timeout_lastack",
> - &vs_timeout_table_dos.timeout[IP_VS_S_LAST_ACK],
> + &vs_timeout_table.timeout[IP_VS_S_LAST_ACK],
> sizeof(int), 0644, NULL, &proc_dointvec_jiffies},
> {NET_IPV4_VS_TO_LI, "timeout_listen",
> - &vs_timeout_table_dos.timeout[IP_VS_S_LISTEN],
> + &vs_timeout_table.timeout[IP_VS_S_LISTEN],
> sizeof(int), 0644, NULL, &proc_dointvec_jiffies},
> {NET_IPV4_VS_TO_SA, "timeout_synack",
> - &vs_timeout_table_dos.timeout[IP_VS_S_SYNACK],
> + &vs_timeout_table.timeout[IP_VS_S_SYNACK],
> sizeof(int), 0644, NULL, &proc_dointvec_jiffies},
> {NET_IPV4_VS_TO_UDP, "timeout_udp",
> - &vs_timeout_table_dos.timeout[IP_VS_S_UDP],
> + &vs_timeout_table.timeout[IP_VS_S_UDP],
> sizeof(int), 0644, NULL, &proc_dointvec_jiffies},
> {NET_IPV4_VS_TO_ICMP, "timeout_icmp",
> + &vs_timeout_table.timeout[IP_VS_S_ICMP],
> + sizeof(int), 0644, NULL, &proc_dointvec_jiffies},
> + {NET_IPV4_VS_DOS_TO_ES, "dos_timeout_established",
> + &vs_timeout_table_dos.timeout[IP_VS_S_ESTABLISHED],
> + sizeof(int), 0644, NULL, &proc_dointvec_jiffies},
> + {NET_IPV4_VS_DOS_TO_SS, "dos_timeout_synsent",
> + &vs_timeout_table_dos.timeout[IP_VS_S_SYN_SENT],
> + sizeof(int), 0644, NULL, &proc_dointvec_jiffies},
> + {NET_IPV4_VS_DOS_TO_SR, "dos_timeout_synrecv",
> + &vs_timeout_table_dos.timeout[IP_VS_S_SYN_RECV],
> + sizeof(int), 0644, NULL, &proc_dointvec_jiffies},
> + {NET_IPV4_VS_DOS_TO_FW, "dos_timeout_finwait",
> + &vs_timeout_table_dos.timeout[IP_VS_S_FIN_WAIT],
> + sizeof(int), 0644, NULL, &proc_dointvec_jiffies},
> + {NET_IPV4_VS_DOS_TO_TW, "dos_timeout_timewait",
> + &vs_timeout_table_dos.timeout[IP_VS_S_TIME_WAIT],
> + sizeof(int), 0644, NULL, &proc_dointvec_jiffies},
> + {NET_IPV4_VS_DOS_TO_CL, "dos_timeout_close",
> + &vs_timeout_table_dos.timeout[IP_VS_S_CLOSE],
> + sizeof(int), 0644, NULL, &proc_dointvec_jiffies},
> + {NET_IPV4_VS_DOS_TO_CW, "dos_timeout_closewait",
> + &vs_timeout_table_dos.timeout[IP_VS_S_CLOSE_WAIT],
> + sizeof(int), 0644, NULL, &proc_dointvec_jiffies},
> + {NET_IPV4_VS_DOS_TO_LA, "dos_timeout_lastack",
> + &vs_timeout_table_dos.timeout[IP_VS_S_LAST_ACK],
> + sizeof(int), 0644, NULL, &proc_dointvec_jiffies},
> + {NET_IPV4_VS_DOS_TO_LI, "dos_timeout_listen",
> + &vs_timeout_table_dos.timeout[IP_VS_S_LISTEN],
> + sizeof(int), 0644, NULL, &proc_dointvec_jiffies},
> + {NET_IPV4_VS_DOS_TO_SA, "dos_timeout_synack",
> + &vs_timeout_table_dos.timeout[IP_VS_S_SYNACK],
> + sizeof(int), 0644, NULL, &proc_dointvec_jiffies},
> + {NET_IPV4_VS_DOS_TO_UDP, "dos_timeout_udp",
> + &vs_timeout_table_dos.timeout[IP_VS_S_UDP],
> + sizeof(int), 0644, NULL, &proc_dointvec_jiffies},
> + {NET_IPV4_VS_DOS_TO_ICMP, "dos_timeout_icmp",
> &vs_timeout_table_dos.timeout[IP_VS_S_ICMP],
> sizeof(int), 0644, NULL, &proc_dointvec_jiffies},
> {NET_IPV4_VS_CACHE_BYPASS, "cache_bypass",
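Review bot: The existing `timeout_*` names are re-pointed from `vs_timeout_table_dos` to `vs_timeout_table`, so a script that writes `timeout_established` today will start tuning a different table after this patch; this needs a comment above the entries and a note in the documentation. Separately, all 24 entries store whatever `proc_dointvec_jiffies` parses directly into the live tables, and no range check is visible in the hunk. A zero or negative value written to, say, `dos_timeout_synrecv` would presumably take effect in defense mode, the situation where these timeouts matter most. I would route the entries through a small wrapper handler that rejects out-of-range values before storing them. The ctl_table array starts and ends outside this hunk, so validation elsewhere cannot be ruled out.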
The above hunk should look quite different on 2.6.
But in principle I think it looks ok.
> @@ -1474,6 +1525,12 @@
> {NET_IPV4_VS_NAT_ICMP_SEND, "nat_icmp_send",
> &sysctl_ip_vs_nat_icmp_send, sizeof(int), 0644, NULL,
> &proc_dointvec},
> + {NET_IPV4_VS_THRESHOLD_FACTOR, "threshold_factor",
> + &sysctl_ip_vs_threshold_factor, sizeof(int), 0644, NULL,
> + &proc_dointvec},
> + {NET_IPV4_VS_ENABLE_THRESHOLD_FACTOR, "enable_threshold_factor",
> + &sysctl_ip_vs_enable_threshold_factor, sizeof(int), 0644, NULL,
> + &proc_dointvec},
> {NET_IPV4_VS_EXPIRE_QUIESCENT_TEMPLATE, "expire_quiescent_template",
> &sysctl_ip_vs_expire_quiescent_template, sizeof(int), 0644, NULL,
> &proc_dointvec},
Above hunk ignored as per subsequent mail.
--
Horms