Hi Paul,

On Thu, 2013-05-16 at 12:29 +0100, Paul Fitzgibbons wrote:
> Hi,
>
> Can someone please let me know if there is a way of restricting target
> discovery based upon IP addresses?
>
> We currently use IET and use targets.allow to restrict this (We have
> multiple VLANs on our SAN servers and do this to restrict traffic to
> relevant subnets).
>
> Does this functionality exist in LIO?
>

Based on IP addresses, no. Namely because we expect multiple
connections over multiple interfaces may change over time, and tying
target access to InitiatorName vs. IP address works better as the former
is required by RFC-3720 to be persistent for the life time of the
initiator node, where the latter has no such requirement.

Access to perform sendtargets discovery can be limited via CHAP
discovery authentication, which can be configured via targetcli here:

http://www.linux-iscsi.org/wiki/ISCSI#Enable_discovery_control

Access to individual TargetName+TargetPortalGroupTag endpoints, and the
LUNs behind them are restricted via explicit initiator NodeACLs +
MappedLUNs. This is also done via targetcli, and a brief example is
here:

http://www.linux-iscsi.org/wiki/ISCSI#Define_access_rights

targetcli has inline help for these operations (use help or <TAB><TAB>),
and more info about general usage can be found here:

http://www.linux-iscsi.org/wiki/Targetcli#Basic_concepts

--nab
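
The three controls named in the reply above (CHAP on discovery, explicit initiator NodeACLs, MappedLUNs), as an added example that is not part of the original thread or of the LIO documentation: a shell helper that prints the targetcli commands for one target so they can be reviewed before being applied. The function names, the use of `tpg1` and LUN 0, the `DISC_USER`/`DISC_PASS` variables and the name validation are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original message. IQNs and credentials used with
# it are constructed placeholders; tpg1 and LUN 0 are assumptions.

# Print the targetcli commands (one "<path> <command>" per line) that gate
# SendTargets discovery with CHAP and limit login to explicit NodeACLs.
# usage: DISC_USER=... DISC_PASS=... lio_acl_plan TARGET_IQN INITIATOR_NAME...
lio_acl_plan() {
    [ "$#" -ge 2 ] || { echo "need a target and at least one initiator" >&2; return 1; }
    # Credentials are later word-split into targetcli arguments: keep them plain.
    for v in "${DISC_USER:-}" "${DISC_PASS:-}"; do
        case $v in
            ''|*[!A-Za-z0-9._-]*) echo "unset or unsafe discovery credentials" >&2; return 1 ;;
        esac
    done
    # ACLs are keyed by iSCSI name (iqn./eui.), never by IP address or hostname.
    for name in "$@"; do
        case $name in
            *[!A-Za-z0-9.:-]*) echo "invalid iSCSI name: $name" >&2; return 1 ;;
            iqn.*|eui.*) ;;
            *) echo "not an iSCSI name: $name" >&2; return 1 ;;
        esac
    done
    target=$1; shift
    tpg="/iscsi/$target/tpg1"
    # Do not map every LUN automatically when a NodeACL is created.
    echo "set global auto_add_mapped_luns=false"
    # Require CHAP before an initiator may run SendTargets discovery.
    echo "/iscsi set discovery_auth enable=1 userid=$DISC_USER password=$DISC_PASS"
    # Turn off demo mode so only initiators with an explicit NodeACL can log in.
    echo "$tpg set attribute generate_node_acls=0"
    for name in "$@"; do
        echo "$tpg/acls create $name"
        # Positional arguments: mapped LUN 0 for this initiator -> TPG LUN 0.
        echo "$tpg/acls/$name create 0 0"
    done
}

# Apply the plan; each line becomes the argument list of one targetcli call.
lio_acl_apply() {
    plan=$(lio_acl_plan "$@") || return 1
    printf '%s\n' "$plan" | while read -r line; do
        targetcli $line || exit 1   # unquoted on purpose: split into path + command
    done
}
```

Run `lio_acl_plan` on its own to review the commands first; `lio_acl_apply` passes the discovery secret on the targetcli command line, where it is briefly visible in the process list.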