author | Florian Westphal <fw@strlen.de> | 2019-05-03 12:35:38 +0200 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2019-05-08 16:33:27 +0200 |
commit | 10f1d8d3ba0394a8b5669013596190ea2ff38030 (patch) | |
tree | 3e8fb743b34f6ccd9e7b32577347c997b4d4d2c8 /extensions/libxt_SYNPROXY.man | |
parent | 2ae1099a42e6a0f06de305ca13a842ac83d4683e (diff) |
extensions: SYNPROXY: should not be needed anymore on current kernels
SYN packets do not require taking the listener socket lock anymore
as of 4.4 kernel, i.e. this target should not be needed anymore.
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'extensions/libxt_SYNPROXY.man')
-rw-r--r-- | extensions/libxt_SYNPROXY.man | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/extensions/libxt_SYNPROXY.man b/extensions/libxt_SYNPROXY.man index 25325fc2..30a71ed2 100644 --- a/extensions/libxt_SYNPROXY.man +++ b/extensions/libxt_SYNPROXY.man @@ -1,6 +1,8 @@ This target will process TCP three-way-handshake parallel in netfilter context to protect either local or backend system. This target requires connection tracking because sequence numbers need to be translated. +The kernels ability to absorb SYNFLOOD was greatly improved starting with +Linux 4.4, so this target should not be needed anymore to protect Linux servers. .TP \fB\-\-mss\fP \fImaximum segment size\fP Maximum segment size announced to clients. This must match the backend. |
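Review bot: In the two added lines of the `@@ -1,6 +1,8 @@` hunk, "The kernels ability" is missing the possessive apostrophe ("The kernel's ability"), and "SYNFLOOD" would read better as "SYN floods" in man-page prose. The new sentence also says the target "should not be needed anymore to protect Linux servers", while the unchanged paragraph just above it describes protecting "either local or backend system". Consider stating that the advice applies to hosts that themselves run Linux 4.4 or later, so that a reader whose backend runs an older kernel or a different OS does not take it as a blanket statement.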