X-Git-Url: https://git.realraum.at/?a=blobdiff_plain;f=ansible%2Froles%2Fbase%2Ftasks%2F06net.yml;h=e257b9bed8afc899e24d8ae9cd7f276e1eff1a9c;hb=a51261d0be931e480aadc98b2647c336deaf6846;hp=17a595090a72a84953cf82c61b917528d9e2e15e;hpb=15a29a66eccba8c13ffcb8a95c35d02d0c8abd51;p=noc.git
diff --git a/ansible/roles/base/tasks/06net.yml b/ansible/roles/base/tasks/06net.yml
index 17a5950..e257b9b 100644
--- a/ansible/roles/base/tasks/06net.yml
+++ b/ansible/roles/base/tasks/06net.yml
@@ -1,14 +1,13 @@
 ---
-- name: Configure to load network-related kernel modules
+- name: Load the tcp_bbr kernel module
+ modprobe:
+ name: tcp_bbr
+
+- name: Persist the tcp_bbr module to configuration
 copy:
 dest: /etc/modules-load.d/local-network.conf
- content: '{{ network_modules | join("\n") }}'
+ content: tcp_bbr
-- name: Load network-related kernel modules
- modprobe:
- name: "{{ item }}"
- with_items: "{{ network_modules }}"
-
 - name: Set network-related sysctl options
 sysctl:
 sysctl_file: /etc/sysctl.d/local-network.conf
@@ -25,5 +24,10 @@
 # C.f. https://queue.acm.org/detail.cfm?id=3022184
 net.ipv4.tcp_congestion_control: bbr
+ # Disable Selective Acknowledgement (SACK)
+ # Workaround CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
+ # See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
+ net.ipv4.tcp_sack: 0
+
 loop_control:
 label: "{{ item.key }}"
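Review bot: The `copy` task that persists the module sets no `owner`, `group` or `mode`, so the permissions of `/etc/modules-load.d/local-network.conf` depend on the umask in effect on the target. For a file that decides which kernel modules load at boot I would pin them with `owner: root`, `group: root` and `mode: "0644"` (quoted so the mode is not read as an integer). `content: tcp_bbr` also writes the file without a trailing newline; `content: "tcp_bbr\n"` keeps it a well-formed line-oriented file. If `network_modules` is still set in defaults or host vars (not visible in this hunk), it is now silently ignored, so a comment saying the list is intentionally hard-coded would help.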
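Review bot: The added comment lists CVE-2019-11479 as worked around by `net.ipv4.tcp_sack: 0`, but as I read the linked Netflix advisory, disabling SACK is offered as a workaround for CVE-2019-11477 and CVE-2019-11478 only. The low-MSS issue (CVE-2019-11479) needs the kernel fix or MSS filtering, so a reader may wrongly assume all three are covered. I would reword the comment to `# Workaround for CVE-2019-11477 and CVE-2019-11478; CVE-2019-11479 still needs a patched kernel or low-MSS filtering`. I would also add `# TODO: re-enable SACK once all hosts run a fixed kernel`, because turning SACK off costs throughput on lossy paths and is easy to forget. The enclosing sysctl task starts outside this hunk.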