[PATCH] Mail: add the "reuseport" option of the "listen" directive
Robert Mueller
robm at fastmail.fm
Thu Aug 19 01:23:05 UTC 2021
> Since reuseport uses hash of the source address to balance
> incoming connections between sockets, the client can choose a
> source port to use so the hash will direct the connection to a
> particular socket, that is, to a particular worker process.
But if a client is choosing the same source-ip:source-port, it's not a real client or OS TCP stack; it's some system using raw packets designed for attacking another system, and in that case there are many other attack options available. I'm not convinced this is a large real-world concern for most users of nginx.
IMHO I would still really like to see this patch applied because:
1. The patch is relatively small and matches the http and stream modules
2. It makes the mail module consistent with the http and stream modules which both support reuseport on their listen arguments
3. The current situation is clearly really bad, and other users have reported that they're seeing the same issue. Your suggestion is to recompile nginx with a particular option disabled, but this isn't required for stream or http handlers; just adding reuseport is an acceptable option to fix those handlers, and I think it should be something mail handlers can do as well.
Regards
--
Rob Mueller
robm at fastmail.fm
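The consistency point in the reply, shown as an added configuration example (not part of the patch or the thread): one nginx.conf that puts `reuseport` on an http, a stream and a mail listener alike. It assumes a build carrying the patch under discussion accepts the flag in `mail` with the same syntax as `http` and `stream`; addresses, ports, paths and the auth backend are constructed placeholders.

```nginx
# Added illustration, not from the patch or the thread. Each "reuseport"
# listener gets one SO_REUSEPORT socket per worker process and the kernel
# spreads accepted connections across them by hashing the source address,
# instead of all workers contending on a single shared listening socket.
worker_processes auto;

events {
    worker_connections 1024;
}

http {
    server {
        listen 0.0.0.0:8080 reuseport;   # already supported in http
        return 200 "ok\n";
    }
}

stream {
    server {
        listen 0.0.0.0:5432 reuseport;   # already supported in stream
        proxy_pass 127.0.0.1:15432;      # placeholder upstream
    }
}

mail {
    server_name mail.example.test;       # placeholder hostname
    auth_http   127.0.0.1:9000/auth;     # placeholder auth backend

    server {
        listen   0.0.0.0:143 reuseport;  # assumption: requires the patched mail module
        protocol imap;
    }

    server {
        listen   0.0.0.0:993 ssl reuseport;  # same flag on the TLS listener
        protocol imap;
        ssl_certificate     /etc/nginx/mail.crt;  # placeholder paths
        ssl_certificate_key /etc/nginx/mail.key;
    }
}
```

On Linux, `ss -tlnp` listing several listening sockets on the same mail port, one per worker, is the quick check that the flag took effect; an unpatched nginx rejects the configuration at `nginx -t` with an invalid-parameter error on the mail `listen` line.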