.\".\"     ipvsadm(8) manual page.\".\"	$Id: ipvsadm.8,v 1.23 2005/12/10 16:00:07 wensong Exp $.\".\"     Authors: Mike Wangsmo <wanger@redhat.com>.\"              Wensong Zhang <wensong@linux-vs.org>.\".\"     Changes:.\"       Horms            :  Updated to reflect recent change of ipvsadm.\"                        :  Style guidance taken from ipchains(8).\"                           where appropriate..\"       Wensong Zhang    :  Added a short note about the defense strategies.\"       Horms            :  Tidy up some of the description and the.\"                           grammar in the -f and sysctl sections.\"       Wensong Zhang    :  --set option description taken from ipchains(8).\".\"     This program is free software; you can redistribute it and/or modify.\"     it under the terms of the GNU General Public License as published by.\"     the Free Software Foundation; either version 2 of the License, or.\"     (at your option) any later version..\".\"     This program is distributed in the hope that it will be useful,.\"     but WITHOUT ANY WARRANTY; without even the implied warranty of.\"     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the.\"     GNU General Public License for more details..\".\"     You should have received a copy of the GNU General Public License.\"     along with this program; if not, write to the Free Software.\"     Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA..\".\".TH IPVSADM 8 "5th July 2003" "LVS Administration" "Linux Administrator's Guide".UC 4.SH NAMEipvsadm \- Linux Virtual Server administration.SH SYNOPSIS.B ipvsadm -A|E -t|u|f \fIservice-address\fP [-s \fIscheduler\fP].ti 15.B [-p [\fItimeout\fP]] [-M \fInetmask\fP].br.B ipvsadm -D -t|u|f \fIservice-address\fP.br.B ipvsadm -C.br.B ipvsadm -R.br.B ipvsadm -S [-n].br.B ipvsadm -a|e -t|u|f \fIservice-address\fP -r \fIserver-address\fP.ti 15.B [-g|i|m] [-w \fIweight\fP] [-x \fIupper\fP] [-y \fIlower\fP].br.B ipvsadm -d -t|u|f \fIservice-address\fP -r \fIserver-address\fP.br.B ipvsadm -L|l [options].br.B ipvsadm -Z [-t|u|f \fIservice-address\fP].br.B ipvsadm --set \fItcp\fP \fItcpfin\fP \fIudp\fP.br.B ipvsadm --start-daemon \fIstate\fP [--mcast-interface \fIinterface\fP].ti 15.B [--syncid \fIsyncid\fP].br.B ipvsadm --stop-daemon \fIstate\fP.br.B ipvsadm -h.SH DESCRIPTION\fBIpvsadm\fR(8) is used to set up, maintain or inspect the virtualserver table in the Linux kernel. The Linux Virtual Server can be usedto build scalable network services based on a cluster of two or morenodes. The active node of the cluster redirects service requests to acollection of server hosts that will actually perform theservices. Supported features include two protocols (TCP and UDP),three packet-forwarding methods (NAT, tunneling, and direct routing),and eight load balancing algorithms (round robin, weighted roundrobin, least-connection, weighted least-connection, locality-basedleast-connection, locality-based least-connection with replication,destination-hashing, and source-hashing)..PPThe command has two basic formats for execution:.TP.B ipvsadm \fICOMMAND\fP [\fIprotocol\fP] \fIservice-address\fP.ti 15.B [\fIscheduling-method\fP] [\fIpersistence options\fP].TP.B ipvsadm \fIcommand\fP [\fIprotocol\fP] \fIservice-address\fP.ti 15.B \fIserver-address\fP [\fIpacket-forwarding-method\fP].ti 15.B [\fIweight options\fP].PPThe first format manipulates a virtual service and the algorithm forassigning service requests to real servers. Optionally, a persistenttimeout and network mask for the granularity of a persistent servicemay be specified. The second format manipulates a real server that isassociated with an existing virtual service. When specifying a realserver, the packet-forwarding method and the weight of the realserver, relative to other real servers for the virtual service, may bespecified, otherwise defaults will be used..SS COMMANDS\fBipvsadm\fR(8) recognises the commands described below. Upper-casecommands maintain virtual services. Lower-case commands maintain realservers that are associated with a virtual service..TP.B -A, --add-serviceAdd a virtual service. A service address is uniquely defined by atriplet: IP address, port number, and protocol. Alternatively, avirtual service may be defined by a firewall-mark..TP.B -E, --edit-serviceEdit a virtual service..TP.B -D, --delete-serviceDelete a virtual service, along with any associated real servers..TP.B -C, --clearClear the virtual server table..TP.B -R, --restoreRestore Linux Virtual Server rules from stdin. Each line read fromstdin will be treated as the command line options to a separateinvocation of \fIipvsadm\fP. Lines read from stdin can optionallybegin with "ipvsadm".  This option is useful to avoid executing alarge number or \fIipvsadm\fP  commands when constructing an extensiverouting table..TP.B -S, --saveDump the Linux Virtual Server rules to stdout in a format that can beread by -R|--restore..TP.B -a, --add-serverAdd a real server to a virtual service..TP.B -e, --edit-serverEdit a real server in a virtual service..TP.B -d, --delete-serverRemove a real server from a virtual service..TP.B -L, -l, --listList the virtual server table if no argument is specified. If a\fIservice-address\fP is selected, list this service only. If the\fI-c\fP option is selected, then display the connection table. Theexact output is affected by the other arguments given..TP.B -Z, --zeroZero the packet, byte and rate counters in a service or all services..TP.B --set \fItcp\fP \fItcpfin\fP \fIudp\fPChange the timeout values used for IPVS connections. This commandalways takes 3 parameters,  representing  the  timeout  values (inseconds) for TCP sessions, TCP sessions after receiving a  FINpacket, and  UDP  packets, respectively.  