From 92324f8cbd8f92b67b80eb2d30dabd9e39dbd773 Mon Sep 17 00:00:00 2001
From: Vincent Li
Date: Thu, 14 Nov 2024 18:30:29 +0000
Subject: [PATCH] ddos: set net.ipv4.tcp_syncookies to 1 set tcp_syncookies to 1 alone with iptables SYNPROXY module reduce latency, this improves situation when XDP acceleration is not enabled and just let iptables SYNPROXY handles SYN flood attack, see [0] [0]: https://bugzilla.kernel.org/show_bug.cgi?id=219500 Signed-off-by: Vincent Li
---
 src/initscripts/system/ddos | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/initscripts/system/ddos b/src/initscripts/system/ddos
index 419b0bb37..c48769adf 100755
--- a/src/initscripts/system/ddos
+++ b/src/initscripts/system/ddos
@@ -53,7 +53,7 @@ get_ports () {
 }
 load_syncookie () {
- sysctl -w net.ipv4.tcp_syncookies=2
+ sysctl -w net.ipv4.tcp_syncookies=1
 sysctl -w net.ipv4.tcp_timestamps=1
 sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
 /usr/sbin/xdp-loader status red0 | grep 'syncookie_xdp'
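Review bot: The reason for choosing 1 over 2 on the `+` line lives only in the commit message, so a reader of `load_syncookie` sees a bare `sysctl -w net.ipv4.tcp_syncookies=1` beside knobs tuned for SYNPROXY and cannot tell whether the earlier unconditional mode was dropped deliberately; I would put `# 1: send SYN cookies only when the SYN backlog overflows; 2 (always) adds latency together with the SYNPROXY target, see kernel bug 219500` directly above it. With mode 1 the kernel no longer answers every SYN with a cookie itself, so flood handling now rests on the SYNPROXY rule (and the XDP program when it is loaded) actually being installed, which is presumably done later in this script, outside the hunk. None of the `sysctl -w` calls in the function check their exit status, so an absent knob — for instance the `net.netfilter` entry before conntrack is available — is silently skipped; `sysctl -w ... || return 1` on each line would surface that. The body of `load_syncookie` continues past the end of the hunk.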