Chapter 32. Networking

Network operation persists when ip6mr unregisters an already unregistered device

Previously, the IPv6 multicast routing (ip6mr) code tried to unregister an already unregistered device. As a consequence, a bug was reported in the syslog causing the network operation to stop. With this update, ip6mr no longer unregisters devices that are already marked as unregistered. As a result, no more bugs are reported in syslog, and the network operation persists in the described scenario. (BZ#1445046)

Sending big files through VTI no longer fails

Previously, when sending a big file through Virtual Tunnel Interface (VTI) failed because VTI did not handle Path Maximum Transmission Unit (PMTU). As a consequence, files with greater size than the PMTU size could not be sent. This update adds PMTU handling. As a result, PMTU can be updated in Tx path, and the described problem no longer occurs. (BZ#1467521)

L2TP with IPv6 encapsulation now works in name space

Previously, using Layer 2 Tunneling Protocol (L2TP) with IPv6 encapsulation did not support name space. As a consequence, L2TP could not be used in name space. With this update, L2TP with IPv6 encapsulation is now aware of name space, and the described problem no longer occurs. (BZ#1465711)

Flushing ARP entries no longer fails

Previously, trying to flush an incomplete or failed Address Resolution Protocol (ARP) entry had no effect. As a consequence, the incomplete ARP entry remained there, and in some cases caused problems for debugging systems or networks. This update allows for the removal of an incomplete or failed ARP entry. As a result, users can now get an ARP table as expected. (BZ#1383691, BZ#1469945)

Using cls_matchall with classful queue disciplines no longer causes the kernel to crash

Previously, the matchall classifier (cls_matchall) did not assign the classic option to a packet. As a consequence, the kernel terminated unexpectedly when trying to use cls_matchall with classful queueing disciplines (classful qdiscs), such as Hierarchical Token Bucket (HTB) or Class Based Queueing (CBQ). With this update, when cls_matchall processes classid, classid is assigned to a packet. As a result, cls_matchall with classful qdiscs can now be used successfully and the user-provided value of classid is no longer ignored in the described scenario.
For more details on the kernel actions related to classid, see the OPTIONS section in the tc-matchall (8) man page. (BZ#1460213)

ICMP error packets are no longer lost when a user connects to a closed SCTP port

Previously, when trying to connect to a closed Stream Control Transmission Protocol (SCTP) port, an Internet Control Message Protocol (ICMP) error reply from the server was lost. This occurred only with Network Interface Cards (NICs) that used non-linear buffers to receive data. As a consequence, for a connection to a closed SCTP port, the user was waiting until a timeout instead of getting the connection refused error message from the server immediately. With this update, the received data is handled in a linear way and the ICMP error reply is not lost. As a result, the user receives the corresponding ICMP error in the described situation. (BZ#1450529)

SCTP now selects the right source address

Previously, when using a secondary IPv6 address, Stream Control Transmission Protocol (SCTP) selected the source address based on the best prefix matching with the destination address. As a consequence, in some cases, a packet was sent through an interface with the wrong IPv6 address. With this update, SCTP uses the address that already exists in the routing table for this specific route. As a result, SCTP uses the expected IPv6 address as the source address when secondary addresses are used on a host. (BZ#1460106)

Device reference held by iptables CLUSTERIP target is now properly released on namespace deletion

Previously, the iptables CLUSTERIP target held a direct reference to the network device specified as input device in the associated rule. When that rule inside a namespace was deleted, the corresponding reference was not released. As a consequence, upon namespace deletion, dangling references held by the CLUSTERIP target sometimes prevented deletion of network devices contained in the namespace. For this reason, it was not possible to create a device with the same name and the related memory was not freed. With this update, the CLUSTERIP target rule reference does not hold the related device but its index. As a result, when deleting a namespace, all the rules and references related to this namespace are also cleared properly. (BZ#1472892)

The nftables configuration files are no longer publicly readable

Previously, during installation in the RPM file, the nftables configuration file mode bits were not adjusted accordingly. As a consequence, the configuration templates in the /etc/nftables directory and the etc/sysconfig/nftables.conf main configuration file were publicly readable. With this update, the file mode bits are explicitly set to correct values when installing the configuration files. As a result, the user can now install the configuration files with the correct permissions.
Note that the configuration files which are not modified by the administrator, are replaced with configuration files with the correct permissions.
The modified configuration files are not replaced. In that case, for /etc/sysconfig/nftables.conf, an rpmnew file is created which has the correct permissions. For any files in /etc/nftables, no rpmnew file is created, and the user must manually set the permissions. (BZ#1451404)

The Ready to read events are now correctly sent to an application when SENDER_DRY_EVENTS is enabled

Previously, when enabling the SENDER_DRY_EVENTS notifications or when the Stream Control Transmission Protocol (SCTP) Partial Reliability triggered the removal of a chunk, the SCTP stack flagged an event that it was already generated and sent it to an application. However, the flag was not removed afterwards. As a consequence, the application missed the ready to read event. With this update, the stack does not flag the event in such cases anymore. As a result, the ready to read events are now correctly dispatched to an application. (BZ#1442784)

SCTP statistics now available

Previously, the stream control transmission protocol (SCTP) statistics parser could not handle the /proc/net/sctp/snmp source file. As a consequence, users were not able to see the statistic information. Parsing of the SCTP statistics has been fixed. As a result, the SCTP statistics are now available to users. (BZ#1329338)

The firewalld service daemon no longer hangs in the rmmod process

Previously, some network device drivers, specifically some wi-fi and IP over InfiniBand Network Interface Cards (IPoIB NICs) drivers, held conntrack entries associated with untracked packets for an unlimited amount of time. As a consequence, at removal time, the conntrack kernel module was in a busy loop waiting for these entries to be freed. This led to the rmmod nf_conntrack module consuming 100% of the CPU usage causing firewalld to hang at shutdown time. With this update, the new kernel removes support for the notrack conntrack entries, and conntrack no longer waits for such entries to be freed. As a result, the firewalld shutdown no longer hangs. (BZ#1317099)