On Wed, Aug 08, 2001 at 01:15:31PM +0800, David Xu wrote:
> my opinion is don't use accept filter, it can become DOS attack target.
> sending a big http header and don't complete it, it does not let apache know a
> connection is already made and there is no timeout counter like which in Apache server.
> using an accept filter can not get so much benefit.

you don't run high performance, high load web servers. if you did, you
might actually understand the problem (spending too many cycles checking
for connections v. actually dealing with the connections).

there most certainly is a timeout counter, it's the same one the rest of
the connections in the listen queue use. if you feel that there are
deficiencies in the listen queue drop methods (see sodropablereq()) then
feel free to submit a patch or two.

if you feel that the http accept filter is too heavy handed an approach,
you may also use the data-ready accept filter (assuming you actually have
a webserver and this isn't actually another troll).

--
Bill Fumerola / [EMAIL PROTECTED]