[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openbsd-cvs
Subject:    CVS: cvs.openbsd.org: src
From:       Henning Brauer <henning () cvs ! openbsd ! org>
Date:       2007-05-29 0:50:41
Message-ID: 200705290050.l4T0ofdi026152 () cvs ! openbsd ! org
[Download RAW message or body]

CVSROOT:	/cvs
Module name:	src
Changes by:	henning@cvs.openbsd.org	2007/05/28 18:50:41

Modified files:
	sys/net        : pf.c 

Log message:
gain us another 10+% of performance.
boring details:
long time ago (in r1.313) code was added to handle protocol checksums:
> Check protocol (TCP/UDP/ICMP/ICMP6) checksums of all incoming packets,
> and drop packets with invalid checksums. Without such a check, pf would
> return RST/ICMP errors even for packets with invalid checksums, which
> could be used to detect the presence of the firewall, reported by
> "Ed White" in http://www.phrack.org/phrack/60/p60-0x0c.txt.
that meant we did the checksumming for each and every packet traversing pf.
now only do the checksumming right before we send an RST back, so in all
other cases we save that work.
ok bob theo

[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic