[git commit] httpd: add comment about faster rejection of denied IPs

Denys Vlasenko vda.linux at googlemail.com
Wed May 5 13:31:18 UTC 2021


commit: https://git.busybox.net/busybox/commit/?id=ac4a0b3be77f2b4280fd95849a0259e1351eeb43
branch: https://git.busybox.net/busybox/commit/?id=refs/heads/master

Signed-off-by: Denys Vlasenko <vda.linux at googlemail.com>
---
 networking/httpd.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/networking/httpd.c b/networking/httpd.c
index fb6ffe542..56ab85b82 100644
--- a/networking/httpd.c
+++ b/networking/httpd.c
@@ -2632,6 +2632,13 @@ static void mini_httpd(int server_socket)
 		n = accept(server_socket, &fromAddr.u.sa, &fromAddr.len);
 		if (n < 0)
 			continue;
+//TODO: we can reject connects from denied IPs right away;
+//also, we might want to do one MSG_DONTWAIT'ed recv() here
+//to detect immediate EOF,
+//to avoid forking a whole new process for attackers
+//who open and close lots of connections.
+//(OTOH, the real mitigtion for this sort of thing is
+//to ratelimit connects in iptables)
 
 		/* set the KEEPALIVE option to cull dead connections */
 		setsockopt_keepalive(n);
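Review bot: The seven `//TODO:` lines at the top of this hunk add a design note only, with no behaviour change; to make it actionable it should say where the denied-IP check and the first `recv()` currently happen (the comment implies both occur only after the fork) so a later implementer knows what to move. Two small points: `mitigtion` on `//(OTOH, the real mitigtion for this sort of thing is` is a typo for `mitigation`, and the comment block sits at column 0 inside the indented loop body; indenting it to match `n = accept(server_socket, &fromAddr.u.sa, &fromAddr.len);` would keep the file's style consistent.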

