Chapter 11. Networking

i40e and i40evf now fully supported

The i40e and i40evf kernel drivers have been updated to versions 1.3.21-k and 1.3.13. These updated drivers, which were previously included as a Technology Preview, are now fully supported. Note that you need to apply the i40e Driver Update Program (DUP) for Red Hat Enterprise Linux 7.2 available at For more information, see the Knowledgebase article available at
On i40e ports, an attempt to run iSCSI related commands previously led to loss of network connectivity out of i40e ports. This update fixes the bug, and the system now allows for iSCSI commands to proceed.

SNMP now correctly obeys the clientaddr directive over IPv6

Previously, the clientaddr option in snmp.conf only affected outgoing messages sent over IPv4. With this release, the outgoing IPv6 messages are correctly sent from the interface specified by clientaddr.

tcpdump supports -J, -j, and --time-stamp-precision options

As kernel, glibc, and libpcap now provide APIs to obtain nanosecond resolutions time stamps, tcpdump has been updated to leverage this functionality. Users can now query which time stamp sources are available (-J), set a specific time stamp source (-j), and request time stamps with a specified resolution (--time-stamp-precision).

TCP/IP rebase to version 3.18

TCP/IP stack has been upgraded to upstream version 3.18, which provides a number of bug fixes and enhancements over the previous version. Notably, this update fixes TCP fast open extension, which now works as expected when using IPv6. In addition, this update provides support for optional TCP autocorking and implements Data Center TCP (DCTCP).

NetworkManager libreswan rebase to version 1.0.6

A number of bug fixes and enhancements have been incorporated from upstream, for example:
* Password handling is now more robust
* Connection start and stop is now more robust
* Default routing is now autodetected from pushed routes
* Added support for interactive password requests
* Fixed erroneous import and export capability advertisement.

NetworkManager now supports setting the MTU of a bonded interface

Both 'nmcli' and the GUI interface now allow the setting of MTU on a bonded interface.

NetworkManager now validates IPv6 Router Advertisement MTU options before applying them

Malicious or misconfigured nodes could send an IPv6 MTU that would make further network communication problematic or impossible if applied. NetworkManager now gracefully handles these events and maintains IPv6 connectivity.

IPv6 Privacy extensions now enabled by default

To determine and set IPv6 privacy settings at device activation, NetworkManager now checks its network configuration in NetworkManager.conf by default, and falls back to /proc/sys/net/ipv6/conf/default/use_tempaddr if necessary.

The control-center Network Panel now displays WiFi device capabilities

Supported operating frequencies of WiFi devices are now displayed in the control-center network panel.

NetworkManager now gracefully handles route conflicts when multiple interfaces point to the same gateway

NetworkManager now keeps track of configured routes and avoids attempts to set conflicting routes. When a conflicting route is no longer active, it is removed.

Fix for network blackout with multihomed connections

NetworkManager now avoids a network blackout when activating the second device in a multihomed connection.

New option to prevent NetworkManager from overriding ip route add

The new 'never-default' option has been added to the connection IP configuration. This option prevents NetworkManager from setting the default route itself, allowing the administrator to set different default routes as required.

Fix for legacy network.service errors when Carrier Down is detected on some hardware

When a device has no carrier during boot, NetworkManager will wait for the carrier to be detected instead of causing activation to fail immediately.

NetworkManager now supports Wake On Lan

The nmcli utility now allows Wake on Lan to be set on a per device basis.

Improved support for firewalld zones with VPN connections

When a firewall zone is configured for a device-based VPN connection, the zone is now correctly configured in firewalld.

Fair Queue packet scheduler now supported

The Fair Queue packet scheduler, known as fq, has been added to Red Hat Enterprise Linux 7.2 and can be selected using the tc (traffic controller) utility.

Added support for transmit coalescing

The xmit_more extension has been implemented, improving transmit performance of virtio-net and other drivers, especially when TSO (TCP Segmentation Offload) is disabled.

Improved network frame receiving performance

By refactoring the code to eliminate IRQ save and restore operations in NAPI memory allocation, latency when receiving network frames has been reduced.

Significantly improved performance of route lookups

The IPv4 FIB (Forward Information Base) code has been updated from upstream to improve performance.

Network Namespace support for Virtual Interfaces

The netns id is now supported on virtual interfaces, allowing reliable tracking of linked network interfaces across network namespace boundaries.

