Hi,

On Tue, Dec 13, 2022 at 08:49:18PM +0300, Maxim Dounin wrote:
> Hello!
>
> On Fri, Dec 09, 2022 at 09:38:47AM +0000, Roman Arutyunyan wrote:
>
> > # HG changeset patch
> > # User Roman Arutyunyan <a...@nginx.com>
> > # Date 1670322119 0
> > #      Tue Dec 06 10:21:59 2022 +0000
> > # Branch quic
> > # Node ID 1038d7300c29eea02b47eac3f205e293b1e55f5b
> > # Parent  b87a0dbc1150f415def5bc1e1f00d02b33519026
> > QUIC: ignore server address while looking up a connection.
> >
> > The server connection check was copied from the common UDP code in
> > c2f5d79cde64.
> > In QUIC it does not make much sense though.  Technically client is not
> > allowed to migrate to a different server address.  However, migrating
> > within a single wildcard listening does not seem to affect anything.

[..]

> As a trivial example, one can block packets to a particular server
> address on a firewall (in an attempt to stop an attack), with
> something like "block from any to 192.0.2.1", assuming it will
> stop traffic to the server in question.  Still, with the proposed
> change, it will be possible to access resources with a previously
> established QUIC connection as long as the attacker knows other IP
> addresses used on the same physical server.

This indeed makes sense.  I will remove this patch from the series.

--
Roman Arutyunyan