Hubbry Logo
IP Virtual ServerIP Virtual ServerMain
Open search
IP Virtual Server
Community hub
IP Virtual Server
logo
7 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Contribute something
IP Virtual Server
IP Virtual Server
IP Virtual Server
View on Wikipedia
from Wikipedia
ipvsadm
Stable release
1.3.1 / December 24, 2019; 6 years ago (2019-12-24)
Repositorygit.kernel.org/pub/scm/utils/kernel/ipvsadm/ipvsadm.git/
Operating systemLinux kernel
PlatformNetfilter
LicenseGNU General Public License
Websitewww.linuxvirtualserver.org/software/ipvs.html

IPVS (IP Virtual Server) implements transport-layer load balancing, usually called Layer 4 LAN switching, as part of the Linux kernel. It's configured via the user-space utility ipvsadm(8) tool.

IPVS is incorporated into the Linux Virtual Server (LVS), where it runs on a host and acts as a load balancer in front of a cluster of real servers. IPVS can direct requests for TCP- and UDP-based services to the real servers, and make services of the real servers appear as virtual services on a single IP address. IPVS is built on top of Netfilter.[1]

IPVS is merged into versions 2.4.x and newer of the Linux kernel mainline.[1]

See also

[edit]

References

[edit]
[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

IP Virtual Server

View on Grokipedia
from Grokipedia
IP Virtual Server (IPVS) is a software module integrated into the that provides transport-layer (Layer-4) load balancing, allowing a single host to distribute incoming TCP and UDP network requests across a cluster of backend real servers while presenting them as a unified virtual service accessible via a single . Developed as the core component of the (LVS) project, IPVS enables the construction of highly scalable and available server clusters for applications such as , , FTP, media streaming, and VoIP services. The LVS project, which encompasses IPVS, was initiated in May 1998 by Wensong Zhang as an open-source effort under the GNU General Public License to build high-performance, highly available network services through . IPVS was first integrated into the mainline with version 2.6.10 in December 2004, following earlier stable releases such as 1.0.12 for kernel 2.4.28 and 1.0.8 for kernel 2.2.19. Key milestones include the addition of support in kernel 2.6.28-rc3 in November 2008, contributed by developers from , and enhancements like SCTP protocol support and one-packet scheduling in ipvsadm version 1.26 released in February 2011. IPVS continues to be actively maintained in modern and is used for load balancing in container orchestration platforms such as (since version 1.11 in 2018). IPVS operates by intercepting packets via the Netfilter framework in the Linux kernel and applying one of several built-in scheduling algorithms to route connections to the appropriate real server, supporting methods like direct routing, IP tunneling, and Network Address Translation (NAT) for flexible cluster topologies. It includes ten deterministic and dynamic scheduling algorithms to optimize load distribution based on factors such as server capacity, connection count, and client locality, including Round-Robin Scheduling (sequential distribution across servers), Weighted Round-Robin Scheduling (proportional allocation by server weight), Least-Connection Scheduling (to the server with fewest active connections), Weighted Least-Connection Scheduling (weighted variant), Locality-Based Least-Connection Scheduling (for cache clusters prioritizing local servers), Locality-Based Least-Connection with Replication Scheduling (with server set maintenance), Destination Hashing Scheduling (static hash on destination IP), Source Hashing Scheduling (static hash on source IP), Shortest Expected Delay Scheduling (minimizing predicted delay), and Never Queue Scheduling (prioritizing idle servers). Configuration and management are handled via the user-space utility ipvsadm, which allows administrators to define virtual services, add real servers, and select algorithms.

Overview

Definition and Purpose

IP Virtual Server (IPVS) is a module that implements transport-layer (Layer 4) load balancing, also known as Layer-4 switching. It functions as a load balancer, directing incoming network connections to a cluster of real servers while presenting the cluster's services as a single virtual server accessible via one and port. The primary purpose of IPVS is to enable the construction of highly scalable and available virtual servers by grouping multiple physical real servers behind a shared , thereby distributing traffic loads to prevent overload on any single machine and eliminate single points of failure. This clustering approach allows the system to manage high volumes of traffic efficiently, with the virtual server acting as the entry point for client requests using transport protocols such as TCP and UDP. IPVS performs Layer 4 switching by examining only the IP addresses and numbers in packet headers to route , without delving into the or application-layer content, in contrast to Layer 7 proxies that parse higher-level data for more granular decisions. This packet-header-only processing minimizes overhead and supports rapid forwarding. Due to its direct integration within the and avoidance of user-space processing, IPVS delivers low-latency operation and high throughput, with configurations achieving up to 9.6 Gbps in throughput and the capacity to manage over 8 million simultaneous connections on a 1 GB memory system. These attributes make it ideal for high- scenarios requiring efficient, kernel-level distribution of connections across server pools.

