From 10f1d8d3ba0394a8b5669013596190ea2ff38030 Mon Sep 17 00:00:00 2001 From: Florian Westphal Date: Fri, 3 May 2019 12:35:38 +0200 Subject: extensions: SYNPROXY: should not be needed anymore on current kernels SYN packets do not require taking the listener socket lock anymore as of 4.4 kernel, i.e. this target should not be needed anymore. Signed-off-by: Florian Westphal --- extensions/libxt_SYNPROXY.man | 2 ++ 1 file changed, 2 insertions(+) (limited to 'extensions/libxt_SYNPROXY.man') diff --git a/extensions/libxt_SYNPROXY.man b/extensions/libxt_SYNPROXY.man index 25325fc2..30a71ed2 100644 --- a/extensions/libxt_SYNPROXY.man +++ b/extensions/libxt_SYNPROXY.man @@ -1,6 +1,8 @@ This target will process TCP three-way-handshake parallel in netfilter context to protect either local or backend system. This target requires connection tracking because sequence numbers need to be translated. +The kernels ability to absorb SYNFLOOD was greatly improved starting with +Linux 4.4, so this target should not be needed anymore to protect Linux servers. .TP \fB\-\-mss\fP \fImaximum segment size\fP Maximum segment size announced to clients. This must match the backend. -- cgit v1.2.3
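Review bot: the two added lines in the man page need a grammar fix and a scope qualifier before merging. "The kernels ability" should be "The kernel's ability", and "SYNFLOOD" should be written as "SYN floods" to match the rest of the iptables documentation. More importantly, the first sentence of this man page says the target protects "either local or backend system", so a flat "should not be needed anymore to protect Linux servers" overstates the case: the improvement described in the commit message (no listener socket lock for SYN packets since 4.4) only applies to the host running that kernel, and a 4.4+ firewall can still sit in front of backends running older kernels or other operating systems. Suggest rewording along the lines of "so this target is normally not needed to protect the local system on Linux 4.4 or later; it may still be useful in front of backends that lack equivalent SYN flood handling." It would also help readers to state the reason given in the commit message (SYN handling no longer takes the listener socket lock) rather than only the kernel version, so administrators can judge whether their setup is affected.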