From 39d93b5a9f4d2061023bc9cfbc2e0f47d4106845 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Tue, 4 Oct 2022 00:06:47 +0200
Subject: core/base: re-enable TCP sack
---
 roles/core/base/vars/main.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
(limited to 'roles/core')
diff --git a/roles/core/base/vars/main.yml b/roles/core/base/vars/main.yml
index 2312a8b9..05d021fd 100644
--- a/roles/core/base/vars/main.yml
+++ b/roles/core/base/vars/main.yml
@@ -44,7 +44,6 @@ base_sysctl_config:
 # Prevent against the common 'syn flood attack'
 net.ipv4.tcp_syncookies: 1
- # Disable Selective Acknowledgement (SACK)
- # Workaround CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
- # See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
- net.ipv4.tcp_sack: 0
+ # re-enable Selective Acknowledgement (SACK)
+ # CVE-2019-11477, CVE-2019-11478, CVE-2019-11479 have been long fixed now
+ net.ipv4.tcp_sack: 1
--
cgit v1.2.3
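Review bot: The new comment above `net.ipv4.tcp_sack: 1` states that the three CVEs are long fixed, but nothing visible in this hunk ties the value to the kernel a host actually runs, so any managed host still on an unpatched kernel loses the workaround the next time the role is applied. I would record the assumption next to the setting, for example `# assumes every managed kernel carries the fixes for CVE-2019-11477/11478/11479; override tcp_sack to 0 on hosts that do not`, and keep the advisory URL from the removed comment so the reasoning stays traceable. As far as I recall, the upstream fix for CVE-2019-11479 is the `net.ipv4.tcp_min_snd_mss` tunable rather than a change in SACK handling, so it is worth confirming whether this mapping should set it explicitly. The `base_sysctl_config` mapping starts outside the hunk, so an existing per-host override mechanism may already cover this.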