SYN packets do not require taking the listener socket lock anymore as of 4.4 kernel, i.e. this target should not be needed anymore. Signed-off-by: Florian Westphal <fw@xxxxxxxxx> --- extensions/libxt_SYNPROXY.man | 2 ++ 1 file changed, 2 insertions(+) diff --git a/extensions/libxt_SYNPROXY.man b/extensions/libxt_SYNPROXY.man index 25325fc284ae..30a71ed2d6a5 100644 --- a/extensions/libxt_SYNPROXY.man +++ b/extensions/libxt_SYNPROXY.man @@ -1,6 +1,8 @@ This target will process TCP three-way-handshake parallel in netfilter context to protect either local or backend system. This target requires connection tracking because sequence numbers need to be translated. +The kernels ability to absorb SYNFLOOD was greatly improved starting with +Linux 4.4, so this target should not be needed anymore to protect Linux servers. .TP \fB\-\-mss\fP \fImaximum segment size\fP Maximum segment size announced to clients. This must match the backend. -- 2.21.0
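Review bot: In the two added lines of the man page, "The kernels ability" is missing the possessive apostrophe ("The kernel's ability"), and "SYNFLOOD" reads like an identifier; "SYN floods" would match ordinary man-page prose. The added text also says only that the ability "was greatly improved", while the commit message gives the concrete reason (SYN packets no longer take the listener socket lock as of 4.4). Carrying that reason into the man page would let readers judge whether it applies to their setup. Since the preceding context line says the target protects "either local or backend system", consider stating explicitly that the remark applies only to protected hosts running Linux 4.4 or later, so that readers with older kernels or other backends do not take it as a general deprecation.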