From ac4a0b3be77f2b4280fd95849a0259e1351eeb43 Mon Sep 17 00:00:00 2001
From: Denys Vlasenko
Date: Wed, 5 May 2021 15:31:18 +0200
Subject: [PATCH] httpd: add comment about faster rejection of denied IPs

Signed-off-by: Denys Vlasenko
---
 networking/httpd.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/networking/httpd.c b/networking/httpd.c
index fb6ffe542..56ab85b82 100644
--- a/networking/httpd.c
+++ b/networking/httpd.c
@@ -2632,6 +2632,13 @@ static void mini_httpd(int server_socket)
 n = accept(server_socket, &fromAddr.u.sa, &fromAddr.len);
 if (n < 0) continue;
+//TODO: we can reject connects from denied IPs right away;
+//also, we might want to do one MSG_DONTWAIT'ed recv() here
+//to detect immediate EOF,
+//to avoid forking a whole new process for attackers
+//who open and close lots of connections.
+//(OTOH, the real mitigtion for this sort of thing is
+//to ratelimit connects in iptables)
 /* set the KEEPALIVE option to cull dead connections */
 setsockopt_keepalive(n);
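Review bot: The added TODO comment has a typo on its sixth line, `mitigtion`, which should read `mitigation`. The comment also slightly oversells what a single MSG_DONTWAIT'ed recv() would buy: it only distinguishes a peer that has already closed (immediate EOF) from one that has not sent anything yet, so a client that connects and stays silent would still reach the fork and still depends on whatever read timeout the per-connection code applies; the keepalive option set on the next line only culls peers that have gone away. Presumably the denied-IP check today runs after the fork in the child (I cannot see that code in this hunk); if the "reject right away" part is ever implemented, the pre-fork check should reuse the same deny-list evaluation rather than a second copy, so the two paths cannot drift apart. A one-line addition such as `//(an idle-but-open client still needs the normal read timeout)` would make the limitation explicit for whoever picks up the TODO. The body of mini_httpd continues outside this hunk.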