author | Denys Vlasenko | 2021-05-05 15:31:18 +0200 |
---|---|---|
committer | Denys Vlasenko | 2021-05-05 15:31:18 +0200 |
commit | ac4a0b3be77f2b4280fd95849a0259e1351eeb43 (patch) | |
tree | b48712ef5b178a7bf696aaa1362c0192183e7214 | |
parent | ad16f89547a5e335f3c45506eb5b43bcc1bf505e (diff) | |
download | busybox-ac4a0b3be77f2b4280fd95849a0259e1351eeb43.zip busybox-ac4a0b3be77f2b4280fd95849a0259e1351eeb43.tar.gz |
httpd: add comment about faster rejection of denied IPs
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
-rw-r--r-- | networking/httpd.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/networking/httpd.c b/networking/httpd.c index fb6ffe5..56ab85b 100644 --- a/networking/httpd.c +++ b/networking/httpd.c @@ -2632,6 +2632,13 @@ static void mini_httpd(int server_socket) n = accept(server_socket, &fromAddr.u.sa, &fromAddr.len); if (n < 0) continue; +//TODO: we can reject connects from denied IPs right away; +//also, we might want to do one MSG_DONTWAIT'ed recv() here +//to detect immediate EOF, +//to avoid forking a whole new process for attackers +//who open and close lots of connections. +//(OTOH, the real mitigtion for this sort of thing is +//to ratelimit connects in iptables) /* set the KEEPALIVE option to cull dead connections */ setsockopt_keepalive(n); |
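Review bot: the added comment block after `if (n < 0) continue;` misspells "mitigation" as "mitigtion" in the line `//(OTOH, the real mitigtion for this sort of thing is`; fix the spelling since this text is what a future implementer will read. On the substance of the TODO: a bare `MSG_DONTWAIT`'ed `recv()` here would consume any request bytes already queued on the accepted socket, so the forked child would lose the start of the request; if this is ever implemented it needs `MSG_PEEK | MSG_DONTWAIT`, and an `EAGAIN` result (client connected but has not sent yet, the common case) must be treated as "proceed", with only a zero-length return meaning immediate EOF. Worth stating those two constraints in the comment so the TODO is not implemented naively. No functional change in this hunk otherwise: `setsockopt_keepalive(n)` still follows the accept unchanged.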