Historical Development

The IP Virtual Server (IPVS) originated as a core component of the (LVS) project, initiated by Wensong Zhang in May 1998 to enable scalable clustering of network services amid rising demands. This open-source effort addressed the need for high-availability load balancing in environments, building on kernel-level transport-layer switching to distribute traffic across multiple servers without hardware dependencies. Early development focused on integrating IPVS as a kernel patch, with initial patches for the kernel 2.0 series released in 1999. By 2000, patches for kernel 2.2 series were available, enhancing stability for experimental deployments, before full mainline integration in kernel 2.4.28 in 2004, which marked a pivotal stabilization and broader adoption. These steps evolved IPVS from rudimentary round-robin scheduling to support more sophisticated algorithms, driven by the explosive growth of web traffic in the late 1990s that strained single-server architectures. IPv6 enhancements followed in kernel 2.6.28 in 2008, enabling load balancing over next-generation networks. Ongoing maintenance has occurred under the Netfilter framework, with key contributions from developers like Julian Anastasov for bug fixes and optimizations. As of 2025, IPVS remains actively maintained by the LVS community and is integrated into major distributions such as (RHEL) and , supporting modern high-availability clustering needs.

Architecture

Core Components

The IP Virtual Server (IPVS) relies on a set of kernel modules as its primary building blocks to enable transport-layer load balancing. The core module, ip_vs.ko, forms the foundation by managing virtual services, real servers, and connection handling directly within the . This module intercepts incoming packets targeted at virtual IP addresses using Netfilter hooks, specifically at the PREROUTING and LOCAL_IN stages, to perform initial load balancing decisions before forwarding them to appropriate real servers. Scheduler modules extend the core functionality by implementing specific algorithms for traffic distribution, loaded as separate kernel modules such as ip_vs_rr.ko for . Each scheduler module registers with the IPVS core via a defined interface, allowing dynamic selection and modular extension without recompiling the kernel. This design supports high-performance operation by keeping scheduling logic isolated yet tightly integrated with the core packet processing path. At the heart of IPVS's efficiency are its key data structures, optimized for fast lookups and state management. Virtual service entries are stored in a , keyed by the , , and protocol (TCP, UDP, or SCTP), enabling O(1) average-time complexity for service resolution. The real server table maintains entries for backend servers, including weights for load distribution, connection limits, and states such as active or inactive, linked via doubly-linked lists to their parent virtual services. The connection table tracks active flows using another with to handle collisions, storing details like client and server addresses, protocol state, and timeouts to ensure persistent handling of established connections. These structures, sized dynamically (e.g., connection often defaulting to 4096 buckets), support for high-throughput environments by minimizing memory overhead and enabling rapid packet classification. The control plane for IPVS is exposed through the filesystem at /proc/net/ip_vs, providing runtime inspection of virtual services, real servers, and statistics without requiring user-space intervention. This interface allows administrators to view table contents, connection counts, and metrics, facilitating and monitoring in production deployments. Additionally, separate loadable modules for schedulers enhance modularity, as each can be inserted or removed via [modprobe](/page/Modprobe) to adapt to varying workload needs. For high-availability setups, IPVS includes a synchronization protocol implemented in the kernel to replicate connection states between an active director and backup nodes. This multicast-based protocol transmits delta updates of new or changed connections, ensuring seamless by maintaining the connection table across multiple load balancers in active-passive or active-active configurations. The sync mechanism operates at the kernel level, triggered on connection establishment or state changes, with configurable thresholds to balance overhead and reliability. Security in IPVS is bolstered by its deep integration with Netfilter and , allowing virtual services to be protected through firewall rules applied at the same points used for packet . Administrators can chain IPVS rules with iptables filters to enforce access controls, , or NAT policies on virtual IPs, ensuring that load-balanced traffic adheres to broader policies without compromising performance.

Packet Flow and Processing

IP Virtual Server (IPVS) intercepts incoming packets destined for virtual IP addresses through integration with the kernel's netfilter framework, specifically registering hooks at the NF_INET_PRE_ROUTING and NF_INET_LOCAL_IN points to capture packets early in the network stack. This allows IPVS to process traffic transparently without altering the standard path for non-virtual service packets. Upon interception, the kernel examines the packet's destination IP and port to determine if it matches a configured virtual service. The core processing begins with a lookup in the virtual service , which stores defined virtual IPs, ports, protocols, and associated real servers. If a match is found and the packet initiates a new connection, IPVS invokes a scheduling to select an appropriate real server from the pool, considering factors like server weight and load. The packet's headers are then modified—rewriting the destination IP and to point to the chosen real server, and potentially the source IP and depending on the forwarding method—before forwarding the packet either directly or via encapsulation to the real server. For response packets from real servers, a similar process occurs in the reverse direction, ensuring symmetric back to the client. This header rewriting maintains connection transparency while distributing load. Connection handling relies on a dedicated connection hash table that tracks active sessions, indexed by a of client IP, , protocol, virtual IP, and virtual , with each entry consuming approximately 128 bytes and supporting millions of concurrent connections. New connections are inserted into this table post-scheduling, while subsequent packets for existing connections are quickly routed based on the stored mapping, minimizing overhead. Timeouts are enforced using per-connection timers, where each connection entry has its own set to expire after the configured timeout period (e.g., defaults like 900 seconds for TCP), automatically removing stale connections to reclaim resources and prevent table exhaustion. This mechanism ensures persistent routing for the duration of a session. Performance optimizations stem from IPVS's full implementation in kernel space, enabling direct packet manipulation without user-space context switches or copies, which significantly reduces latency compared to user-space proxies. The system supports both and configurations for the director node, allowing scalable setups in clustered environments. Error handling involves dropping packets that fail validation, such as those without matching virtual services or malformed headers, and integrating with external monitors to detect real server failures, marking inactive servers to exclude them from scheduling and redistribute traffic accordingly.

