Hello,
On Mon, 24 Sep 2001, Zachariah Mully wrote:
> It allows one the ability to write iptable rules like this:
> $IPTABLES -I INPUT -p tcp --dport 80 -m string --string .exe? -m
> state --state ESTABLISHED -j REJECT --reject-with tcp-reset
> I was initially investigating this as a quick and dirty way of blocking
> Nimda from my network (all linux, but I still didn't want that nasty
> little guy flying around on my samba servers) at my firewall, but then
> it occurred to me that I could also use this in combination with a
> fwmark-based LVS system to provide pseudo-L7 loadbalancing capabilities.
Isn't this matching too simple to be used in L7 switching? OTOH,
one must take care in what context these rules can apply - we are not
always sure what we match, it is content-dependent.
> In my case I want to loadbalance a set of name-based virtual hosts all
> differently, some need SSL, some don't, some I only want balanced off
> two servers instead of three.
Grr, don't expect this from LVS :)
> Has anyone played with this patch? I don't have a lab or the equipment
> to set up a test system, but I figure that with all the intelligent LVS
> users out there, someone must have tried this patch already ;)
>
> Thanks again,
> Zack
Regards
--
Julian Anastasov <ja@xxxxxx>
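
The content-dependence raised in the reply above, as an added example that is not part of the original thread: a Python emulation of a per-packet substring match for `.exe?`, compared with a check scoped to the HTTP request target. The function names and all payloads are constructed for illustration and are not from the string-match patch.

```python
# Added illustration: emulates what "-m string --string .exe?" sees, one
# packet payload at a time, and compares it with a check limited to the
# HTTP request target. All payloads below are constructed samples.
PATTERN = b".exe?"


def string_match(payload: bytes, pattern: bytes = PATTERN) -> bool:
    """Per-packet substring search with no notion of HTTP structure."""
    return pattern in payload


def request_target_match(payload: bytes, pattern: bytes = PATTERN) -> bool:
    """Match only when the pattern sits in the target of a request line."""
    first_line = payload.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return False  # payload does not start with an HTTP request line
    return pattern in parts[1]


SAMPLES = {
    # The case the rule was written for: pattern in the requested URL.
    "pattern_in_request_line":
        b"GET /cgi-bin/tool.exe?arg=1 HTTP/1.0\r\nHost: www\r\n\r\n",
    # Ordinary page fetch whose Referer happens to contain the pattern.
    "pattern_in_referer":
        b"GET /index.html HTTP/1.0\r\n"
        b"Referer: http://example.test/setup.exe?v=2\r\n\r\n",
    # Form post whose body text mentions the pattern.
    "pattern_in_post_body":
        b"POST /forum/reply HTTP/1.0\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        b"text=why+is+tool.exe?+blocked",
    "plain_request":
        b"GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n",
}


def classify(samples=SAMPLES):
    """Return {name: (substring_hit, request_target_hit)} for each payload."""
    return {n: (string_match(p), request_target_match(p))
            for n, p in samples.items()}


if __name__ == "__main__":
    for name, (raw, scoped) in classify().items():
        print(f"{name:24} string-match={raw!s:5} request-target-only={scoped}")
```

The Referer and POST-body samples are reset by the substring match even though the requested URL is harmless, which is the same ambiguity a fwmark chosen by such a match would inherit.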