Chapter 14. Networking

NetworkManager rebased to version 1.8

The NetworkManager package has been upgraded to upstream version 1.8, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
  • Support for additional route options has been added.
  • The managed state of a device is now persisted until reboot.
  • Devices that are externally managed are now correctly handled.
  • Network reliability on multihomed hosts has been enhanced.
  • Hostname management is now more flexibly configured.
  • Support for changing and enforcing 802-3 link properties has been added. (BZ#1414103)

NetworkManager now supports additional features for routes

With this update, NetworkManager can set some advanced options: source_address (src, IPv4 only), from, type_of_service (tos), window, maximum_transmission_unit (mtu), congestion_window (cwnd), initial_congestion_window (initcwnd), and initial_receiver_window (initrwnd) for static IPv4 and IPv6 routes of connections. (BZ#1373698)

NetworkManager now better handles device state

With this update, NetworkManager now maintains the state of devices after the service restart and takes over interfaces which are set into managed mode during restart. In addition, NetworkManager can handle devices which are not explicitly set as unmanaged but controlled manually by the user or another network service. (BZ#1394579)

NetworkManager now supports MACsec (IEEE 802.1AE)

This update adds support for configuring Media Access Control Security (MACsec) encryption into NetworkManager. (BZ#1337997)

NetworkManager now supports changing and enforcing 802-3 link properties

Previously, NetworkManager only exposed the 802-3 link properties 802-3-ethernet.speed, 802-3-ethernet.duplex, and 802-3-ethernet.auto-negotiate. With this update, it is possible to change and enforce them. You can either do this automatically using auto-negotiate=yes, or manually using auto-negotiate=no, speed=<Mbit/s>, duplex=[half,full].
Note that if auto-negotiate=no and either speed or duplex are not set, then the link negotiation is skipped and the auto-negotiate=no, speed=0, duplex=NULL default values are preserved.
Note also that the auto-negotiate default value has been changed from yes to no to preserve backward compatibility. Previously, the property was ignored, but now an auto-negotiate value of yes can enforce link negotiation. Setting it to no with speed and/or duplex unset means that link negotiation is ignored. (BZ#1353612)

NetworkManager now supports ordering bond slaves based on device names

Previously, the existing order of activation for slave connections could cause problems determining the MAC address of the master interface. This update adds more predictable ordering based on device names. You can enable the new ordering using the slaves-order=name setting in NetworkManager configuration.
Note that the new ordering is disabled by default and must be explicitly enabled. (BZ#1420708)

NetworkManager now supports VFs for SR-IOV devices

With this update, the NetworkManager system service supports creating virtual functions (VFs) for Single Root I/O Virtualization (SR-IOV) PCI devices. The number of VFs can be specified using the sriov-num-vfs option in the device section of the NetworkManager configuration file. After VFs are created, NetworkManager can activate connection profiles on them.
Note that some properties of a VF interface, such as the Maximum Transmission Unit (MTU), can only be set to values compatible with those that are set on the physical interface. (BZ#1398934)

Kernel GRE rebased to version 4.8

Kernel Generic Routing Encapsulation (GRE) tunneling has been updated to upstream version 4.8, which provides a number of bug fixes and enhancements over the previous version. The most notable changes include:
  • Code merge for transmit and receive paths for IPv4 GRE and IPv6 GRE
  • Enhancements that allow link layer address changes without bringing the gre (IPv4 GRE) or ip6gre (IPv6 GRE) device down
  • Support for various offloads such as checksum, scatter-gather, highdma, gso, or gro, for IPv6 GRE traffic
  • Automatic kernel module loading when adding ip6gretap devices
  • Miscellaneous tunneling fixes (such as error handling, MTU calculation, path MTU discovery) up to Linux kernel version 4.8 that affect GRE tunnels (BZ#1369158)

dnsmasq rebased to version 2.76

The dnsmasq packages have been upgraded to version 2.76, which provides a number of bug fixes and enhancements. Notable changes include the following:
  • The dhcp_release6 utility is now supported.
  • The ra-param option has been added.
  • Support for the RFC-4242 information-refresh-time options in the reply to the DHCPv6 information request has been added.
  • The ra-advrouter mode for RFC-3775-compliant mobile IPv6 support has been added.
  • The script-arp script has been added and two new functions for the dhcp-script script have been included.
  • It is now possible to use random addresses for DHCPv6 temporary address allocations, instead of algorithmically determined stable addresses.
  • New optional DNS Security Extensions (DNSSEC) support has been disabled.
  • dnsmasq can change the default values of IPv6 Router Advertisement. As a result, the ra-param option is used to change the default priorities and time intervals of routes advertised by dnsmasq. See the dnsmasq(1) man page for more information. (BZ#1375527, BZ#1398337)

BIND changes the way it handles URI resource records, which also affects URI backward compatibility

With this update, the BIND suite no longer adds an additional length byte to a value field when using a URI resource record. This also means that BIND in Red Hat Enterprise Linux (RHEL) 7.4 communicates only in the format described in RFC 7553: https://tools.ietf.org/html/rfc7553.
Note that this update makes new URI records incompatible with records created using BIND in previous versions of RHEL. Namely, BIND in RHEL 7.4 cannot:
  • Understand URI records provided by previous versions of BIND in RHEL.
  • Serve URI records to clients using previous versions of BIND in RHEL.
However, BIND in RHEL 7.4 still can:
  • Cache and receive records from both earlier and future versions of BIND in RHEL.
  • Serve records in the old URI format encoded as Unknown DNS Resource Record. See RFC 3597 for details: https://tools.ietf.org/html/rfc3597.
After this update, you do not need to make any change to the DNS zone files. (BZ#1388534)
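As an added illustration (not BIND's own code), the following Python encodes and decodes URI RDATA in the RFC 7553 wire format described above, renders a record in the RFC 3597 generic form that RHEL 7.4 BIND can still serve, and flags RDATA that carries the extra length byte of the older encoding. The legacy check is a heuristic derived from the description in this note, and the sample record below is constructed.

```python
import struct

URI_TYPE = 256  # RR type code assigned to URI by RFC 7553


def encode_uri_rdata(priority: int, weight: int, target: str) -> bytes:
    """RFC 7553 wire RDATA: 16-bit priority, 16-bit weight, then the target
    octets with no length prefix; everything after the header is the target."""
    if not (0 <= priority <= 0xFFFF and 0 <= weight <= 0xFFFF):
        raise ValueError("priority and weight are 16-bit fields")
    target_bytes = target.encode("utf-8")
    if not target_bytes:
        raise ValueError("URI target must not be empty")
    return struct.pack("!HH", priority, weight) + target_bytes


def decode_uri_rdata(rdata: bytes):
    """Parse RFC 7553 RDATA into (priority, weight, target)."""
    if len(rdata) < 5:
        raise ValueError("URI RDATA needs a 4-byte header and a non-empty target")
    priority, weight = struct.unpack("!HH", rdata[:4])
    return priority, weight, rdata[4:].decode("utf-8")


def to_rfc3597(rrtype: int, rdata: bytes) -> str:
    """Generic unknown-type presentation (RFC 3597): TYPE<n> \\# <len> <hex>."""
    return f"TYPE{rrtype} \\# {len(rdata)} {rdata.hex()}"


def looks_like_legacy(rdata: bytes) -> bool:
    """Heuristic (assumption based on this note): the pre-7.4 encoding placed a
    length octet before the target, so the octet after priority/weight equals
    the number of bytes that follow it. A well-formed RFC 7553 target whose
    first byte happens to equal that count would also match, so treat a True
    result as a prompt to inspect the record, not as proof."""
    return len(rdata) >= 5 and rdata[4] == len(rdata) - 5


if __name__ == "__main__":
    # Constructed sample: priority 10, weight 1, a demo URI target.
    rdata = encode_uri_rdata(10, 1, "https://example.com/")
    print(decode_uri_rdata(rdata))
    print(to_rfc3597(URI_TYPE, rdata))
    print("legacy?", looks_like_legacy(rdata))
```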

A DHCP client hook example added for DDNS for Microsoft Azure cloud

An example of the DHCP client hook for Dynamic DNS (DDNS) for Microsoft Azure cloud has been added to the dhclient package. The administrator can now easily enable this hook and register Red Hat Enterprise Linux clients with a DDNS server. (BZ#1374119)

dhcp_release6 now releases IPv6 addresses

With this update, the dhcp_release6 utility can release Dynamic Host Configuration Protocol version 6 (DHCPv6) leases for IPv6 addresses on the local dnsmasq server. See the dhcp_release6(1) man page for more information about the dhcp_release6 command. (BZ#1375569)

Sendmail now supports ECDHE

This update adds the Elliptic Curve Diffie-Hellman Ephemeral Keys (ECDHE) support to Red Hat Enterprise Linux 7 Sendmail. ECDHE is a variant of the Diffie-Hellman protocol that uses elliptic curve cryptography. It is an anonymous key agreement protocol that allows two parties to establish a shared secret over an insecure channel. (BZ#1124827)

telnet now supports the -6 option

With this update, the telnet utility supports the -6 option to test IPv6 connections. (BZ#1367415)

Adjustable TTL limit for caching negative DNS responses in Unbound

This update adds the cache-max-negative-ttl configuration option for the Unbound service, which enables adjustment of the maximum TTL specifically for caching negative DNS responses. Previously, this limit was determined by the domain SOA record, or it was automatically the same as the maximum TTL limit for caching all DNS responses, if configured.
Note that if Unbound is determining the TTL for DNS response caching, the value set for the cache-min-ttl option has precedence over the value specified by cache-max-negative-ttl. (BZ#1382383)

The scalability of UDP sockets has been improved

This update improves UDP forward memory accounting and reduces the lock contention of UDP sockets. As a result, the overall ingress throughput of UDP sockets receiving traffic from multiple peers is considerably increased without any outward functional changes. (BZ#1388467)

IP now supports IP_BIND_ADDRESS_NO_PORT in the kernel

This update adds the IP_BIND_ADDRESS_NO_PORT socket option to the kernel. With this option set, the kernel skips the L4 tuple reservation when bind() is called with port number 0 and defers choosing a source port until connect(). As a result, many simultaneous connections to different destination hosts can be maintained from the same source address. (BZ#1374498)
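An added example (not from the kernel or RHEL documentation) that shows the option's effect on a Linux host: a client socket bound to a source address with port 0 reports port 0 after bind() when IP_BIND_ADDRESS_NO_PORT is set, and only receives a port once connect() picks one for the specific 4-tuple. The listener on loopback exists only so that connect() has a peer; the numeric fallback 24 is the option's value from the Linux headers, used when the Python build does not export the constant.

```python
import socket

# Linux-only option. Fall back to the value from <linux/in.h> when this
# Python build does not expose it as a socket module constant.
IP_BIND_ADDRESS_NO_PORT = getattr(socket, "IP_BIND_ADDRESS_NO_PORT", 24)


def bind_source(sock, src_ip, no_port=True):
    """Bind an outgoing TCP socket to src_ip with port 0 and return the port
    recorded after bind().

    Without the option, bind() reserves an ephemeral port that must be unique
    across all destinations, so a host opening many outbound connections from
    one source address runs out of ports quickly. With the option, bind() records
    only the address and connect() later picks a port that is free for that
    particular (src, sport, dst, dport) tuple.
    """
    if no_port:
        sock.setsockopt(socket.IPPROTO_IP, IP_BIND_ADDRESS_NO_PORT, 1)
    sock.bind((src_ip, 0))
    return sock.getsockname()[1]


def demo(no_port=True):
    """Return (port after bind, port after connect) for one loopback client."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as lsock:
        lsock.bind(("127.0.0.1", 0))  # listener used only as a connect() target
        lsock.listen(1)
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as csock:
            after_bind = bind_source(csock, "127.0.0.1", no_port)
            csock.connect(lsock.getsockname())
            after_connect = csock.getsockname()[1]
    return after_bind, after_connect


if __name__ == "__main__":
    print("with option   :", demo(True))   # port is 0 until connect()
    print("without option:", demo(False))  # port reserved already at bind()
```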

IPVS Source Hash scheduling now supports L4 hashing and SH fallback

With this update, the IP Virtual Server (IPVS) Source Hash scheduling algorithm includes:
  • L4 hashing
  • SH fallback of requests to the next active server in case the destination server has a weight of 0, which indicates that the destination server is inactive.
As a result, it is now possible to balance the load of requests from one source IP address based on port numbers. Requests to inactive servers no longer time out. (BZ#1365002)

iproute now supports changing bridge port options

With this update, support for changing bridge port options such as state, priority, and cost has been added to the iproute package. As a result, iproute can be used as an alternative to the bridge-utils package. (BZ#1373971)

New options of Sockets API Extensions for SCTP (RFC 6458) implemented

This update adds the SCTP_SNDINFO, SCTP_RCVINFO, SCTP_NXTINFO, and SCTP_DEFAULT_SNDINFO options from the Sockets API Extensions for the Stream Control Transmission Protocol (RFC 6458).
These new options replace the options SCTP_SNDRCV, SCTP_EXTRCV and SCTP_DEFAULT_SEND_PARAM, which are now deprecated. See also the deprecated functionality section. (BZ#1339791)

ss now supports SCTP sockets list

Previously, the netstat utility provided a list of Stream Control Transmission Protocol (SCTP) sockets. With this update, the ss utility is able to display the same list. (BZ#1063934)

wpa_supplicant rebased to version 2.6

The wpa_supplicant packages have been upgraded to upstream version 2.6, which provides a number of bug fixes and enhancements. Notably, the wpa_supplicant utility now supports the Media Access Control Security (MACsec) encryption 802.1AE, which enables MACsec to be used in configuration by default. (BZ#1404793, BZ#1338005)

Linux kernel now contains the switchdev infrastructure and mlxsw

This update backports the following functionality into the Linux kernel:
  • The Ethernet switch device driver model, the switchdev infrastructure; as a result, switch devices can now offload the forwarding data plane from the kernel
  • The mlxsw driver
Switch hardware supported by mlxsw:
  • Mellanox SwitchX-2 (slow path only)
  • Mellanox SwitchIB and SwitchIB-2
  • Mellanox Spectrum
Features supported by mlxsw:
  • Per port jumbo frames, speed setting, state setting, statistics
  • Port splitting together with splitter cables
  • Port mirroring
  • QoS: 802.1p, Data Center Bridging (DCB)
  • Access Control Lists (ACLs) using TC flower offloading have been introduced as a Technology Preview
Layer 2 features:
  • VLANs
  • Spanning Tree Protocol (STP)
  • Link Aggregation (LAG) using team or bonding offloading
  • Link Layer Discovery Protocol (LLDP)
Layer 3 features:
  • Unicast routing
To configure all these features, use standard tools provided by the iproute package that has been updated as well. (BZ#1297841, BZ#1275772, BZ#1414400, BZ#1434587, BZ#1434591)

The Linux bridge code rebased to version 4.9

The Linux bridge code has been upgraded to upstream version 4.9, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
  • Support for 802.1ad VLAN filtering and Tx VLAN acceleration
  • Support for 802.11 Proxy Address Resolution Protocol (ARP)
  • Support for switching offloading by using switchdev
  • VLAN support for user mdb entries
  • Support for extended attributes in mdb entries
  • Support for temporary port router
  • Support for per-VLAN statistics
  • Support for Internet Group Management Protocol/Multicast Listener Discovery (IGMP/MLD) statistics
  • All configuration settings supported by using sysfs are now supported by netlink as well
  • Added per-port flag to control the unknown multicast flood (BZ#1352289)

bind-dyndb-ldap rebased to version 11.1

The bind-dyndb-ldap package has been upgraded to upstream version 11.1, which provides a number of bug fixes and enhancements over the previous version.
Notably, the /etc/named.conf file now uses the new DynDB API. Updating the bind-dyndb-ldap package automatically converts the file to the new API style. (BZ#1393889)

DynDB API from the upstream version 9.11.0 of BIND added to Red Hat Enterprise Linux

This update backports the API for the dyndb system plug-in, which was introduced in the bind package version 9.11.0 in upstream. As a result, the bind-dyndb-ldap plug-in in Red Hat Enterprise Linux now uses the new API. The downstream feature dynamic_db, which was used in previous releases of Red Hat Enterprise Linux, is no longer supported.
Because the upstream dyndb uses a different configuration syntax than the downstream dynamic_db, the syntax also changes with this update. However, you do not need to make any manual configuration changes. (BZ#1393886)

tboot rebased to version 1.9.5

The tboot packages have been upgraded to upstream version 1.9.5, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
  • This update adds the second generation of the Link Control Protocol (LCP) creation utility for Trusted Platform Module (TPM) 2.0, as well as a user guide for the updated LCP creation utility.
  • A workaround has been implemented to ensure the correct behavior of Intel Platform Trust Technology (PTT) and the Linux PTT driver.
  • New fields have been added in the Linux kernel header struct declaration, in order to accommodate for new capabilities of the Linux kernel. (BZ#1384210)

Packages related to rdma consolidated by rebase into rdma-core version 13

The packages related to the rdma package have been upgraded and consolidated into a single source package, rdma-core version 13. The packages are:
  • rdma
  • iwpmd
  • libibverbs
  • librdmacm
  • ibacm
  • libibumad
  • libocrdma
  • libmlx4
  • libmlx5
  • libhfi1verbs
  • libi40iw
  • srp_daemon (formerly srptools)
  • libmthca
  • libcxgb3
  • libcxgb4
  • libnes
  • libipathverbs
  • librxe
  • rdma-ndd
The following packages, which were not included previously, have been added as part of the new rdma-core package:
  • libqedr
  • libhns
  • libvmw_pvrdma
All ibverbs hardware-specific provider libraries are now bundled in the libibverbs sub-package, streamlining installation and preventing possible versioning mismatches. (BZ#1404035)

OVN IP address management support added for static MAC addresses

This update adds support for dynamic IP address assignment with user-specified static MAC addresses. As a result, Open Virtual Network (OVN) users can now create configurations with dynamic IP that are associated with static MAC addresses. (BZ#1368043)

Enhanced network reliability on multihomed hosts

On interfaces with a route that is already present on another interface, the NetworkManager utility now automatically switches the reverse path filtering method from Strict to Loose. This enhances network reliability on multihomed host machines. (BZ#1394344)

Offloading of GENEVE, VXLAN, and GRE tunnels is now supported

With this update, the infrastructure to support offloading of GENEVE, VXLAN, and GRE tunnels has been added. In addition, various bugs have been fixed in the GENEVE tunnel implementation. (BZ#1326309)

LCO for tunnel traffic is now supported

With this update, the Local Checksum Offloading (LCO) technique has been added to enable certain network cards to utilize checksum offloading for tunnel traffic. This enhancement improves the performance of VXLAN, GRE, and other tunnels. (BZ#1326318)

Improved tunnel performance on NICs

With this update, tunnel performance on some Network Interface Cards (NICs) that do not support tunnel offloads by default has been enhanced. As a result, users can now take advantage of existing hardware offloads on these NICs. (BZ#1326353)

NPT is now supported in the kernel

With this update, the IPv6-to-IPv6 Network Prefix Translation (NPTv6) function defined in RFC 6296 has been added in the Netfilter framework. As a result, it is now possible to enable NPT for stateless translation between IPv6 prefixes. (BZ#1432897)

DNS configuration is now supported through the D-Bus API

Previously, external applications could not easily retrieve the DNS parameters used by NetworkManager. With this update, DNS configuration is supported through the D-Bus API. As a result, all DNS-related information, including name servers and domains, is available to client applications through the D-Bus API of NetworkManager. An example of such an application is the nmcli tool, which can now display the DNS configuration. (BZ#1404594)

PPP support is now moved into a separate package

With this update, the Point-to-Point Protocol (PPP) support is moved into a separate, optional NetworkManager-ppp package. As a result, the dependency chain of NetworkManager is smaller and it is possible to limit the number of installed packages.
Note that to configure PPP settings, you must make sure that the NetworkManager-ppp package is installed. (BZ#1404598)

The tc utility now supports flower

The tc utility has been enhanced to use the kernel flower traffic control classifier. With this update, a user can add, modify, or delete flower classifier rules from an interface. (BZ#1422629)

Fix to the CRC32c value computation in SCTP forwarding path

Previously, the kernel incorrectly computed the CRC32c value of Stream Control Transmission Protocol (SCTP) packets with offloaded checksum when the kernel forwarded them to an interface that did not support offloading. This update fixes the computation of CRC32c in the forwarding path. As a result, SCTP packets are now correctly transmitted in the described situation. (BZ#1072503)

New packages: iperf3

This update adds the iperf3 packages, version 3.1.7, to Red Hat Enterprise Linux 7. The iperf3 utility enables active measurement of the maximum achievable bandwidth on IP networks. (BZ#913329)

Installation of OVN now supports easily-configurable firewalld rules

This feature adds firewalld configuration rules for Open Virtual Network (OVN) to the openvswitch packages. As a result, users can more easily install OVN with firewalld enabled, instead of having to create the firewalld configuration manually. (BZ#1390938)

netlink now supports bridge master attributes

With this update, whenever bridge attributes are changed, a notification is sent out to listeners. This includes changes triggered by sysfs, rtnl, ioctl, or user applications, such as NetworkManager. (BZ#950243)