From: Florian Westphal Date: Fri, 3 May 2019 10:35:38 +0000 (+0200) Subject: extensions: SYNPROXY: should not be needed anymore on current kernels X-Git-Tag: v1.8.3~18 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=10f1d8d3ba0394a8b5669013596190ea2ff38030;p=thirdparty%2Fiptables.git extensions: SYNPROXY: should not be needed anymore on current kernels SYN packets do not require taking the listener socket lock anymore as of 4.4 kernel, i.e. this target should not be needed anymore. Signed-off-by: Florian Westphal --- diff --git a/extensions/libxt_SYNPROXY.man b/extensions/libxt_SYNPROXY.man index 25325fc2..30a71ed2 100644 --- a/extensions/libxt_SYNPROXY.man +++ b/extensions/libxt_SYNPROXY.man @@ -1,6 +1,8 @@ This target will process TCP three-way-handshake parallel in netfilter context to protect either local or backend system. This target requires connection tracking because sequence numbers need to be translated. +The kernels ability to absorb SYNFLOOD was greatly improved starting with +Linux 4.4, so this target should not be needed anymore to protect Linux servers. .TP \fB\-\-mss\fP \fImaximum segment size\fP Maximum segment size announced to clients. This must match the backend.
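Review bot: The new sentence in this hunk narrows the recommendation more than the rest of the man page supports: the first line still says the target protects "either local or backend system", while the commit message's rationale (SYN packets no longer take the listener socket lock as of 4.4) only covers a listener on the local Linux host, so the added text should say the target is no longer needed to protect a local listener on Linux 4.4 or later, and that it can still be useful in front of backends running older kernels or other operating systems. Also fix the grammar of the added lines: "The kernels ability to absorb SYNFLOOD" should read "The kernel's ability to absorb SYN floods", and it would help readers to carry the listener-socket-lock rationale from the commit message into the man page so the reason for the changed advice is visible.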