The virtual server patch for kernel 2.2
Virtual Server patch for Linux 2.2.14 - Version 0.9.7 - January 19, 2000
- Just resolve a patch rejection on Configure.help for kernel 2.2.14.
Virtual Server patch for Linux 2.2 - Version 0.9.7 - December 22, 1999
- Fixed the huge timeout entry bug when destinations are unavailable
When the destination server of a packet is found unavailable,
the packet is droped silently but the entry is forgotten to be
added back to the slow timer table. It would generate the
entries of huge timeout. Thank Julian for the bug.
- Changed two IP_VS_ERR calls to IP_VS_DBG
Since the ipvsadm would report the error information when
deleting a nonexist destionation or adding an existing service,
there is no need to report error message in kernel. Thank Julian
again for the change.
- Added the sysctl_ip_always_defrag counting in ip_masq_new_vs
This is for the coming kernel patch 2.2.14, where the wrong
sysctl_ip_always_defrag handling is fixed.
Virtual Server patch for Linux 2.2 - Version 0.9.6 - December 7, 1999
- Invalidate a persistent template when its dest is unavailable
We define templates like <cip, 0, vip, vport, rip, rport>
(persistence for a single service) or <cip, 0, vip, 0, rip, 0>
(persistence for all services) are valid, and templates like
<cip, 65535, vip, 65535, rip, 65535> are invalid.
When new connection arrives and the destination of its template
is not available, invalidate the template, then create a new
template with new destination, and new connection is served.
- Fixed the wrong debugging information in ip_vs_forward
Virtual Server patch for Linux 2.2 - Version 0.9.5 - November 28, 1999
- Fixed the undefined variable bug in the IP_VS_DBG
Due to my carelessness, an undefined variable was left in the
IP_VS_DBG statement of the ip_vs_dr_xmit function. Thank
Roberto Nibali for reporting.
- Changed ICMP_PROT_UNREACH to ICMP_PORT_UNREACH in ip_vs_leave
When virtual service is available but no destination is available,
The ICMP_PORT_UNREACH icmp packet is sent to notify the client
that the service is not available. Since IPVS is in IP layer,
the TCP socket has been created, the TCP RST packet cannot be sent
for TCP services, instead that ICMP_PORT_UNREACH is sent, no
matter it talks TCP/UDP. Thank Julian.
- Added port zero support for persistent services
For some applications, there are more than one service, once a
client is assigned to a real server for the first service, requests
for other services from the same clients must be sent to the same
server. Port zero is added for this kind of persistent services.
- Fixed the bug that virtual ftp service blocks other services
When virtual ftp service is presented and packets destined for
other services not listed in ipvs table arrives, wrong masq
entries will be created and those services are blocked.
- Fixed the (null) print for unknown services in ipvsadm
Thank Julian for reporting.
Virtual Server patch for Linux 2.2 - Version 0.9.4 (ipvs-0.9.4-2.2.13.tar.gz) - November 10, 1999
- Julian fixed the fatal return bug of ip_vs_leave()
Since some code of last version ipvs is changed, ip_vs_leave
should return -2 instead of -3 if no virtual service is
- Added the IPSKB_REDIRECTED flag
The skb is set with the IPSKB_REDIRECTED and IPSKB_MASQUERADED
flag, so that the system can detect infinite loop of TUNNELED/
DROUTED packets in the ip_local_deliver caused by misconfiguration.
For example, user might configure the following:
ipvsadm -a -t VIP:http -r -i
then packets for VIP:http is tunneled to its own interface, which
will causes infinite loop.
- Fixed the bug that freed skb may be used to masq_set_state
In the original ip_fw_demasquerade function, masq_set_state was
called after ip_vs_forward, and ip_vs_forward may free the skb,
so masq_set_state may operate the already freed skb. The current
solution is just to simply do masq_set_state before ip_vs_forward.
No matter whether the packet is forwarded successfully or not,
the masq state will be updated. Although it brokes the original
sematics, it won't lead to serious errors. We look forward to
fixing it under the Rusty's netfilter framework both for correctness
and modularization. :-)
Virtual Server patch for Linux 2.2 - Version 0.9.3 (ipvs-0.9.3-2.2.13.tar.gz)
- November 7, 1999
- Adapted the patch for kernel 2.2.13
Since the ntohl and like were changed to unsigned int(because the unsigned
long int is 64-bit these days), some code in VS patch is modified for this
change, and the compiling warnings and unnecessary casting can be avoided.
