httpd: add comment about faster rejection of denied IPs
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
parent
ad16f89547
commit
ac4a0b3be7
@ -2632,6 +2632,13 @@ static void mini_httpd(int server_socket)
|
||||
n = accept(server_socket, &fromAddr.u.sa, &fromAddr.len);
|
||||
if (n < 0)
|
||||
continue;
|
||||
//TODO: we can reject connects from denied IPs right away;
|
||||
//also, we might want to do one MSG_DONTWAIT'ed recv() here
|
||||
//to detect immediate EOF,
|
||||
//to avoid forking a whole new process for attackers
|
||||
//who open and close lots of connections.
|
||||
//(OTOH, the real mitigtion for this sort of thing is
|
||||
//to ratelimit connects in iptables)
|
||||
|
||||
/* set the KEEPALIVE option to cull dead connections */
|
||||
setsockopt_keepalive(n);
|
||||
|
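Review bot: The TODO after `accept()` proposes "one MSG_DONTWAIT'ed recv()" to detect immediate EOF, but a plain non-blocking recv() in the parent would consume request bytes that have already arrived, and the forked child would then see a truncated request. The comment should name a peek instead, e.g. `//also, we might want to do one MSG_PEEK|MSG_DONTWAIT recv() here`. It would also help to say that a return of 0 means the peer already closed, while EAGAIN only means no data yet and must not be treated as a reason to drop the connection. The same comment block has a typo, "mitigtion", which should read `//(OTOH, the real mitigation for this sort of thing is`. The body of mini_httpd continues outside this hunk, so where the IP deny check currently runs (presumably after the fork) cannot be confirmed from here.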