Michael Schuster wrote:
> On 01/26/09 11:50, Sangeeta Misra wrote:
>
>> On 01/26/09 11:44, Erik Nordmark wrote:
>>
>>> Sangeeta Misra wrote:
>>>
>>>> One reason for an ILB machine to configure IP Filter may be to disallow
>>>> all incoming packets except for those that are for load balancing and
>>>> ssh. I don't know how common this case may be, but I am wondering if
>>>> this capability can be added in ILB itself, so that the user does not
>>>> require IP Filter configuration for this purpose. We can invoke
>>>> this via an additional lbadm option called "dedicated" or something.
>>>>
>>> When and if we do a GUI/WUI for a load balancer it probably makes
>>> sense to expose filtering there. But I don't think it makes sense to
>>> put things in one CLI that already exist in another CLI.
>>>
>> OK
>>
>>>> This would probably mean that at ip_input() we check to see if the packet
>>>> is ssh protocol; if it's not, we match the packet's dest port and
>>>> protocol to those that show up in lb rules or else drop the packet.
>>>>
>>> Why not just configure IP Filter with a ruleset to handle this?
>>>
>>> Erik
>>>
>> Possibly perf reason?
>>
>
> aren't we starting down a slippery slope once we have this special case?
> what's to stop someone else from demanding "just one" other special case ...?
>

My thoughts exactly.

Darren
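The IP Filter ruleset Erik refers to, as an added example that is not part of the thread: it admits ssh to the host's own address and only the VIP/port pairs that appear in the ILB rules, and drops everything else inbound. The addresses (192.0.2.1 for the host, 192.0.2.10 for the VIP) and the ports 80 and 443 are placeholders standing in for whatever the lbadm rules actually carry.

```conf
# Added example ipf.conf for a dedicated ILB host (not from the thread).
# IP Filter evaluates rules top to bottom; "quick" stops at the first match,
# so the leading block rule only catches traffic no later pass rule claims.
block in log all

# Local traffic is never filtered.
pass in quick on lo0 all

# Administrative access: ssh to the host's own (placeholder) address only.
pass in quick proto tcp from any to 192.0.2.1 port = 22 flags S keep state

# One pass line per load-balancing rule: same VIP, port and protocol as in
# the ILB configuration (placeholder values here). Anything else is dropped
# by the block rule above, which is the "dedicated" behaviour discussed.
pass in quick proto tcp from any to 192.0.2.10 port = 80 flags S keep state
pass in quick proto tcp from any to 192.0.2.10 port = 443 flags S keep state

# Let the host originate connections and keep state for their replies.
pass out quick all keep state
```

If ILB runs in a NAT mode, the back-end servers' replies also arrive inbound on this host and need their own pass rule; in DSR mode the back-ends answer the client directly, so the rules above suffice.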
