From 6e97c635d2bfe9ef73f72aa165443cfcefc6c82c Mon Sep 17 00:00:00 2001

From: Eric Garver <eric@garver.life>

Date: Mon, 17 May 2021 15:43:13 -0400

Subject: [PATCH 29/30] docs(conf): note that IPv6_rpfilter has a performance

 penalty

Fixes: rhbz 1871860

(cherry picked from commit aad59154e16f669bf85e9894e7e0e19061d370d4)

(cherry picked from commit 5391c26d3e730f283d1f00f7ac1869aeb2251837)

---

 doc/xml/firewalld.conf.xml | 9 +++++++++

 1 file changed, 9 insertions(+)

diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml

index c21ef87813bc..0bf4c2d4d011 100644

--- a/doc/xml/firewalld.conf.xml

+++ b/doc/xml/firewalld.conf.xml

@@ -114,6 +114,15 @@

 	    If a reply to the packet would be sent via the same interface that the packet arrived on, the packet will match and be accepted, otherwise dropped.

             For IPv4 the rp_filter is controlled using sysctl.

 	  </para>

+      <para>

+        <emphasis role="bold">Note</emphasis>: This feature has a performance

+        impact. In most cases the impact is not enough to cause a noticeable

+        difference. It requires route lookups and its execution occurs before

+        the established connections fast path. As such it can have a

+        significant performance impact if there is a lot of traffic. It's

+        enabled by default for security, but can be disabled if performance is

+        a concern.

+      </para>

 	</listitem>

       </varlistentry>

-- 

2.27.0