Load Balancing Mechanisms

Scheduling Algorithms

IP Virtual Server (IPVS) employs a variety of scheduling algorithms to distribute incoming connections across multiple real servers, ensuring efficient load balancing at the network transport layer. These algorithms are implemented within the Linux kernel and can be selected on a per-virtual-service basis to match specific workload requirements, such as equal distribution, capacity-based allocation, or session persistence. The choice of algorithm influences how connections are assigned, with deterministic methods providing predictable mapping and dynamic methods adapting to real-time server states.

Deterministic Algorithms

Deterministic algorithms in IPVS rely on static rules or hashing to assign connections without considering current server loads, making them suitable for scenarios where predictability is prioritized over dynamic adaptation. The Round-Robin (rr) algorithm cycles through available real servers in a sequential manner, distributing connections equally regardless of server capacity; it is ideal for homogeneous server clusters with uniform . The Weighted Round-Robin (wrr) extends this by assigning connections proportionally to each server's predefined weight, where higher weights direct more traffic to capable servers; weights are integers from 0 to 65535, with a default of 1, and a weight of 0 renders a server quiescent, preventing new connections. Destination Hashing (dh) uses a hash of the destination IP address (and port, if applicable) to map connections to a specific real server via a static hash table, ensuring consistent routing for traffic destined to the same endpoint; this is useful in scenarios requiring affinity to particular destinations, such as replicated services. Similarly, Source Hashing (sh) hashes the client (source) IP address to select a server, providing session stickiness by directing subsequent requests from the same client to the same server; it supports persistence templates with a configurable timeout (default 300 seconds) and netmask granularity to group clients, enhancing reliability for stateful applications like web sessions.

Dynamic Algorithms

Dynamic algorithms monitor real-time server metrics, such as active connections, to make informed decisions, making them appropriate for heterogeneous environments or varying loads. The Least Connection (lc) algorithm selects the real server with the fewest active connections for each new request, promoting even distribution as servers complete tasks; it assumes longer-lived connections indicate higher load. Weighted Least Connection (wlc), the default algorithm, refines this by factoring in server weights, assigning connections to the server where the ratio of active connections to weight (Ci/Wi) is lowest; this accommodates servers of differing capacities, such as in mixed hardware setups. Locality-Based Least Connection (lblc) directs connections from the same client IP to the least-loaded local server, falling back to the global least-connected server if locals are overloaded; it optimizes for geographic or network locality in distributed systems, reducing latency for regionally accessed content. Locality-Based Least Connection with Replication (lblcr) builds on lblc by supporting replicated server sets, assigning to the least-connected node in the set and dynamically adding or removing nodes based on load thresholds and timeouts; this is effective for content delivery networks with mirrored data across nodes. Shortest Expected Delay (sed) estimates the response time for each server using the (Ci + 1) / Ui—where Ci is active connections and Ui is —and selects the one with the minimal value; it prioritizes low-latency assignments in environments with variable processing times. Never Queue (nq) first attempts to route to an idle server (no active connections), defaulting to sed if none are available; this minimizes queuing delays in high-throughput scenarios, such as real-time applications.

Configuration and Performance Considerations

Algorithms are configured per virtual service using tools like ipvsadm, with weights reflecting relative server capacities to fine-tune distribution. can be enabled across algorithms (except pure hashing ones, which inherently provide it) via templates that maintain client affinity for a specified duration, using IP netmasks to define persistence granularity. All IPVS scheduling algorithms achieve O(1) through kernel-level hash tables for lookups and updates, enabling scalable performance even with thousands of connections; dynamic algorithms maintain real-time connection counts via kernel hooks, ensuring responsive adaptation without significant overhead.