A timeout value 0 means thatthe current timeout value of the  corresponding  entry  is preserved..TP.B --start-daemon \fIstate\fPStart the connection synchronization daemon. The \fIstate\fP is toindicate that the daemon is started as \fImaster\fP or \fIbackup\fP. Theconnection synchronization daemon is implemented inside the Linuxkernel. The master daemon running at the primary load balancermulticasts changes of connections periodically, and the backup daemonrunning at the backup load balancers receives multicast message andcreates corresponding connections. Then, in case the primary loadbalancer fails, a backup load balancer will takeover, and it has stateof almost all connections, so that almost all established connectionscan continue to access the service..TP.B --stop-daemonStop the connection synchronization daemon..TP\fB-h, --help\fRDisplay a description of the command syntax..SS PARAMETERSThe commands above accept or require zero or more of the followingparameters..TP.B -t, --tcp-service \fIservice-address\fPUse TCP service. The \fIservice-address\fP is of the form\fIhost[:port]\fP.  \fIHost\fP may be one of a plain IP address or ahostname. \fIPort\fP may be either a plain port number or the servicename of port. The \fIPort\fP may be omitted, in which case zero willbe used. A \fIPort\fP  of zero is only valid if the service ispersistent as the -p|--persistent option, in which case it is awild-card port, that is connections will be accepted to any port..TP.B -u, --udp-service \fIservice-address\fPUse UDP service. See the -t|--tcp-service for the description of  the\fIservice-address\fP..TP.B -f, --fwmark-service \fIinteger\fPUse a firewall-mark, an integer value greater than zero, to denote avirtual service instead of an address, port and protocol (UDP orTCP). The marking of packets with a firewall-mark is configured usingthe -m|--mark option to \fBiptables\fR(8). It can be used to build avirtual service assoicated with the same real servers, coveringmultiple IP address, port and protocol tripplets..spUsing firewall-mark virtual services provides a convenient method ofgrouping together different IP addresses, ports and protocols into asingle virtual service. This is useful for both simplifyingconfiguration if a large number of virtual services are required andgrouping persistence across what would otherwise be multiple virtualservices..TP.B -s, --scheduler \fIscheduling-method\fP\fIscheduling-method\fP  Algorithm for allocating TCP connections andUDP datagrams to real servers.  Scheduling algorithms are implementedas kernel modules. Ten are shipped with the Linux Virtual Server:.sp\fBrr\fR - Robin Robin: distributes jobs equally amongst the availablereal servers..sp\fBwrr\fR - Weighted Round Robin: assigns jobs to real serversproportionally to there real servers' weight. Servers with higherweights receive new jobs first and get more jobs than servers withlower weights. Servers with equal weights get an equal distribution ofnew jobs..sp\fBlc\fR - Least-Connection: assigns more jobs to real servers withfewer active jobs..sp\fBwlc\fR - Weighted Least-Connection: assigns more jobs to serverswith fewer jobs and relative to the real servers' weight (Ci/Wi). Thisis the default..sp\fBlblc\fR - Locality-Based Least-Connection: assigns jobs destinedfor the same IP address to the same server if the server is notoverloaded and available; otherwise assign jobs to servers with fewerjobs, and keep it for future assignment..sp\fBlblcr\fR - Locality-Based Least-Connection with Replication:assigns jobs destined for the same IP address to the least-connectionnode in the server set for the IP address. If all the node in theserver set are over loaded, it picks up a node with fewer jobs in thecluster and adds it in the sever set for the target. If the server sethas not been modified for the specified time, the most loaded node isremoved from the server set, in order to avoid high degree ofreplication..sp\fBdh\fR - Destination Hashing: assigns jobs to servers throughlooking up a statically assigned hash table by their destination IPaddresses..sp\fBsh\fR - Source Hashing: assigns jobs to servers through looking upa statically assigned hash table by their source IP addresses..sp\fBsed\fR - Shortest Expected Delay: assigns an incoming job to theserver with the shortest expected delay. The expected delay that thejob will experience is (Ci + 1) / Ui if  sent to the ith server, inwhich Ci is the number of jobs on the the ith server and Ui is thefixed service rate (weight) of the ith server..sp\fBnq\fR - Never Queue: assigns an incoming job to an idle server ifthere is, instead of waiting for a fast one; if all the servers arebusy, it adopts the Shortest Expected Delay policy to assign the job..TP.B -p, --persistent [\fItimeout\fP]Specify that a virtual service is persistent. If this option isspecified, multiple requests from a client are redirected to the samereal server selected for the first request.  Optionally, the\fItimeout\fP of persistent sessions may be specified given inseconds, otherwise the default of 300 seconds will be used. Thisoption may be used in conjunction with protocols such as SSL or FTPwhere it is important that clients consistently connect with the samereal server..sp\fBNote:\fR If a virtual service is to handle FTP connections thenpersistence must be set for the virtual service if Direct Routing orTunnelling is used as the forwarding mechanism. If Masquerading isused in conjunction with an FTP service than persistence is notnecessary, but the ip_vs_ftp kernel module must be used.  This modulemay be manually inserted into the kernel using insmod(8)..TP.B -M, --netmask \fInetmask\fPSpecify the granularity with which clients are grouped for persistentvirtual services.  The source address of the request is masked withthis netmask to direct all clients from a network to the same realserver. The default is \fI255.255.255.255\fP, that is, the persistencegranularity is per client host. Less specific netmasks may be used to