httpd: add comment about faster rejection of denied IPs

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
author: Denys Vlasenko 2021-05-05 15:31:18 +0200
committer: Denys Vlasenko 2021-05-05 15:31:18 +0200
commit: ac4a0b3be77f2b4280fd95849a0259e1351eeb43 (patch)
tree: b48712ef5b178a7bf696aaa1362c0192183e7214 /networking/httpd.c
parent: ad16f89547a5e335f3c45506eb5b43bcc1bf505e (diff)
download: busybox-ac4a0b3be77f2b4280fd95849a0259e1351eeb43.zip
busybox-ac4a0b3be77f2b4280fd95849a0259e1351eeb43.tar.gz
1 files changed, 7 insertions, 0 deletions
diff --git a/networking/httpd.c b/networking/httpd.c
index fb6ffe5..56ab85b 100644
--- a/networking/httpd.c
+++ b/networking/httpd.c
@@ -2632,6 +2632,13 @@ static void mini_httpd(int server_socket)
 		n = accept(server_socket, &fromAddr.u.sa, &fromAddr.len);
 		if (n < 0)
 			continue;
+//TODO: we can reject connects from denied IPs right away;
+//also, we might want to do one MSG_DONTWAIT'ed recv() here
+//to detect immediate EOF,
+//to avoid forking a whole new process for attackers
+//who open and close lots of connections.
+//(OTOH, the real mitigtion for this sort of thing is
+//to ratelimit connects in iptables)
 
 		/* set the KEEPALIVE option to cull dead connections */
 		setsockopt_keepalive(n);
author	Denys Vlasenko	2021-05-05 15:31:18 +0200
committer	Denys Vlasenko	2021-05-05 15:31:18 +0200
commit	ac4a0b3be77f2b4280fd95849a0259e1351eeb43 (patch)
tree	b48712ef5b178a7bf696aaa1362c0192183e7214 /networking/httpd.c
parent	ad16f89547a5e335f3c45506eb5b43bcc1bf505e (diff)
download	busybox-ac4a0b3be77f2b4280fd95849a0259e1351eeb43.zip busybox-ac4a0b3be77f2b4280fd95849a0259e1351eeb43.tar.gz