Forwarding Methods

IP Virtual Server (IPVS) employs three primary packet forwarding methods to route traffic from the director (load balancer) to the selected real servers after scheduling: (NAT), IP Tunneling (TUN), and Direct Routing (DR). These methods determine how incoming packets destined for the virtual IP (VIP) are delivered to real servers and how responses are returned to clients, balancing factors such as , performance, and scalability. VS/NAT (Network Address Translation) operates by rewriting the destination and port of incoming packets to match those of a selected real server, while the source remains the client's IP. On the return path, the director reverses this process, rewriting the source IP of responses from the real server's private IP back to the VIP. This method is suitable for scenarios where real servers are on the same (LAN) as the director and use private IP addresses. Its advantages include simplicity of implementation, compatibility with any operating system supporting TCP/IP, and the ability to hide real server IPs from clients for added . However, it introduces a bottleneck at the director, as all return traffic must pass through it, limiting scalability to approximately 10-20 real servers and throughput to around 8.93 MB/s due to the overhead of packet rewriting (about 60 µs delay per 536-byte packet). VS/TUN (IP Tunneling) encapsulates the original client packet within an IP-in-IP (IPIP) tunnel packet, with the outer header using the director's IP as source and the real server's IP as destination. The real server decapsulates the packet, processes the request, and sends the response directly back to the client using its own , bypassing the director. This approach is ideal for distributed real servers across wide area networks (WANs) or the , enabling high with over 100 servers and throughput exceeding 1 Gbps, as the director handles only outbound traffic. It requires real servers to support IP tunneling protocols and enable IP forwarding. A key disadvantage is the dependency on tunneling-capable operating systems, primarily in early implementations. VS/DR (Direct Routing) modifies only the MAC address of the incoming packet at layer 2, rewriting the destination MAC to that of the selected real server while keeping the IP headers intact (VIP as destination). The real server receives the packet directly via the local network, processes it, and responds to the client using the VIP as its source IP, achieved through where the real server announces itself as owning the VIP. No encapsulation or IP rewriting occurs, resulting in the lowest overhead and high performance for LAN environments with many servers. Real servers must be on the same physical as the director and configured with a alias for the VIP to avoid ARP conflicts. This method demands non-ARP announcement from real servers and careful handling of ARP responses to prevent disruptions. The forwarding method is configured per virtual service using tools like ipvsadm, allowing hybrid setups where different services use different methods for optimized . For , DR and TUN excel in high-throughput scenarios by offloading return traffic from the director, whereas NAT prioritizes simplicity in small, private clusters. Limitations include varying support across methods—general IPVS integration began in 2.6.28, with NAT leveraging kernel NAT capabilities, TUN using IPIP encapsulation, and DR functioning at layer 2—but full compatibility depends on kernel version and configuration. In DR and TUN, supporting multiple directors requires coordination to share the VIP, often via MAC addresses to direct ARP traffic appropriately and avoid loops or conflicts.
MethodPacket ModificationReturn PathScalabilityNetwork SuitabilityKey Requirement
NATIP/port rewriteVia directorLow (10-20 servers)Same LAN, private IPsTCP/IP support
TUNIPIP encapsulationDirect to clientHigh (>100 servers)LAN/WANTunneling & IP forwarding
DRMAC rewriteDirect to clientHigh (many servers)Same LAN VIP, ARP config

Implementation in Linux

Kernel Integration

IP Virtual Server (IPVS) is integrated into the Linux kernel as a load balancing subsystem through the CONFIG_IP_VS kernel configuration option, which enables support for IP virtual server functionality and is defined in the net/netfilter/ipvs/Kconfig file. This option is tristate, allowing IPVS to be built as a loadable module (m) or compiled directly into the kernel (y), and it depends on core networking features including CONFIG_NET and CONFIG_INET, as well as CONFIG_NETFILTER for leveraging the Netfilter framework in packet filtering and manipulation. IPVS has been available in Linux kernel versions since 2.4, where it was included as a stable module in distributions and later kernels, with enhanced stability and mainline integration achieved in the 2.6 series starting from kernel 2.6.0 released in December 2003. At the integration level, IPVS hooks into the kernel's networking stack via Netfilter callbacks, specifically intercepting packets at points such as NF_INET_PRE_ROUTING for incoming traffic, NF_INET_LOCAL_IN for locally destined packets, and NF_INET_POST_ROUTING for outgoing traffic, supporting both IPv4 and protocols. Packet processing relies on the sk_buff (socket buffer) structure, which IPVS modifies to rewrite headers and redirect flows to backend servers without copying data unnecessarily, ensuring high performance in the kernel space. For stateful operation, IPVS maintains its own connection table but synchronizes with the Netfilter connection tracking (conntrack) subsystem to handle NAT and related state information consistently across the network stack. The version history of IPVS in the kernel reflects ongoing enhancements for and feature support; it was merged into the mainline kernel during the 2.6 development cycle, with version 1.1.8 included in kernel 2.6.0, and subsequent updates in the 2.6 series, such as version 1.2.1 in kernel 2.6.10, introduced improvements in connection handling and IPv6 compatibility by kernel 2.6.28. In modern kernels up to version 6.17 as of November 2025, IPVS remains a core component with optimizations for multi-core systems and extended protocol support. Enterprise Linux distributions like (RHEL) often include IPVS as loadable modules in their kernel builds, with compile-time options such as CONFIG_IP_VS_PROTO_SCTP to add support for the (SCTP). Debugging and tuning of IPVS occur through kernel sysctl parameters located under /proc/sys/net/ipv4/vs/, which provide fine-grained control over behavior such as connection timeouts (e.g., net.ipv4.vs.timeout_tcp_fin_wait=60 for TCP FIN_WAIT state) and synchronization thresholds for director (e.g., net.ipv4.vs.sync_threshold). These parameters allow administrators to adjust memory usage, drop rates for overload protection, and expiration policies for TCP, UDP, and other connections, ensuring reliable operation in production environments. User-space management interfaces, such as sockets, facilitate communication with these kernel components for dynamic configuration.

