From 51f41ff14ae47306668970c6b0a935ffaa377c2b Mon Sep 17 00:00:00 2001
From: Gregory Colpart
Date: Fri, 17 Aug 2018 21:28:14 +0200
Subject: [PATCH] Workaround by Evolix security team for old kernels and vulnerabiliy CVE-2018-5391 (FragmentSmack)

---
 evolinux-base/tasks/kernel.yml | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/evolinux-base/tasks/kernel.yml b/evolinux-base/tasks/kernel.yml
index 10f0c00b..b9b8c99c 100644
--- a/evolinux-base/tasks/kernel.yml
+++ b/evolinux-base/tasks/kernel.yml
@@ -50,4 +50,36 @@
     reload: yes
   when: evolinux_kernel_cve20165696
 
+- name: Patch for TCP stack vulnerabiliy CVE-2018-5391 (FragmentSmack)
+  sysctl:
+    name: net.ipv4.ipfrag_low_thresh
+    value: 196608
+    sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
+    state: present
+    reload: yes
+
+- name: Patch for TCP stack vulnerabiliy CVE-2018-5391 (FragmentSmack)
+  sysctl:
+    name: net.ipv6.ip6frag_low_thresh
+    value: 196608
+    sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
+    state: present
+    reload: yes
+
+- name: Patch for TCP stack vulnerabiliy CVE-2018-5391 (FragmentSmack)
+  sysctl:
+    name: net.ipv4.ipfrag_high_thresh
+    value: 262144
+    sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
+    state: present
+    reload: yes
+
+- name: Patch for TCP stack vulnerabiliy CVE-2018-5391 (FragmentSmack)
+  sysctl:
+    name: net.ipv6.ip6frag_high_thresh
+    value: 262144
+    sysctl_file: "{{ evolinux_kernel_sysctl_path }}"
+    state: present
+    reload: yes
+
 - meta: flush_handlers
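Review bot: The four new sysctl tasks run unconditionally, while the CVE-2016-5696 task immediately above them is gated on `when: evolinux_kernel_cve20165696`; pinning the fragment-reassembly thresholds back to 256 KiB / 192 KiB is a stopgap that also makes the host drop legitimate fragmented traffic sooner under load, so it should be switchable the same way (`when: evolinux_kernel_cve20185391` on each task, with the variable defaulting to true) so it can be turned off once hosts run a fixed kernel. The task names are misleading and identical: CVE-2018-5391 is an IPv4/IPv6 fragment reassembly DoS rather than a TCP-stack issue, and four tasks with the same name make play output hard to follow, so something like `- name: Mitigate CVE-2018-5391 (FragmentSmack) - net.ipv4.ipfrag_low_thresh` per task (which also fixes the typo "vulnerabiliy") would help. The order of the four tasks also appears to matter: on kernels that enforce the relation between the two thresholds, a low_thresh above the current high_thresh (or the reverse) is rejected, so setting both low values before both high values, as the hunk does, looks correct, and a comment such as `# low_thresh is set first: the kernel refuses a low_thresh above high_thresh` would keep a later reorder from silently breaking the play.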