Chapter 10. Networking
Trusted Network Connect
Red Hat Enterprise Linux 7.1 introduces the Trusted Network Connect functionality as a Technology Preview. Trusted Network Connect is used with existing network access control (NAC) solutions, such as TLS, 802.1X, or IPsec, to integrate endpoint posture assessment; that is, collecting an endpoint's system information (such as operating system configuration settings, installed packages, and others, termed integrity measurements). Trusted Network Connect is used to verify these measurements against network access policies before allowing the endpoint to access the network.
SR-IOV Functionality in the qlcnic Driver
Support for Single-Root I/O virtualization (SR-IOV) has been added to the qlcnic driver as a Technology Preview. Support for this functionality will be provided directly by QLogic, and customers are encouraged to provide feedback to QLogic and Red Hat. Other functionality in the qlcnic driver remains fully supported.
Berkeley Packet Filter
Support for a Berkeley Packet Filter (BPF) based traffic classifier has been added to Red Hat Enterprise Linux 7.1. BPF is used in packet filtering for packet sockets, for sandboxing in secure computing mode (seccomp), and in Netfilter. BPF has a just-in-time implementation for the most important architectures and a rich syntax for building filters.
Improved Clock Stability
Previously, test results indicated that disabling the tickless kernel capability could significantly improve the stability of the system clock. The kernel tickless mode can be disabled by adding nohz=off to the kernel boot option parameters. However, recent improvements applied to the kernel in Red Hat Enterprise Linux 7.1 have greatly improved the stability of the system clock, and the difference in stability of the clock with and without nohz=off should be much smaller now for most users. This is useful for time synchronization applications using
The libnetfilter_queue package has been added to Red Hat Enterprise Linux 7.1. libnetfilter_queue is a user space library providing an API to packets that have been queued by the kernel packet filter. It enables receiving queued packets from the kernel nfnetlink_queue subsystem, parsing them, rewriting packet headers, and re-injecting the altered packets.
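The parse-and-rewrite step that a libnetfilter_queue consumer performs on a queued packet before re-injecting it, as an added example (not code from the libnetfilter_queue project): it works on a constructed IPv4 header buffer, the way a verdict callback would on the buffer returned by nfq_get_payload() before handing it back with nfq_set_verdict(), and repairs the header checksum, without which the re-injected packet would be discarded. The function and sample names are the example's own.

```c
#include <stdint.h>
#include <stddef.h>

/* RFC 1071 one's-complement sum over an IPv4 header; a rewriter must
 * recompute it or the re-injected packet is discarded downstream. */
static uint16_t ipv4_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((hdr[i] << 8) | hdr[i + 1]);
    if (len & 1)
        sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Validate the IPv4 header at the front of a queued packet. Returns the
 * header length, or 0 if malformed (bad version/IHL, truncated, or checksum
 * mismatch); a verdict callback would NF_DROP such a packet. */
size_t ipv4_parse(const uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return 0;
    return ipv4_checksum(pkt, ihl) == 0 ? ihl : 0;  /* valid header sums to 0 */
}

/* Rewrite the TOS/DSCP byte in place and repair the checksum.
 * Returns 1 on success, 0 (buffer untouched) if validation failed. */
int ipv4_set_tos(uint8_t *pkt, size_t len, uint8_t tos)
{
    size_t ihl = ipv4_parse(pkt, len);
    if (ihl == 0) return 0;
    pkt[1] = tos;
    pkt[10] = pkt[11] = 0;                 /* field is zero while summing */
    uint16_t c = ipv4_checksum(pkt, ihl);
    pkt[10] = (uint8_t)(c >> 8); pkt[11] = (uint8_t)(c & 0xff);
    return 1;
}

/* Constructed sample: 192.0.2.1 -> 198.51.100.7, UDP, TTL 64, DF, checksum
 * 0x4e9d. Marks it DSCP EF (TOS 0xb8) and returns the repaired checksum. */
uint16_t sample_rewrite(void)
{
    uint8_t pkt[20] = { 0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
                        0x4e, 0x9d, 0xc0, 0x00, 0x02, 0x01, 0xc6, 0x33, 0x64, 0x07 };
    if (!ipv4_set_tos(pkt, sizeof pkt, 0xb8)) return 0;
    return (uint16_t)((pkt[10] << 8) | pkt[11]);
}
```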
The libteam packages have been updated to version 1.15 in Red Hat Enterprise Linux 7.1. The update provides a number of bug fixes and enhancements; in particular, teamd can now be automatically re-spawned by systemd, which increases overall reliability.
Intel QuickAssist Technology Driver
The Intel QuickAssist Technology (QAT) driver has been added to Red Hat Enterprise Linux 7.1. The QAT driver enables QuickAssist hardware, which adds cryptographic hardware-offload capabilities to a system.
LinuxPTP timemaster Support for Failover between PTP and NTP
The linuxptp package has been updated to version 1.4 in Red Hat Enterprise Linux 7.1. The update provides a number of bug fixes and enhancements; in particular, it adds support for failover between PTP domains and NTP sources using the timemaster application. When multiple PTP domains are available on the network, or fallback to NTP is needed, the timemaster program can be used to synchronize the system clock to all available time sources.
Support for custom VLAN names has been added in Red Hat Enterprise Linux 7.1. Improved support for IPv6 in GRE tunnels has been added; the inner address now persists across reboots.
TCP Delayed ACK
Support for a configurable TCP Delayed ACK has been added to the iproute package in Red Hat Enterprise Linux 7.1. This can be enabled by the ip route quickack command.
NetworkManager has been updated to version 1.0 in Red Hat Enterprise Linux 7.1.
The support for Wi-Fi, Bluetooth, wireless wide area network (WWAN), ADSL, and team has been split into separate subpackages to allow for smaller installations.
To support smaller environments, this update introduces an optional built-in Dynamic Host Configuration Protocol (DHCP) client that uses less memory.
A new NetworkManager mode for static networking configurations has been added: it starts NetworkManager, configures the interfaces, and then quits.
NetworkManager provides better cooperation with non-NetworkManager managed devices, specifically by no longer setting the IFF_UP flag on these devices. In addition, NetworkManager is aware of connections created outside of itself and is able to save these to be used within NetworkManager if desired.
In Red Hat Enterprise Linux 7.1, NetworkManager assigns a default route for each interface allowed to have one. The metric of each default route is adjusted to select the global default interface, and this metric may be customized to prefer certain interfaces over others. Default routes added by other programs are not modified by NetworkManager.
Improvements have been made to NetworkManager's IPv6 configuration, allowing it to respect IPv6 router advertisement MTUs and keeping manually configured static IPv6 addresses even if automatic configuration fails. In addition, WWAN connections now support IPv6 if the modem and provider support it.
Various improvements to dispatcher scripts have been made, including support for a pre-up and pre-down script.
lacp_rate is now supported in Red Hat Enterprise Linux 7.1. NetworkManager has been enhanced to make device renaming easier when a master interface with slave interfaces is renamed.
A priority setting has been added to the auto-connect function of NetworkManager. Now, if more than one eligible candidate is available for auto-connect, NetworkManager selects the connection with the highest priority. If all available connections have equal priority values, NetworkManager uses the default behavior and selects the last active connection.
This update also introduces numerous improvements to the nmcli command-line utility, including the ability to provide passwords when connecting to Wi-Fi or 802.1X networks.
Network Namespaces and VTI
Support for virtual tunnel interfaces (VTI) with network namespaces has been added in Red Hat Enterprise Linux 7.1. This enables traffic from a VTI to be passed between different namespaces when packets are encapsulated or de-encapsulated.
Alternative Configuration Storage for the MemberOf Plug-In
The configuration of the MemberOf plug-in for the Red Hat Directory Server can now be stored in a suffix mapped to a back-end database. This allows the MemberOf plug-in configuration to be replicated, which makes it easier to maintain a consistent MemberOf plug-in configuration in a replicated environment.