Add xdp-synproxy doc in Firewall/Router scenario

Signed-off-by: Vincent Li <vincent.mc.li@gmail.com>

Author: vincentmli

xdp-synproxy/README.org

@@ -59,3 +59,29 @@ could be built statically and shipped with xdp-synproxy container.
   =>               50    syncookie_xdp              908  6c6615566a2e0419  XDP_PASS
 #+END_SRC
 
+XDP SYNPROXY can also be deployed in Linux router/Firewall, it requires iptables SYNPROXY to be added in filter table FORWARD chain. see https://youtu.be/Cj7SeviTXrw?si=adZ0FrGq84Ygmmy0 for example.
+
+#+BEGIN_SRC sh
+   sudo sysctl -w net.ipv4.ip_forward=1
+   sudo sysctl -w net.ipv4.tcp_syncookies=2
+   sudo sysctl -w net.ipv4.tcp_timestamps=1
+   sudo sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
+   sudo iptables -t raw -I PREROUTING -i ens7 -p tcp -m tcp --syn --dport 80 -j CT --notrack
+   sudo iptables -t filter -A FORWARD -i ens7 -p tcp -m tcp --dport 80 -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
+   sudo iptables -t filter -A FORWARD -i ens7 -m state --state INVALID -j DROP
+   sudo ./xdp_synproxy --iface ens7 --ports 80 --mss4 1460 --mss6 1440 --wscale 7 --ttl 64
+
+   Simple test diagram
+
+   client:                                                  server:
+   ip r add 10.6.6.0/24                                     ip r add 10.3.3.0/24
+      via 10.3.3.8                                             via 10.6.6.8
+
+   +---------------+      +----------------------------+    +--------------+
+   |               |      |                            |    |              |
+   | client        |      |     Firewall/router        |    |  server      |
+   | 10.3.3.9      eno2---ens7 10.3.3.8   10.6.6.8  ens9----ens9 10.6.6.6  |
+   |               |      |                            |    |              |
+   |               |      |                            |    |              |
+   +---------------+      +----------------------------+    +--------------+
+#+END_SRC