From 6e97c635d2bfe9ef73f72aa165443cfcefc6c82c Mon Sep 17 00:00:00 2001 From: Eric Garver Date: Mon, 17 May 2021 15:43:13 -0400 Subject: [PATCH 29/30] docs(conf): note that IPv6_rpfilter has a performance penalty Fixes: rhbz 1871860 (cherry picked from commit aad59154e16f669bf85e9894e7e0e19061d370d4) (cherry picked from commit 5391c26d3e730f283d1f00f7ac1869aeb2251837) --- doc/xml/firewalld.conf.xml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/doc/xml/firewalld.conf.xml b/doc/xml/firewalld.conf.xml index c21ef87813bc..0bf4c2d4d011 100644 --- a/doc/xml/firewalld.conf.xml +++ b/doc/xml/firewalld.conf.xml @@ -114,6 +114,15 @@ If a reply to the packet would be sent via the same interface that the packet arrived on, the packet will match and be accepted, otherwise dropped. For IPv4 the rp_filter is controlled using sysctl. + + Note: This feature has a performance + impact. In most cases the impact is not enough to cause a noticeable + difference. It requires route lookups and its execution occurs before + the established connections fast path. As such it can have a + significant performance impact if there is a lot of traffic. It's + enabled by default for security, but can be disabled if performance is + a concern. + -- 2.27.0
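Review bot: the added paragraph tells the reader the check "can be disabled if performance is a concern" but does not say what they would lose by doing so; in this same section the check is what drops IPv6 packets whose reply would leave via a different interface, so disabling it removes that reverse-path protection for IPv6 (IPv4 keeps its separate sysctl rp_filter regardless). Suggest closing the note with one sentence on that trade-off so the performance advice is not read as cost-free, and naming the setting explicitly, e.g. "set IPv6_rpfilter=no", since the paragraph otherwise never says which key it is talking about. Minor wording: "before the established connections fast path" reads more clearly hyphenated as "before the established-connections fast path".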