core/base: re-enable TCP sack

author: Christian Pointner <equinox@spreadspace.org> 2022-10-04 00:06:47 +0200
committer: Christian Pointner <equinox@spreadspace.org> 2022-10-04 00:06:47 +0200
commit: 39d93b5a9f4d2061023bc9cfbc2e0f47d4106845 (patch)
tree: d85d89f8eae1cb77d1d195d86a94faba85511eec /roles/core
parent: accesspoints: some more tweaks (diff)
1 files changed, 3 insertions, 4 deletions
diff --git a/roles/core/base/vars/main.yml b/roles/core/base/vars/main.yml
index 2312a8b9..05d021fd 100644
--- a/roles/core/base/vars/main.yml
+++ b/roles/core/base/vars/main.yml
@@ -44,7 +44,6 @@ base_sysctl_config:
   # Prevent against the common 'syn flood attack'
   net.ipv4.tcp_syncookies: 1
 
-  # Disable Selective Acknowledgement (SACK)
-  # Workaround CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
-  # See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
-  net.ipv4.tcp_sack: 0
+  # re-enable Selective Acknowledgement (SACK)
+  # CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 have been long fixed now
+  net.ipv4.tcp_sack: 1
author	Christian Pointner <equinox@spreadspace.org>	2022-10-04 00:06:47 +0200
committer	Christian Pointner <equinox@spreadspace.org>	2022-10-04 00:06:47 +0200
commit	39d93b5a9f4d2061023bc9cfbc2e0f47d4106845 (patch)
tree	d85d89f8eae1cb77d1d195d86a94faba85511eec /roles/core
parent	accesspoints: some more tweaks (diff)