Re: Firewalling and network resource consumption while under attack

Jamie Lokier (lkd@tantalophile.demon.co.uk)
Fri, 25 Sep 1998 19:09:07 +0100


On Fri, Sep 25, 1998 at 10:04:51AM +0100, Riley Williams wrote:
> >> The buffer has to be copied to main memory and the header
> >> checksummed whatever happens. On a packet that matches the
> >> firewall no further processing is done
>
> > Hmm, what lasts longer, matching against the firewall or
> > calculating the checksum? If checksumming takes longer what about
> > doing the firewall matching first?
>
> As I understand it, the header checksum HAS to be done first since
> it's there to verify that the packet is valid in the first place.
> Until that validation has been done, the details in the header are
> meaningless.

Ah but no. A packet is dropped if the checksum is bad. A packet is
dropped if the firewall says so. The order of these tests doesn't
matter.

But that's not the point. The header checksum isn't all that slow,
though you might still want to drop the packet based on IP addresses
first. It's the data copy and checksum that could maybe be deferred.

Or you could read the IP addresses, protocol and port number from the
header while it's still in the network card maybe, to decide if the
packet shall even be copied off the card. Then you'd skip the header
checksum just to minimise the number of card reads. But I doubt this
would be worth the headaches.

-- Jamie
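Jamie's point above (the checksum test and the firewall test are independent drop decisions, so their order changes only how much work is done on a dropped packet, not the verdict) as an added C example that is not part of the original thread. The 20-byte header layout, the rule that drops sources in 203.0.113.0/24, and the corruption by flipping a TTL bit are constructed assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* RFC 1071 ones'-complement checksum over a 20-byte IPv4 header (no options). */
static uint16_t ip_checksum(const uint8_t *hdr, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((hdr[i] << 8) | hdr[i + 1]);
    while (sum >> 16) sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* With the checksum field in place the words sum to all-ones, so ~sum == 0. */
static int ip_checksum_ok(const uint8_t *hdr) { return ip_checksum(hdr, 20) == 0; }

/* Hypothetical firewall rule: drop anything sourced from 203.0.113.0/24. */
static int firewall_blocks(const uint8_t *hdr) {
    return hdr[12] == 203 && hdr[13] == 0 && hdr[14] == 113;
}

struct verdict { int accept; int checksummed; };

/* Apply the two drop tests in either order and record whether the checksum
   was computed at all; that is the work a firewall-first order can skip. */
static struct verdict process(const uint8_t *hdr, int firewall_first) {
    struct verdict v = { 1, 0 };
    if (firewall_first && firewall_blocks(hdr)) { v.accept = 0; return v; }
    v.checksummed = 1;
    if (!ip_checksum_ok(hdr)) { v.accept = 0; return v; }
    if (!firewall_first && firewall_blocks(hdr)) v.accept = 0;
    return v;
}

/* Constructed header: IPv4, IHL 5, total length 20, DF, TTL 64, proto TCP. */
static const uint8_t *make_header(uint32_t src, uint32_t dst, int corrupt) {
    static uint8_t out[20];
    static const uint8_t base[20] = { 0x45, 0, 0, 20, 0, 0, 0x40, 0, 64, 6 };
    memcpy(out, base, 20);
    for (int i = 0; i < 4; i++) {
        out[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        out[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    uint16_t c = ip_checksum(out, 20);       /* checksum field still zero here */
    out[10] = (uint8_t)(c >> 8); out[11] = (uint8_t)c;
    if (corrupt) out[8] ^= 1;                /* flip a TTL bit: checksum now fails */
    return out;
}

int main(void) {
    struct verdict a = process(make_header(0xCB007105u, 0xC0000201u, 0), 1);
    struct verdict b = process(make_header(0xCB007105u, 0xC0000201u, 0), 0);
    printf("blocked src: accept=%d/%d checksummed=%d/%d\n",
           a.accept, b.accept, a.checksummed, b.checksummed);
    return 0;
}
```

Both orders drop the blocked packet, but only the checksum-first order pays for the checksum before dropping it.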
