[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openbsd-cvs
Subject:    CVS: cvs.openbsd.org: src
From:       Daniel Hartmeier <dhartmei () cvs ! openbsd ! org>
Date:       2003-01-31 19:22:11
[Download RAW message or body]

CVSROOT:	/cvs
Module name:	src
Changes by:	dhartmei@cvs.openbsd.org	2003/01/31 12:22:11

Modified files:
	sys/net        : pf.c 

Log message:
Check protocol (TCP/UDP/ICMP/ICMP6) checksums of all incoming packets,
and drop packets with invalid checksums. Without such a check, pf would
return RST/ICMP errors even for packets with invalid checksums, which
could be used to detect the presence of the firewall, reported by
"Ed White" in http://www.phrack.org/phrack/60/p60-0x0c.txt.

To minimize the cost of checksum calculations, mbuf flags set by
network interfaces capable of hardware checksumming are honoured,
and set when pf performs the calculation, so the TCP/IP stack itself
will not repeat the calculation for the same packet later on.

ok mcbride@ and henning@

[prev in list] [next in list] [prev in thread] [next in thread]