User-Space Management

The primary tool for user-space management of IP Virtual Server (IPVS) is ipvsadm, a command-line utility provided by the utilities package that enables administrators to configure, maintain, and inspect the virtual server table in the kernel. It supports operations such as adding or removing virtual and real servers, assigning weights to real servers for load distribution, setting scheduling algorithms, and listing current configurations with options like -L for table dumps or -S for save/restore. For instance, the command ipvsadm -A -t 192.168.1.100:80 -s rr adds a TCP virtual server at the specified IP and using , while ipvsadm -a -t 192.168.1.100:80 -r 192.168.1.10:80 -m attaches a real server in masquerading mode. As a privileged operation interfacing directly with kernel sockets via setsockopt, ipvsadm requires privileges to execute, ensuring controlled access to the IPVS subsystem. For programmatic control, the libipvs library offers a C-based integrated within the ipvsadm source, allowing applications to manipulate IPVS tables through low-level socket operations without invoking the command-line tool. This library handles encoding and decoding of IPVS structures for actions like adding services or retrieving stats, facilitating integration into custom management scripts or higher-level tools. Runtime inspection and statistics are accessible via the /proc/net/ip_vs pseudo-file, which reports the IPVS version (e.g., "IP Virtual Server version 1.2.1 (size=4096)"), size, timeout values, and connection insertion counters, providing a direct view into the kernel's load balancing state. Complementing this, /proc/net/ip_vs_stats exposes detailed per-protocol and global metrics, such as total connections handled, packets processed, and bytes transferred, enabling real-time diagnostics without additional overhead. Monitoring capabilities are enhanced through ipvsadm's built-in options, including --stats and --rate flags, which output aggregated data like active connections, in-packet rates (CPS), and CPU load per virtual service for performance tuning. These metrics integrate seamlessly with external systems; for example, the Prometheus Node Exporter includes an enabled-by-default IPVS collector that scrapes /proc/net/ip_vs and /proc/net/ip_vs_stats to expose kernel load balancing metrics in a format suitable for time-series analysis and alerting. For high availability extensions, tools like Keepalived leverage IPVS as the underlying load balancer, using VRRP for director failover and synchronizing virtual server tables across nodes to maintain seamless operation during failures. Similarly, HAProxy can incorporate IPVS in Layer 4 configurations, such as in HAProxy ALOHA appliances, where IPVS handles transport-layer distribution as a backend to HAProxy's higher-layer proxying for hybrid balancing setups.

Configuration and Management

Basic Setup with ipvsadm

To configure IP Virtual Server (IPVS) using ipvsadm, the kernel must support IPVS, typically through the IP_VS configuration option enabled during compilation or as loadable modules. Install the ipvsadm package if not present, and load necessary kernel modules such as ip_vs for core functionality and ip_vs_rr for round-robin scheduling. Run modprobe ip_vs and modprobe ip_vs_rr to activate them. Enable IP forwarding on the director node to allow packet routing between virtual and real servers, using sysctl -w net.ipv4.ip_forward=1. This persists across reboots by adding net.ipv4.ip_forward=1 to /etc/sysctl.conf and running sysctl -p. Assign the virtual IP (VIP) to the director's network interface, for example, ip addr add <VIP>/32 dev eth0, to route incoming traffic. Add a virtual server with ipvsadm -A -t <VIP>:<port> -s <scheduler>, where -t specifies TCP, <VIP>:<port> defines the service endpoint, and -s selects the scheduler (e.g., rr for round-robin). For persistent connections, include -p <timeout> (in seconds, default 300). Then, add real servers with ipvsadm -a -t <VIP>:<port> -r <realIP>:<port> [-g|-i|-m] [-w <weight>], where -g enables direct routing (DR), -i IP tunneling, -m NAT masquerading, and -w sets the weight (default 1). For verification, use ipvsadm -L -n to list virtual servers and their associated real servers in numeric format. Test connectivity by sending requests to the VIP, such as curl http://<VIP> or telnet <VIP> <port>. A simple example load balances HTTP traffic on port 80 across two real servers in DR mode. Assume the director has IP 192.168.1.100, VIP 192.168.1.200, and real servers at 192.168.1.101:80 and 192.168.1.102:80. On the director:
  • Enable forwarding: sysctl -w net.ipv4.ip_forward=1
  • Add VIP: ip addr add 192.168.1.200/32 dev eth0
  • Add virtual server: ipvsadm -A -t 192.168.1.200:80 -s rr
  • Add first real server: ipvsadm -a -t 192.168.1.200:80 -r 192.168.1.101:80 -g -w 1
  • Add second real server: ipvsadm -a -t 192.168.1.200:80 -r 192.168.1.102:80 -g -w 1
On each real server, configure a loopback alias for the VIP to handle responses: ip addr add 192.168.1.200/32 dev lo and ip route add local 192.168.1.200 dev lo, plus sysctl -w net.ipv4.conf.lo.arp_ignore=1, sysctl -w net.ipv4.conf.lo.arp_announce=2, sysctl -w net.ipv4.conf.all.arp_ignore=1, and sysctl -w net.ipv4.conf.all.arp_announce=2 to suppress ARP responses. Persist the sysctl settings by adding them to /etc/sysctl.conf and running [sysctl](/page/Sysctl) -p. Verify with ipvsadm -L -n and test via [curl](/page/CURL) http://192.168.1.200.

