On Wed, Oct 15, 2014 at 02:19:45PM +0200, Gerd Hoffmann wrote: > Also track the number of connections in "connecting" and "shared" state > (additionally to "exclusive" state). Apply a configurable limit to > these connections. > > The logic to apply the limit to connections in "shared" state is pretty > simple: When the limit is reached no new connections are allowed. > > The logic to apply the limit to connections in "connecting" state (this > is the state you are in *before* successfull authentication) is > slightly different: A new connect kicks out the oldest client which is > still in "connecting" state. This avoids a easy DoS by unauthenticated > users by simply opening connections until the limit is reached.
I'd suggest that rather than kicking off the oldest client QEMU should simply stop calling accept() when it reaches the limit of active unauthenticated client connections. By allowing the connection to succeeed & then kicking off another client QEMU's still burning CPU to do memory allocation & free'ing for each client. Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
