Take care.
If the firewall is set up to "reject" the packet rather than "denying"
it, a response is sent to the source. Thus, you'd have to:
1. Look up firewall rules, drop packet if firewall says "deny".
2. Compare checksums, drop if mismatch.
3. If firewall said "reject", send response and drop packet.
Furthermore, byte counters in firewall rules would be wrong, packet
counters would include some of the corrupted packets.
And you have to check that the packet is long enough in the
firewalling code (unless you do 1. size checks, 2. firewall check,
3. checksum check,...).
And finally, make sure that you don't do any accounting before the
checksum check, or you're going to see an accounted bandwidth of
300 kBit/s on a 64 kBit/s line some day...
Conclusion: Do checksum checks first, then all the other stuff. It'll
prevent a whole bunch of bugs and make the code a bit simpler.
-- Jan
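The ordering recommended in the message above (size check, checksum, firewall, then accounting), as an added example that is not part of the original message or of any kernel code. The packet layout, rule table, and all names (`rx_packet`, `fw_lookup`, `struct stats`, `SAMPLE_REJECT`) are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed toy format: [selector, 0, csum_hi, csum_lo] + payload. */
#define HDR_LEN 4
enum verdict { V_ACCEPT, V_DENY, V_REJECT };
enum result { R_DROP_SHORT, R_DROP_CSUM, R_DROP_DENY, R_REJECT_SENT, R_ACCEPTED };
struct stats { unsigned long rule_pkts, rule_bytes, acct_bytes, rejects_sent; };

/* RFC 1071 Internet checksum; a valid packet yields 0 over its full length. */
static uint16_t inet_csum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)p[i] << 8) | p[i + 1];
    if (len & 1)
        sum += (uint32_t)p[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Hypothetical rule table keyed on byte 0; a lookup bumps the rule counters. */
static enum verdict fw_lookup(const uint8_t *pkt, size_t len, struct stats *st)
{
    st->rule_pkts++; st->rule_bytes += len;
    return pkt[0] == 2 ? V_DENY : pkt[0] == 3 ? V_REJECT : V_ACCEPT;
}

enum result rx_packet(const uint8_t *pkt, size_t len, struct stats *st)
{
    if (len < HDR_LEN) return R_DROP_SHORT;    /* 1. size check before parsing */
    if (inet_csum(pkt, len) != 0)              /* 2. corrupt: nothing counted, */
        return R_DROP_CSUM;                    /*    no reply to a bogus source */
    switch (fw_lookup(pkt, len, st)) {         /* 3. rules see verified packets */
    case V_DENY:   return R_DROP_DENY;
    case V_REJECT: st->rejects_sent++; return R_REJECT_SENT;
    default:       break;
    }
    st->acct_bytes += len;                     /* 4. accounting comes last */
    return R_ACCEPTED;
}

/* Constructed sample: selector 3 ("reject"), payload "hi", valid checksum. */
const uint8_t SAMPLE_REJECT[6] = { 0x03, 0x00, 0x94, 0x96, 0x68, 0x69 };
int main(void)
{
    struct stats st = {0};
    return rx_packet(SAMPLE_REJECT, sizeof SAMPLE_REJECT, &st) == R_REJECT_SENT ? 0 : 1;
}
```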