From 93861a9714f689e597efb5d11030cbc996148b90 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Tue, 18 Jun 2019 22:27:34 +0200
Subject: disable TCP Sack
---
 roles/base/vars/main.yml | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'roles/base/vars')
diff --git a/roles/base/vars/main.yml b/roles/base/vars/main.yml
index 557a4a7c..d228b088 100644
--- a/roles/base/vars/main.yml
+++ b/roles/base/vars/main.yml
@@ -43,3 +43,8 @@ sysctl_config:
 # Prevent against the common 'syn flood attack'
 net.ipv4.tcp_syncookies: 1
+
+ # Disable Selective Acknowledgement (SACK)
+ # Workaround CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
+ # See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
+ net.ipv4.tcp_sack: 0
-- 
cgit v1.2.3
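Review bot: The added comment above `net.ipv4.tcp_sack: 0` lists CVE-2019-11479 as covered, but turning SACK off only works around CVE-2019-11477 and CVE-2019-11478. CVE-2019-11479 is the low-MSS resource-consumption issue, and the linked advisory handles it with a filter that drops connections advertising a very small MSS, or with a patched kernel. I would reword the comment to `# Workaround for CVE-2019-11477 and CVE-2019-11478 (CVE-2019-11479 needs a patched kernel or a low-MSS filter)` so that nobody reads this host as fully mitigated. Since disabling SACK costs throughput on lossy links, a second line such as `# Temporary: remove once patched kernels are rolled out` would keep the setting from becoming permanent. The `sysctl_config` mapping starts outside this hunk, so how and when the value is applied to running hosts is not visible here.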