Advanced Tuning and Monitoring

Advanced tuning of IP Virtual Server (IPVS) involves adjusting kernel parameters via sysctl to optimize connection handling, usage, and in high-load environments. The net.ipv4.vs.conntrack , when set to 1, enables connection tracking integration, which is essential for deployments using rules but may introduce overhead if not required. Timeouts for connections can be configured globally using ipvsadm --set to specify values in seconds for TCP (default 900), TCP FIN_WAIT (default 120), and UDP (default 300), preventing stale entries from consuming resources during idle periods. Cache sizes for hash tables are determined at kernel via CONFIG_IP_VS_TAB_BITS, typically set to 16 for a table of 65536 entries, which scales to handle hundreds of thousands of connections by reducing hash collisions. Performance optimizations focus on forwarding methods and dynamic adjustments to handle scale. Direct Routing (DR) and Tunneling (TUN) modes are preferred for large deployments as they avoid packet rewriting on the director, minimizing CPU usage compared to Network Address Translation (NAT). Weights for real servers can be tuned dynamically with ipvsadm -e -w <weight> (range 0-65535, default 1) to balance load based on server capacity, ensuring healthier nodes receive more traffic. For custom filtering, eBPF programs can be attached via netfilter hooks to extend IPVS behavior, such as implementing advanced routing decisions, though this requires kernel support for eBPF since version 4.4. Monitoring IPVS involves built-in tools and external integrations for real-time insights. The ipvsadm -L --stats --rate command provides metrics like total packets, bytes, connections per second, and inbound/outbound rates for virtual services and real servers, enabling quick assessment of throughput and bottlenecks. Kernel logs accessible via dmesg or /var/log/kern.log capture IPVS errors, such as failures or memory pressure events. For enterprise setups, IPVS integrates with through SNMP-based plugins that monitor virtual and real server states via Keepalived. Similarly, Zabbix supports IPVS via custom scripts and templates that discover services and track connection counts, weights, and health status. Troubleshooting common issues like connection overflows requires proactive configuration. When is low, parameters like net.ipv4.vs.drop_entry (set to 1-3 for auto or always-on dropping of entries) and net.ipv4.vs.drop_packet (rate-based packet drops) prevent table exhaustion by randomly discarding entries or packets. The synchronization daemon, managed via ipvsadm --start-daemon or the ipvs_syncd binary, shares connection states across directors; tune net.ipv4.vs.sync_threshold (default [3 50]) to control sync frequency and net.ipv4.vs.sync_qlen_max (1/32 of pages) to limit queued messages, avoiding overflows in multi-director setups. testing can simulate director failures by stopping the sync daemon and verifying state migration using tools like ipvsadm -L to check connection persistence. Best practices for production IPVS deployments emphasize resource limits and protocol considerations. Limit total connections by monitoring hash table utilization and enabling defenses like net.ipv4.vs.amemthresh (default 1024 pages) to trigger automatic drops under memory pressure. For stateful applications, enable persistent connections with ipvsadm -p <timeout> to maintain session affinity, reducing overhead from frequent rebalancing. IPv6 support in IPVS follows IPv4 configurations but requires enabling net.ipv6.conf.all.forwarding=1 and using dual-stack virtual services, with the same sysctl parameters applying transparently for tuning.

