How can I refuse a socket connection in C?

c sockets

14,669

Solution 1

To my knowledge, that isn't how TCP works. The accept(..) call will always return with the client details. There is no way to peek at the connection and selectively refuse.

The way you are doing it now is actually the correct way: accept and then close. In case you have another message structure over and above this layer, you can create a custom "Reject message". This option completely depends on your use case.

In case you are looking for rejecting on the basis of IP address, its not within your apps domain. Its the job of your firewall (As @Bart Friederichs says). That way, the request will not even touch the TCP stack.

Actually I want strictly one connection only on this particular port. Any other connection should ideally fail in a very obvious way.

Do not let the accept call in your control flow. Only when you wait on accept will your program wait for a socket connection, never otherwise.

Solution 2

To get the behavior you want (only accept one connection at a time, other clients attempting should get a failure), there are two choices.

You can close your listen socket after you have accepted a connection. Re-create your listen socket after the accepted connection closes.
You can close newly established connections if there is already a connection in progress. If you want the client to see a TCP reset, most TCP stacks will trigger one if you enable the linger option with a timeout of 0.

struct linger lo = { 1, 0 };
setsockopt(s, SOL_SOCKET, SO_LINGER, &lo, sizeof(lo));
close(s);

Solution 3

In standard socket APIs on most platforms, there is no way to reject a connection. You must accept() the connection and then close it immediately if you don't want it.

The exception to this rule is the Winsock-specific WSAAccept() function. It provides a callback that allows an application to decide, on a per-connection basis, whether a connection should be accepted, rejected, or kept in the backlog queue.

Solution 4

It might be helpful

to close the listening server socket after having successfully accept()ing the client connection and
to re-establish it after the client connection has gone due to whatever reason.

Solution 5

A little late to the party, but you can use WSAAccept() instead of accept(). WSAAccept() has an optional callback function that allows you to take a peek at who's knocking at the door and decide if you want to answer. Your callback function can return the constants CF_ACCEPT, CF_REJECT and CF_DEFER. The first two are obvious. The 3rd one allows you to defer answering in case you need to decide later. Once you've decided for sure you call WSAAccept() again and either accept or reject.

Unfortunately, you have to either accept or reject in order to remove the entry from the front of the listen queue. The reason I say it's unfortunate is there is an obvious difference to the connecting machine between getting rejected and never getting a response (timeout).

If a hacker is using a port scanner they'll know you're listening on the port if you reject. At that point they can start hacking their way in. It would be nice to be able to remove the entry from the front of the queue without ever doing anything with it such that whoever's on the other end doesn't know you're listening on that port.

View more solutions

14,669

Author by

c00kiemonster

Updated on June 22, 2022

Comments

c00kiemonster almost 2 years
If I want to accept a connection I call accept, but how can I refuse a connection?

In a working socket echo client I have this if statement. In the echo server, how can I make the echo client reach this printf statement?
```
...
if (connect(sock, (struct sockaddr *) &server, sizeof(server)) < 0) { 
    printf("Connecting failed\n"); 
    return 1; 
}
...
```
Exectron almost 8 years

Is the first option really used in practice? It might be better to keep the listening socket open, to ensure the resource is "owned" by the program for its use as long as it is running.
jxh almost 8 years

@CraigMcQueen: I am assuming server ports have been provisioned if this option is used.
Joakim L. Christiansen about 4 years

It's is so strange that there are no functions for this. I'm creating a web server and was thinking that I should make every banned IP timeout (not open the TCP connection and have my OS free up any info allocated for that incoming connection). But that seems not possible without writing my own OS or network driver? I am thinking that if I never open the connection then the routers will not accept more packets from it as well. Hence I can save some bandwidth in case of DoS.
Joakim L. Christiansen about 4 years

A follow up to what I wrote above. Since I'm using Linux I found that the service firewalld can do what I want. I can tell it to "ban" certain IP addresses and to them it will look like I'm not running a server then. And I can interface with this service from my own server :)