- Changed the masq timeout type and the maximum persistent timeout
The type of masq timeout was changed from 'unsigned' to 'unsigned long',
in order to keep it the same as the type of timer_struct expires, then
masq timeout will be 64-bit on 64-bit platforms. The maximum persistent
timeout was changed from one year to one month, because this is enough.
Thank Julian for the suggestions.
- Added ICMP handling for IPVS
The incoming ICMP packets for virtual services will be forwarded to
the right real servers, and outgoing ICMP packets from virtual
services will be altered and send out correctly. This is important for
error and control notification between clients and servers, such as
the MTU discovery. Sorry for adding this stuff so late, because I
used to stupidly think that it is not easy to add ICMP handling for
IPVS. After spending a couple of hours reading the textbooks and the
masq code, I found that it was quite easy to add this stuff. Sorry!
- Changed the tunnel/dr/local forwarding without doing masq_skb_cow
Some orders in the ip_fw_demasquerade and ip_fw_demasq_icmp
functions, so that the masq skbuff copy-on-write can be avoided in the
tunnel/dr/local forwarding methods. This improves performance for the
tunnel/dr/local forwarding methods.
Virtual Server patch for Linux 2.2 - Version 0.9.2 (ipvs-0.9.2-2.2.12.tar.gz)
- October 17, 1999
Virtual Server patch for Linux 2.2 - Version 0.9.1 (ipvs-0.9.1-2.2.12.tar.gz)
- October 6, 1999
Added support for netmasks with persistence
The client source address is masked with this netmask for the purpose
of accessing the templates. Added a new port to the service structure
and changed ipvsadm to support this. Defaults to a 255.255.255.255,
which emulates the old behaviour. (Lars Marowsky-Bree firstname.lastname@example.org)
Fixed the bug that server status checking doesn't work for LVS/NAT,
and changed some comestics things for debugging. Thank Julian for
Virtual Server patch for Linux 2.2 - Version 0.9.0 (ipvs-0.9.0-2.2.12.tar.gz)
- September 24, 1999
Fixed the counting bug in ip_vs_unbind_masq again
Don't touch counters for templates.
Removed extra read_unlock in __ip_vs_lookup_service
Changed not to restart template timers if dest is unavailable
If the client actively send packets when the destination is unavailable,
the masq template can expire.
Added the destination trash
The destination trash is used to hold the destinations that are removed
from the service table but are still referenced by some masq entries. The
reason to add the destination trash is when the dest is temporary down
(either by administrator or by monitor program), the dest can be picked
back from the trash, the remaining connections to the dest can continue,
and the counting information of the dest is also useful for scheduling.
Added the ip_vs_leave function
It is called by ip_fw_demasquerade when the matched service is avaiable
but no destination is available for a new connection, to drop the packet.
This should be a good behavior.
Changed drasticly removing the masq to silently dropping
packets and keeping the masq in expire, when its destination is not
available. It is a good behavior, when the destination is temporary down.
The above fixes and changes won't be possible without Julian Anastasov's
fixes and suggestions. Thank Julian!
Added the handling of weight=0 in every scheduler
The destination with weight=0 is "quiesced" and will not receive any
new connection, but will still serve the existing connections. This feature
is useful to cool down the overloaded servers or to get some servers out
of service for maintenance.
Added the update_service function in every scheduler
When the destination list of a service is modified, the update_service
function is called to reset the scheduling pointer, so that the scheduling
pointer won't point to the freed destination.
Changed some IP_VS_ERR to IP_VS_DBG in the ip_vs_tunnel_xmit
Added different timeout support for persistent service
Users can specify different timeout values for their different persistent
Fixed the bug that persistent service cannot be edited
Changed the output of ip_vs_procinfo for the new version of ipvsadm.
Changes are as follows:
Virtual Server patch for Linux 2.2 - Version 0.8.3 (ipvs-0.8.3-2.2.12.tar.gz)
- September 8, 1999
Added the hash table for virtual services. It will greatly speedup the
lookup of services.