Applications and Comparisons

Real-World Use Cases

IP Virtual Server (IPVS) is widely deployed in high-availability web clusters to distribute traffic across multiple backend servers, often integrated with tools like Keepalived for director failover to ensure seamless redundancy during failures. In such setups, IPVS acts as the load balancer in (LVS) configurations, handling incoming requests at Layer 4 and forwarding them using methods like IP tunneling or direct . A prominent example is Alibaba's platform, where LVS-based IPVS manages massive traffic volumes, supporting millions of requests per second during peak events like shopping festivals through optimized forwarding and high-throughput kernel processing. In container orchestration environments, IPVS powers ' kube-proxy in IPVS mode, enabling efficient load balancing for services across pods in large-scale clusters. This mode leverages the kernel's IPVS implementation to redirect traffic from cluster IP addresses to endpoint pods, outperforming the default mode by using hash tables for constant-time lookups and supporting advanced scheduling algorithms, which reduces CPU overhead and network latency in clusters with over 1,000 services. For instance, in Amazon EKS clusters running IPVS mode, it resolves scalability issues associated with rule proliferation, allowing smoother handling of high pod densities without performance degradation. For content delivery networks (CDNs) and , IPVS employs to balance loads across geo-distributed servers, minimizing latency by allowing real servers to respond directly to clients without routing traffic back through the director. This method is particularly suited for edge deployments where bandwidth efficiency is critical, as it avoids the overhead of . IPVS can integrate with for hybrid Layer 4 and Layer 7 setups, where IPVS handles initial TCP/UDP distribution and applies content-aware on the backends, enhancing scalability in distributed caching scenarios. IPVS is also utilized as a frontend for database systems like and , employing the least-connection scheduling algorithm to distribute TCP connections evenly across replica servers based on current active connections. This algorithm selects the server with the fewest ongoing connections, promoting balanced resource utilization in read-heavy workloads and preventing overload on any single instance. In practice, configurations with Keepalived ensure , making it reliable for persistent database connections without session disruption. Notable case studies highlight IPVS's influence and adoption in major platforms. Facebook's early Layer 4 load balancer was built on the IPVS kernel module, serving global traffic for years before evolving into custom solutions like Katran, which retained IPVS-inspired efficiency for and minimal disruption during backend changes. While versatile, IPVS has limitations in scenarios requiring Layer 7 content-based routing, as it operates solely at the and cannot inspect application data for decisions like URL pathing or header matching. For extreme throughput, such as beyond 10 Gbps, deployments often scale via multi-director setups with tools like Keepalived for shared virtual IPs, distributing load across multiple IPVS instances to achieve aggregate capacities in the tens of Gbps without single-point bottlenecks.

Comparison with Other Load Balancers

IP Virtual Server (IPVS) operates at Layer 4 of the in kernel space, providing efficient transport-layer load balancing with minimal overhead compared to user-space Layer 7 solutions like and . These L7 balancers excel in content-aware routing, such as HTTP header inspection, SSL termination, and path-based forwarding, which IPVS lacks due to its focus on IP and port-level distribution. However, IPVS achieves higher throughput in kernel-mode processing without user-kernel context switches, making it suitable for high-volume TCP/UDP traffic where L7 features are unnecessary. In contrast to hardware appliances like F5 BIG-IP, IPVS is a free, open-source software solution integrated into the Linux kernel, offering cost savings and flexibility for deployment on commodity hardware. F5 BIG-IP provides advanced security features, application delivery controllers, and comprehensive traffic management at Layers 4-7, but at a higher cost and with vendor lock-in. IPVS requires manual tuning for persistence and health checks to match appliance-level reliability, yet it scales well in software-defined environments without proprietary hardware dependencies. Within , IPVS serves as a backend for kube-proxy, delivering scalable in-cluster load balancing superior to legacy mode, particularly for clusters exceeding 1,000 services. Compared to Layer 7 ingress controllers like those using Envoy (e.g., in Istio or Ingress), IPVS provides lower-latency L4 forwarding via hash tables, supporting algorithms like weighted least connections for even distribution across thousands of endpoints. Envoy adds L7 capabilities such as circuit breaking and but introduces higher processing overhead and latency due to user-space proxying. IPVS also outperforms iptables for load balancing by replacing linear rule traversal with O(1) hash lookups, reducing CPU utilization in large-scale setups. For instance, in clusters with 10,000 services and 100,000 pods, IPVS consumes approximately 8% of a CPU core versus 35% for under similar non-keepalive traffic loads of 1,000 requests per second. IPVS handles persistence and weighted scheduling more natively than iptables' DNAT rules, which lack built-in backend weighting. Recent benchmarks as of 2024 demonstrate IPVS achieving throughput comparable to DNAT but surpassing user-space balancers like due to reduced context-switching overhead. IPVS is ideal for high-throughput, L4-only scenarios like database clusters or backends, often integrated with L7 proxies for hybrid deployments requiring both speed and advanced routing.

