Chapter 31. Networking

SNMP response is no longer timed out

Previously, all the Simple Network Management Protocol version 1 (SNMPv1) and SNMPv2c responses that followed an SNMPv3 message were checked against the last recorded SNMPv3 max message size property. As a consequence, an SNMPv3 request with a small max message size could lead to SNMPv1 and SNMPv2c bulk requests timing out. With this update, the session maximum message size is checked only for SNMPv3 requests, and the SNMPv1 and SNMPv2c response is no longer timed out. (BZ#1324306)

ICMP redirects no longer cause the kernel to crash

Previously, a socket was not locked between user space and the processing of Internet Control Message Protocol (ICMP) redirect packets, which created a race condition. As a consequence, the kernel terminated unexpectedly. The bug has been fixed by skipping the processing of ICMP redirect packets when the socket is locked by user space, and the described problem no longer occurs. (BZ#1387485)

The net.ipv4.ip_nonlocal_bind kernel parameter is set in name spaces

Previously, using a floating IP address inside a network name space in some cases failed with the following error message:
bind: Cannot assign requested address.
With this update, the kernel respects setting of the net.ipv4.ip_nonlocal_bind parameter to 1 in name spaces, and the floating IP address is now assigned as expected. (BZ#1363661)

The netfilter REJECT rule now works on SCTP packets

Previously, the conntrack tool did not check the CRC32c value for Stream Control Transmission Protocol (SCTP) packets. As a consequence, the netfilter REJECT rule was not applied as expected on SCTP packets. The bug has been fixed by setting CHECKSUM_UNNECESSARY on SCTP packets which have valid CRC32c. As a result, the netfilter REJECT is allowed to generate an Internet Control Message Protocol (ICMP) response. (BZ#1353218)

NetworkManager no longer duplicates a connection with already-set DHCP_HOSTNAME

Previously, after a restart of the NetworkManager service, a connection with an already-set DHCP_HOSTNAME property was duplicated. Consequently, a DHCP lease was not always renewed upon its expiry. With this update, the connection is no longer duplicated, and a DHCP lease is correctly renewed in this scenario.
Note that the fix includes ignoring the already-set hostname properties in the matching process. To avoid possible problems, remove all unused connections with an incorrect ipv4.dhcp-hostname. For more information, see (BZ#1393997)

Improved SCTP congestion_window management

Previously, small data chunks caused the Stream Control Transmission Protocol (SCTP) to account for the receiver_window (rwnd) values incorrectly when recovering from a zero-window situation. As a consequence, window updates were not sent to the peer, and an artificial growth of rwnd could lead to packet drops. This update properly accounts for such small data chunks and ignores the rwnd pressure values when reopening a window. As a result, window updates are now sent, and the announced rwnd better reflects the real state of the receive buffer. (BZ#1084802)

Value of DCTCP alpha now drops to 0 and cwnd remains at values more than 137

Previously, the alpha value of Datacenter TCP (DCTCP) was shifted before subtraction, causing precision loss. As a consequence, the real alpha value did not fall below 15 and uncongested flows eventually dropped to a congestion_window (cwnd) value of 137. This bug has been fixed by canceling the shift operation when alpha is low. As a result, alpha drops to 0 and cwnd remains at values more than 137 for uncongested flows. (BZ#1370638)
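The precision loss described above can be reproduced in a few lines. This is an added example, not the kernel patch itself: the fixed-point scale of 1024, the shift of 4 (gain g = 1/16), and the min_not_zero clamp used to cancel the shift at low alpha are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define DCTCP_MAX_ALPHA 1024U /* assumed: alpha is a fraction scaled by 1024 */
#define DCTCP_SHIFT_G   4U    /* assumed: gain g = 1/16 */

/* Smaller of two values, treating a zero operand as "not set". */
static uint32_t min_not_zero(uint32_t a, uint32_t b)
{
    if (a == 0)
        return b;
    if (b == 0)
        return a;
    return a < b ? a : b;
}

/* Pre-fix decay for a window with no marked bytes: alpha = (1 - g) * alpha.
 * Once alpha < 16 the shifted term is 0, so nothing is subtracted. */
static uint32_t alpha_decay_old(uint32_t alpha)
{
    return alpha - (alpha >> DCTCP_SHIFT_G);
}

/* Decay with the shift cancelled at low alpha: when the shifted term
 * rounds to 0, subtract alpha itself so the value can reach 0. */
static uint32_t alpha_decay_fixed(uint32_t alpha)
{
    return alpha - min_not_zero(alpha, alpha >> DCTCP_SHIFT_G);
}

/* Apply one decay step per uncongested window, n times. */
static uint32_t decay_windows(uint32_t (*step)(uint32_t), uint32_t alpha, int n)
{
    while (n-- > 0)
        alpha = step(alpha);
    return alpha;
}

int main(void)
{
    printf("old decay floor:   %u\n",
           decay_windows(alpha_decay_old, DCTCP_MAX_ALPHA, 1000));
    printf("fixed decay floor: %u\n",
           decay_windows(alpha_decay_fixed, DCTCP_MAX_ALPHA, 1000));
    return 0;
}
```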

ss now displays cwnd correctly

Previously, the ss utility displayed Transmission Control Protocol congestion window (TCP cwnd) values from the kernel, performing a cast from unsigned to signed 32-bit integer. As a consequence, some values could overflow and be interpreted as negative. With this update, the ss code has been fixed, and the utility no longer displays negative cwnd values. (BZ#1375215)

Value of cwnd no longer increases using DCTCP

Previously, the congestion_window (cwnd) increased unexpectedly after a packet loss. As a consequence, the Data Center TCP (DCTCP) congestion control module became ineffective in avoiding congestion, because repeated problems on the same flow occurred. With this update, the cwnd value is saved on loss and the old one is restored on recovery. As a result, cwnd remains stable. (BZ#1386923)

Negated range matches have been fixed

Previously, using a range of values in a negated match would never evaluate as true. With this update, such matches work as expected. For example:
# nft add rule ip ip_table filter_chain_input ip length != 100-200 drop
now correctly drops packets smaller than 100 bytes or larger than 200 bytes. (BZ#1418967)

The nmcli connection show command now displays the correct output for both empty and NULL values

Previously, the output of the nmcli connection show command did not display empty and NULL values consistently across different properties. As a consequence, empty values were displayed either as -- or without a value. With this update, the output of the nmcli connection show command displays -- for both empty and NULL values in normal or pretty modes.
Note that in terse mode, values are printed only in their raw form and the empty and NULL values are not printed at all. (BZ#1391170)

snmpd no longer rejects large packets from AgentX subagents

Previously, the SNMP daemon (snmpd) limited the size of packets sent from AgentX subagents to 1472 bytes. This caused snmpd to refuse large packets from AgentX subagents. The packet size limit has been increased to 65535 bytes. As a result, snmpd no longer rejects large packets from AgentX subagents. (BZ#1286693)

Macvlan can now be unregistered correctly

Previously, attempts to unregister the Macvlan driver failed with broken sysfs links from or to devices in another namespace. With this update, Macvlan has been fixed, thus fixing this bug. (BZ#1412898)