Mailing List Archive



Re: [tlug] CPU cycles and packet filtering



Quoth Godwin Stewart (Thu 2002-12-26 03:37:01PM +0100):
> 
> If, OTOH, instead of dropping all connections from the subnets in my list,
> I route all incoming packets supposed to go to TCP port 25 into a separate
> chain, and only check IP addies in that chain, have those packets already
> made it to layer 4 or does the filter already "know" that's where the packet
> will end up without the kernel having pushed it up?

I would imagine that the packet has to be de-multiplexed to the transport
layer before any transport layer specific rules can be applied to it. It
would be possible to implement a filter to iterate up the stack (or down,
depending on your view--as a coder, it offends me to think of operations
proceeding *up* a stack! ;) without de-multiplexing the packet (which
almost always involves a buffer copy), but such an implementation would be
pretty inefficient in the general case, in which only a small fraction of
packets received are dropped.

> As a coder, you'll probably appreciate the signature at the bottom of this
> mail :)

[ Much snippage took place here... ]

> There are only 10 kinds of people in the world: Those who understand
> binary, and those who don't.

Heh... a classic! (ThinkGeek has that on a shirt.) Here is another pun
targeted at coders:

Why do programmers confuse Christmas and Halloween?

Because Oct 31 == Dec 25!


-- 
Josh Glover <jmglov@example.com>

Associate Systems Administrator
INCOGEN, Inc.
http://www.incogen.com/

GPG keyID 0x62386967 (7479 1A7A 46E6 041D 67AE  2546 A867 DBB1 6238 6967)
gpg --keyserver pgp.mit.edu --recv-keys 62386967