References

  1. http://www.linuxvirtualserver.org/software/ipvs.html
  2. http://www.linuxvirtualserver.org/
  3. http://www.linuxvirtualserver.org/lmb/LVS-Announce.html
  4. https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies
  5. http://www.linuxvirtualserver.org/docs/scheduling.html
  6. https://kb.linuxvirtualserver.org/wiki/IPVS
  7. https://kb.linuxvirtualserver.org/wiki/Performance_and_Tuning
  8. https://kb.linuxvirtualserver.org/wiki/FAQ
  9. http://www.linuxvirtualserver.org/ols/lvs.pdf
  10. https://kb.linuxvirtualserver.org/wiki/Compiling_ipvsadm_on_different_Linux_distributions
  11. https://kb.linuxvirtualserver.org/wiki/IPv6_load_balancing
  12. https://linux-vs.org/software/ChangeLog
  13. https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/migration_planning_guide/sect-kernel-ipvs
  14. https://launchpad.net/ubuntu/jammy/%2Bpackage/ipvsadm
  15. https://codebrowser.dev/linux/linux/include/net/ip_vs.h.html
  16. https://ijcaonline.org/archives/volume186/number64/ramachandran-2025-ijca-924460.pdf
  17. https://docs.mirantis.com/mke/3.5/single/
  18. https://kubernetes.io/blog/2018/07/09/ipvs-based-in-cluster-load-balancing-deep-dive/
  19. https://access.redhat.com/solutions/353853
  20. https://docs.huihoo.com/hpc-cluster/linux-virtual-server/HOWTO/LVS-HOWTO.ipvsadm.html
  21. https://archive.linuxvirtualserver.org/html/lvs-devel/2017-10/msg00004.html
  22. http://www.linuxvirtualserver.org/docs/sync.html
  23. https://docs.kernel.org/networking/ipvs-sysctl.html
  24. https://www.netfilter.org/documentation/HOWTO/netfilter-hacking-HOWTO-3.html
  25. https://medium.com/google-cloud/load-balancing-with-ipvs-1c0a48476c4d
  26. https://codebrowser.dev/linux/linux/net/netfilter/ipvs/ip_vs_conn.c.html
  27. https://linux.die.net/man/8/ipvsadm
  28. https://www.linuxvirtualserver.org/software/ipvs.html
  29. http://www.linuxvirtualserver.org/how.html
  30. http://www.linuxvirtualserver.org/docs/arp.html
  31. https://cateee.net/lkddb/web-lkddb/IP_VS.html
  32. http://www.linuxvirtualserver.org/news.html
  33. https://www.kernel.org/
  34. https://github.com/horms/ipvsadm
  35. https://github.com/prometheus/node_exporter
  36. http://keepalived.readthedocs.io/en/latest/introduction.html
  37. https://www.haproxy.com/documentation/haproxy-aloha/load-balancing/overview/
  38. https://linuxconfig.org/how-to-turn-on-off-ip-forwarding-in-linux
  39. https://www.redhat.com/en/blog/ifconfig-vs-ip
  40. http://www.linuxvirtualserver.org/VS-DRouting.html
  41. http://kb.linuxvirtualserver.org/wiki/Using_arp_announce/arp_ignore_to_disable_ARP
  42. https://www.kernelconfig.io/config_ip_vs_tab_bits
  43. http://www.linuxvirtualserver.org/docs/sysctl.html
  44. https://github.com/alaskacommunications/nagios_check_keepalived
  45. https://github.com/shinonome/zabbix_ipvsadm
  46. https://github.com/alibaba/LVS
  47. https://alibaba-cloud.medium.com/high-performance-dpdk-based-server-load-balancing-for-alibaba-singles-day-shopping-festival-c126ba38e98d
  48. https://kubernetes.io/docs/reference/networking/virtual-ips/
  49. https://docs.aws.amazon.com/eks/latest/best-practices/ipvs.html
  50. https://www.alibabacloud.com/blog/load-balancing---linux-virtual-server-lvs-and-its-forwarding-modes_595724
  51. https://keepalived-pqa.readthedocs.io/en/latest/scheduling_algorithms.html
  52. https://engineering.fb.com/2018/05/22/open-source/open-sourcing-katran-a-scalable-network-load-balancer/
  53. https://www.relianoid.com/top-load-balancers/haproxy-vs-linux-virtual-server-load-balancer/
  54. https://webthesis.biblio.polito.it/7498/1/tesi.pdf
  55. https://www.relianoid.com/top-load-balancers/f5-networks-big-ip-vs-linux-virtual-server-load-balancer/
  56. https://documentation.suse.com/sle-ha/15-SP7/html/SLE-HA-all/cha-ha-lb.html
  57. https://www.tigera.io/blog/comparing-kube-proxy-modes-iptables-or-ipvs/
  58. https://support.huaweicloud.com/intl/en-us/usermanual-cce/cce_10_0349.html
  59. https://www.researchgate.net/profile/Kimitoshi-Takahashi/publication/337971562_A_Study_on_Portable_Load_Balancer_for_Container_Clusters/links/5df85dd74585159aa4830087/A-Study-on-Portable-Load-Balancer-for-Container-Clusters.pdf
  60. https://severalnines.com/blog/benchmark-load-balancers-mysqlmariadb-galera-cluster/
Add your contribution
Related Hubs
Contribute something
User Avatar
No comments yet.