Added new persistent service handling
The template is looked up only if the service that the packet is destined
to is persistent, so it is more efficient. For all the persistent services
except FTP, we create a masq template like <daddr, 0, maddr, mport,
saddr, sport>. So, the persistent services won't disturb each other, and
it fixes the wrong accounting bug fordifferent persistent services.
FTP is a very complicated network protocol, and it uses control connection
and data connections. For active FTP, FTP server initilizes data connection
to the client, its source port is often 20. For passive FTP, FTP server
tells the clients the port that it passively listens to, and the client
issues the data connection. In the tunneling or direct routing mode, the
load balancer is on the client-to-server half of connection, the port number
is unknown to the load balancer. So, a template masq like <daddr, 0,
maddr, 0, saddr, 0> is created for persistent FTP service.
Changed the destination lists to the d-linked lists
Changed the scheduler list to the d-linked list
Added back the least connection scheduling module.
Fixed the missing unlock bug in ip_vs_schedule.
If no virtual service is found in ip_vs_schedule, this missing unlock
bug will make system crash.
Fixed the uncounting bug in creating masqs by template.
Missing to counter connections when creating masqs by template.
Don't touch counters in ip_vs_unbind_masq for templates
Thanks must go to Julian Anastasov for the three fixes above.
Changed some condition orders for a bit performance
Changed some cosmetic things for debugging
The virtual server patch for kernel 2.0
The latest archive is the virtual server patch version 0.9 vs-0.9.tar.gz.
The ChangeLog is as follows:
The virtual server patch version 0.8 vs-0.8.tar.gz
was changed as follows:
Add Virtual Server via Direct Routing
This approach was first implemented in IBM's NetDispatcher. All real
servers have their loopback alias interface configured with the virtual
IP address, the load balancer and the real servers must have one of their
interfaces physically linked by a HUB/Switch. When the packets destined
for the virtual IP address arrives, the load balnacer directly route them
to the real servers, the real servers processing the requests and return
the reply packets directly to the clients. Compared to the virtual server
via IP tunneling approach, this approach doesn't have tunneling overhead(In
fact, this overhead is minimal in most situations), but requires that one
of the load balancer's interfaces and the real servers' interfaces must
be in physical segment.
Add more satistics information
The active connection counter and the total connection counter of each
real server were added for all the scheduling algorithms.
Add resetting(zeroing) counters
The total connection counters of all real servers can be reset to zero.
Change some statements in the masq_expire function and the ip_fw_demasquerade
function, so that ip_masq_free_ports won't become abnormal number after
the masquerading entries for virtual server are released.
Fix the bug of "double unlock on device queue"
Remove the unnecessary function call of skb_device_unlock(skb) in the
ip_pfvs_encapsule function, which sometimes cause "kernel: double unlock
on device queue" waring in the virtual server via tunneling.
Many functions of virtual server patch was splitted into the linux/net/ipv4/ip_masq_pfvs.c.
Upgrade ippfvsadm 1.0.2 to ippfvsadm 1.0.3
Zeroing counters is supported in the new version. The ippfvsadm 1.0.3
can be used for all kernel with different virtual server options without
rebuilding the program.
Add virtual FTP server support
The original ippfvs via IP tunneling could not be used to build a virtual
FTP server, because the real servers could not establish data connections
to clients. The code was added to parse the port number in the ftp control
data and create the corresponding masquerading entry for the coming data
Although the original ippfvs via NAT could be used to build a virtual
server, the data connection was established in
Real Server port:20 ----> ippfvs: allocate a free masq port ----->
the client port
It is not elegent but time-consuming. Now it was changed as follows:
Real Server port:20 ----> ippfvs port: 20 ----> the client port
Change the port checking order in the ip_fw_demasquerade()
If the size of masquerade hash table is well chosen, checking a masquerading
entry in the hash table will just require one
hit. It is much efficient than checking port for virtual services,
and there are at least 3 incoming packets for each connection, which require
port checking. So, it is efficient to check the masquerading hash table
first and then check
port for virtual services.
Remove a useless statement in the ip_masq_new_pfvs()
The useless statement in the ip_masq_new_pfvs function is ip_masq_free_ports[masq_proto_num(proto)]++;
which may disturb system.
Change the header printing of the ip_pfvs_procinfo()
Last updated: 2000/1/5
Created on: 1998/5/28