On 01/26/09 11:50, Sangeeta Misra wrote:
> On 01/26/09 11:44, Erik Nordmark wrote:
>> Sangeeta Misra wrote:
>>> One reason for ILB machine to configure IP Filter may be to disallow
>>> all incoming packets except for those that are for load balancing and
>>> ssh. I don't know how common this case may be, but I am wondering if
>>> this capability can be added in ILB itself, so that the user does not
>>> require IP Filter configuration for this purpose. We can invoke
>>> this via an additional lbadm option called "dedicated" or something
>> When and if we do a GUI/WUI for a load balancer it probably makes
>> sense to expose filtering there. But I don't think it makes sense to
>> put things in one CLI that already exist in other CLI.
> OK
>>> This would probably mean that at ip_input() we check to see if packet
>>> is ssh protocol, if it's not, we match the packet's dest port and
>>> protocol to those that show up in lb rules or else drop the packet.
>> Why not just configure IP Filter with a ruleset to handle this?
>>
>> Erik
> Possibly perf reason?

aren't we starting down a slippery slope once we have this special case?
what's to stop someone else from demanding "just one" other special case ...?

Michael
--
Michael Schuster http://blogs.sun.com/recursion
Recursion, n.: see 'Recursion'
