Mikhail Morfikov <mmorfikov@xxxxxxxxx> wrote:
> I was using SYNPROXY in the past, but the rules have been
> commented out for some time now. I just wanted to port all of
> my rules to nftables, and since SYNPROXY was there, I wanted
> to port it too.
>
> BTW: why SYNPROXY is useless nowadays?

TCP stack was changed to allow lockless handling of listening socket
lookups, so there is no point in using conntrack + synproxy to avoid
that lookup cost.