Docker and LXC containers can now read net.ipv4.ip_local_port_range

Network name space support for the net.ipv4.ip_local_port_range sysctl has been added, improving container support for software that requires access to this information.

Improved reporting of autoconfigured IPv6 routes by the 'ip' tool

The ip tool could not get the mtu or hoplimit information from a Route Advertisement, this has been fixed.

Dual-stack socket options are now correctly exported

AF_INET6 sockets are only exclusive to IPv6 when IPV6_V6ONLY is set. In all other cases the socket is also IPv4 capable. This information is now properly exported and can be interrogated using iproute2.

Data Center TCP Now Supported

This release includes an implementation of DCTCP to improve network performance in Data Center environments. the parameter dctcp can be set either in sysctl or on a per route basis with ip route.

Per Route Congestion Control

To enable different congestion control algorithms on a per route basis, the congctl parameter has been added to ip route.

Improved Congestion Window handling for TCP Cubic and Reno when using GRO

The method to determine bandwidth and congestion window sizing has been improved, reducing the number of ACK packets required for transmission of large volumes of data.

TCP Pacing is now supported

The parameter SO_MAX_PACING_RATE has been added. This enables greater control of throughput rate for environment where this is a consideration.

Support for both client and server TFO

The TCP Fast Open feature has been added, using the RFC 7413 assigned option number.

Mitigation of TCP ACK loops

Handling of duplicated TCP ACKs has been improved, preventing some problems with buggy or potentially malicious middleboxes.

Minimal support for secondary endpoints with nf_conntrack_proto_sctp

Basic multihoming support has been added to SCTP.

AF_UNIX implementation rebased

The AF_UNIX (sometimes called AF_LOCAL) code has been updated to include many fixes and enhancements. In particular, sendpage and splice (also known as zerocopy) are now supported.

Kernel tunneling support rebased to upstream

The kernel tunneling drivers have been updated from kernel 4, bringing in many fixes and enhancements, especially for VXLAN.

Added support for crossing network namespaces to GRE

Both gre and ip6gre now have support for x-netns.

Improved performance when running Virtual Machine Traffic over VXLAN

The transmit flow hashing code has been updated, resulting in improved performance when traffic originating from a virtual machine is directed into a tunnel.

Improved offloading for VLAN frames received in a VXLAN or from GRE tunnels

A number of changes have been introduced to enable GRO support and improve performance under VXLAN and NVGRE tunneling.

Improved performance of Open vSwitch tunneling

The tx-nocache-copy device feature is now disabled by default. The previous default created a significant overhead for many workloads and particularly for OVS tunnels running over a VXLAN.

Improved IPsec Handling

IPsec has been updated to provide many fixes and some enhancements. Of particular note is that this release now provides the ability to match on outgoing interfaces.

Inclusion of VTI6 support including netns capabilities

Virtual Tunnel Interfaces for IPv6, including netns capabilities, have been added to the kernel.

Default value of nf_conntrack_buckets increased

If not specified as parameter during module loading, the default number of buckets is calculated through dividing total memory by 16384 to determine the number of buckets. The hash table will never have fewer than 32 and is limited to 16384 buckets. For systems with more than 4GB of memory however, this limit will be 65536 buckets.

Improvements in memory usage for iptables on large SMP machines

Previously, large iptables rulesets could use significant amounts of memory unnecessarily, this was due to storing the ruleset on a per (possible) CPU basis. The memory overhead has been reduced by changing the way rulesets are stored.

Network bonding driver updated

To improve maintainability, the kernel network bonding driver has been updated to bring it in line with upstream source.

Kernel netlink interfaces for bonding and 802.3ad (LACP)

Additional netlink interfaces for reading and setting bonding parameters on LACP devices have been added to the kernel.

Improvements in performance for mactap and macvtap with VLANs

Several low throughput issues involving segmentation problems have been addressed:
* Communicating with e1000 devices to virtio devices over mactap.
* Communicating with an external host when using VLANs in the guest.
* Communicating with the KVM host over a VLAN in both the guest and host.

Improved ethtool network querying

The network-querying capabilities of the ethtool utility were enhanced in a Technology Preview for Red Hat Enterprise Linux 7.1 on IBM System z and are fully supported as of Red Hat Enterprise Linux 7.2. As a result, when using hardware compatible with the improved querying, ethtool provides improved monitoring options, and displays network card settings and values more accurately.