emqx4.3/changes/ce/feat-14219.en.md

Enhanced Connection Rate Limiter for Improved System Resilience

• Improved system stability and responsiveness under high connection rates.
  Previously, listener acceptors would ignore new connection attempts when the rate limit was exceeded, potentially resulting in an unrecoverable state if a large number of clients connected or reconnected frequently within a short period. Listeners now accept pending connections but immediately close them if the rate limit is reached, reducing resource strain and increasing system resilience during peak loads.

• A new listener option, nolinger, has been introduced.
  When set to true, a TCP-RST is sent immediately upon socket closure, helping to mitigate SYN flood attacks and further enhancing connection-handling efficiency.

• MQTT listeners' max_connection config value is now capped by system limits.
  It cannot exceed system limits: ulimit from the OS and node.process_limit.

  • If configured to infinity or a value greather than system limit, it is automatically adjusted to the system limit.
    

• SSL listeners' ssl_options config value is now validated before changes.
  Previously, invalid SSL options, such as unsupported TLS versions, could be accepted when configuring/reconfiguring a listener, causing clients to fail to connect after the change. Now, such invalid options are detected early:

  • If a listener is configured with invalid SSL options, the node will fail to boot.
    
  • If invalid SSL options are requested via the dashboard or config API, the request will fail with status code 400.