
5 ip firewall, 6 ip checksum check, Ip firewall – Maxim Integrated 78Q8430 Software Driver User Manual


UG_8430_004

78Q8430 Software Driver Development Guidelines

Rev. 1.0


in the standard way and the BLOCK will still be available for a transfer operation. Once the first 252 bytes
of the frame have been read, or the entire frame contents have been read, whichever occurs first, the
BLOCK is no longer available for a transfer operation.

If the ICMP echo request is VLAN tagged, the procedure must be modified to account for the additional
VLAN data in the Ethernet frame. To accomplish this, all the SNOOP addresses except those in STEP 7
must be incremented by four.

5.5 IP Firewall

The CAM can be configured to drop frames based on source IP address. This saves the host from
wasting many cycles processing a frame that will ultimately be dropped by the host firewall anyway. For
example, the class A IP subnet 127.0.0.0 is reserved for the localhost domain. It is always an error for an
internet datagram with a source IP address in the localhost domain to be received on an outside
interface.

Use the following procedure to leverage the spare rules in the default CAM rule set to automatically drop
all Ethernet frames that contain illegal internet datagrams with a source IP address in the 127.0.0.0 class
A subnet.

STEP 1: Change the Offset for CAM rule 0x23 to 0x0A.

• Set the CAR ADDR field to 0x23.

• Set the RCR Byte Offset field to 0x0A.


Normally, rule 0x23 skips over the IP header. Changing the Offset prevents this skip, which creates an
opportunity to act on the IP addresses. An offset of 10 causes the next byte matched by the CAM to
be the first byte in the IP source address field.

STEP 2: Configure CAM rule 0x1A to check for the localhost domain.

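| Reg. | Field                | Value to write                     |
|------|----------------------|------------------------------------|
| CAR  | ADDR                 | 0x1A                               |
| RMR  | Data Match           | Value of IP source byte [0] (0x7F) |
| RMR  | Data Mask            | 0xFF                               |
| RMR  | Previous Hit Match   | 0x23                               |
| RMR  | Previous Hit Mask    | 0x7F                               |
| RCR  | Byte Offset          | Retain default: 0x00               |
| RCR  | Interrupt            | Retain default: 0                  |
| RCR  | Control Logic Action | Retain default: NOP                |
| RCR  | Match Control        | DROP                               |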


5.6 IP Checksum Check

RFC 791 specifies that, if the header checksum fails, the internet datagram be discarded at once by the
entity which detects the error. If the receive packet status indicates that the IP header checksum is bad,
the driver should use the host drop procedure to drop the frame. This saves the overhead of reading the
frame and calculating the checksum on the host side.

The default CAM rule set checks for IP header checksums in Ethernet payloads, even when the Len/Typ
field is not IP. If desired, the CAM can be reconfigured to test IP header checksums only on Ethernet
frames with a Len/Typ value that indicates an IP payload.
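
The following host-side reference in C is an added example, not code from the manual or the 78Q8430 driver. It models the two drop decisions of sections 5.5 and 5.6 so that test frames can be classified on the host and compared with what the CAM drops. The function names, the match/mask comparison, the single 802.1Q tag handling and the frames are assumptions made for illustration, and the checksum is tested only when Len/Typ indicates IPv4, which is the reconfigured behaviour rather than the default rule set.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DATA_MATCH 0x7F   /* STEP 2 table: value of IP source byte [0] */
#define DATA_MASK  0xFF   /* STEP 2 table: compare all eight bits */
enum verdict { NO_DROP, DROP_LOCALHOST_SRC, DROP_BAD_CHECKSUM };  /* NO_DROP: neither rule fires */

/* One's-complement sum of the header's 16-bit words; an intact RFC 791 header gives 0xFFFF. */
static uint16_t hdr_sum(const uint8_t *h, size_t n)
{
    uint32_t s = 0;
    for (size_t i = 0; i + 1 < n; i += 2)
        s += ((uint32_t)h[i] << 8) | h[i + 1];
    while (s >> 16) s = (s & 0xFFFF) + (s >> 16);
    return (uint16_t)s;
}

/* Hypothetical host-side reference for the two drop decisions; not a 78Q8430 driver call. */
enum verdict classify(const uint8_t *f, size_t len)
{
    int vlan = len >= 18 && f[12] == 0x81 && f[13] == 0x00;  /* 802.1Q tag present */
    size_t l3 = vlan ? 18 : 14;                  /* the tag moves every offset by four */
    if (len < l3 + 20 || f[l3 - 2] != 0x08 || f[l3 - 1] != 0x00) return NO_DROP;  /* not IPv4 */
    size_t ihl = (size_t)(f[l3] & 0x0F) * 4;     /* IP header length in bytes */
    if ((f[l3] >> 4) != 4 || ihl < 20 || len < l3 + ihl) return NO_DROP;
    if (hdr_sum(f + l3, ihl) != 0xFFFF) return DROP_BAD_CHECKSUM;
    /* IP header byte 12 is source address byte [0] */
    if ((f[l3 + 12] & DATA_MASK) == (DATA_MATCH & DATA_MASK)) return DROP_LOCALHOST_SRC;
    return NO_DROP;
}

/* Builds a constructed IPv4 test frame in f (at least 38 bytes); returns its length. */
size_t make_frame(uint8_t *f, int vlan, uint8_t src0)
{
    size_t l3 = vlan ? 18 : 14;
    memset(f, 0, l3 + 20);
    if (vlan) { f[12] = 0x81; f[15] = 0x05; }    /* 802.1Q TPID, constructed VLAN id 5 */
    f[l3 - 2] = 0x08;                            /* Len/Typ 0x0800 = IPv4 */
    f[l3] = 0x45; f[l3 + 3] = 20; f[l3 + 8] = 64; f[l3 + 9] = 1;  /* ver/IHL, length, TTL, ICMP */
    f[l3 + 12] = src0; f[l3 + 15] = 1; f[l3 + 16] = 192; f[l3 + 18] = 2; f[l3 + 19] = 7;
    uint16_t c = (uint16_t)~hdr_sum(f + l3, 20); /* checksum over header with field zeroed */
    f[l3 + 10] = (uint8_t)(c >> 8); f[l3 + 11] = (uint8_t)c;
    return l3 + 20;
}

int main(void)
{
    uint8_t f[64];
    return classify(f, make_frame(f, 1, 127)) == DROP_LOCALHOST_SRC ? 0 : 1;
}
```

Frames that the model marks DROP_LOCALHOST_SRC or DROP_BAD_CHECKSUM but that still reach the host point to a CAM rule that was not written as intended.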