From d305e138528fc1426e7e73422059b840249a3fae Mon Sep 17 00:00:00 2001
From: A Holt
Date: Wed, 28 Jul 2021 01:48:14 -0400
Subject: [PATCH] 2-common/tasks/network.yml: Use 'sysctl' to set 5 network/kernel settings, turning off IPv6 if possible
---
 roles/2-common/tasks/network.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/roles/2-common/tasks/network.yml b/roles/2-common/tasks/network.yml
index cc1615a58..9b3257e09 100644
--- a/roles/2-common/tasks/network.yml
+++ b/roles/2-common/tasks/network.yml
@@ -24,3 +24,20 @@
 src: iptables
 dest: /etc/network/if-pre-up.d/iptables
 mode: '0755'
+
+# Ongoing rework (e.g. PR #2652) arising from ansible.posix collection changes:
+- name: Use 'sysctl' to set 5 network/kernel settings, turning off IPv6 if possible
+ sysctl: # Places these settings in /etc/sysctl.conf, to survive reboot
+ name: "{{ item.name }}"
+ value: "{{ item.value }}"
+ with_items:
+ - { name: 'net.ipv4.ip_forward', value: '1' } # Masquerading LAN->Internet
+ - { name: 'net.ipv4.conf.default.rp_filter', value: '1' }
+ - { name: 'net.ipv4.conf.default.accept_source_route', value: '0' }
+ #- { name: 'kernel.sysrq', value: '1' } # OS values differ, Ok?
+ - { name: 'kernel.core_uses_pid', value: '1' }
+ #- { name: 'net.ipv4.tcp_syncookies', value: '1' } # Very standard in 2020
+ #- { name: 'kernel.shmmax', value: '268435456' } # OS values differ, Ok?
+ - { name: 'net.ipv6.conf.all.disable_ipv6', value: '1' } # IPv6 disabled
+ #- { name: 'net.ipv6.conf.default.disable_ipv6', value: '1' } # AUTO-SET
+ #- { name: 'net.ipv6.conf.lo.disable_ipv6', value: '1' } # BY ABOVE
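Review bot: The two anti-spoofing entries in `with_items` are set only under `net.ipv4.conf.default.*`, which seeds interfaces created after the value is applied; interfaces that already exist keep whatever `rp_filter` and `accept_source_route` they had. Because the same task enables `net.ipv4.ip_forward`, the forwarding interfaces are exactly the ones that need reverse-path filtering and source-route rejection, so I would add the `all` keys alongside: `- { name: 'net.ipv4.conf.all.rp_filter', value: '1' }` and `- { name: 'net.ipv4.conf.all.accept_source_route', value: '0' }`. Separately, the task name says "if possible", but nothing in the task tolerates a host where the `net.ipv6` keys are absent; if that case matters, the module's `ignoreerrors: yes` option or a `when:` guard on the IPv6 item would make the intent explicit rather than letting the whole loop fail there.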