Chapter 32. Networking
Network operation persists when ip6mr unregisters an already unregistered device
Previously, the IPv6 multicast routing (ip6mr) code tried to unregister an already unregistered device. As a consequence, a kernel bug was reported in syslog and network operation stopped. With this update, ip6mr no longer unregisters devices that are already marked as unregistered. As a result, no more bugs are reported in syslog, and network operation persists in the described scenario. (BZ#1445046)
Sending big files through VTI no longer fails
Previously, sending a big file through a Virtual Tunnel Interface (VTI) failed because VTI did not handle the Path Maximum Transmission Unit (PMTU). As a consequence, files larger than the PMTU size could not be sent. This update adds PMTU handling. As a result, the PMTU can be updated in the Tx path, and the described problem no longer occurs. (BZ#1467521)
L2TP with IPv6 encapsulation now works in a namespace
Previously, using Layer 2 Tunneling Protocol (L2TP) with IPv6 encapsulation did not support namespaces. As a consequence, L2TP could not be used in a namespace. With this update, L2TP with IPv6 encapsulation is namespace aware, and the described problem no longer occurs. (BZ#1465711)
Flushing ARP entries no longer fails
Previously, trying to flush an incomplete or failed Address Resolution Protocol (ARP) entry had no effect. As a consequence, the incomplete ARP entry remained in the table, which in some cases complicated debugging of systems or networks. This update allows the removal of an incomplete or failed ARP entry. As a result, users now get the ARP table they expect. (BZ#1383691, BZ#1469945)
Using cls_matchall with classful queue disciplines no longer causes the kernel to crash
Previously, the matchall classifier (cls_matchall) did not assign the classid option to a packet. As a consequence, the kernel terminated unexpectedly when cls_matchall was used with classful queueing disciplines (classful qdiscs), such as Hierarchical Token Bucket (HTB) or Class Based Queueing (CBQ). With this update, when cls_matchall processes classid, the classid is assigned to the packet. As a result, cls_matchall can now be used successfully with classful qdiscs, and the user-provided value of classid is no longer ignored in the described scenario.
For more details on the kernel actions related to classid, see the OPTIONS section of the tc-matchall(8) man page. (BZ#1460213)
ICMP error packets are no longer lost when a user connects to a closed SCTP port
Previously, when trying to connect to a closed Stream Control Transmission Protocol (SCTP) port, the Internet Control Message Protocol (ICMP) error reply from the server was lost. This occurred only with Network Interface Cards (NICs) that used non-linear buffers to receive data. As a consequence, when connecting to a closed SCTP port, the user waited until a timeout instead of immediately receiving the connection refused error from the server. With this update, the received data is handled in a linear way and the ICMP error reply is not lost. As a result, the user receives the corresponding ICMP error in the described situation. (BZ#1450529)
SCTP now selects the right source address
Previously, when using a secondary IPv6 address, Stream Control Transmission Protocol (SCTP) selected the source address based on the best prefix matching with the destination address. As a consequence, in some cases, a packet was sent through an interface with the wrong IPv6 address. With this update, SCTP uses the address that already exists in the routing table for this specific route. As a result, SCTP uses the expected IPv6 address as the source address when secondary addresses are used on a host. (BZ#1460106)
Device reference held by iptables CLUSTERIP target is now properly released on namespace deletion
Previously, the iptables CLUSTERIP target held a direct reference to the network device specified as the input device in the associated rule. When that rule was deleted inside a namespace, the corresponding reference was not released. As a consequence, upon namespace deletion, dangling references held by the CLUSTERIP target sometimes prevented the deletion of network devices contained in the namespace. For this reason, it was not possible to create a device with the same name, and the related memory was not freed. With this update, the CLUSTERIP target rule holds the index of the related device instead of a reference to the device itself. As a result, when a namespace is deleted, all the rules and references related to it are also cleared properly. (BZ#1472892)
The nftables configuration files are no longer publicly readable
Previously, the file mode bits of the nftables configuration files were not adjusted during installation of the RPM package. As a consequence, the configuration templates in the /etc/nftables directory and the /etc/sysconfig/nftables.conf main configuration file were publicly readable. With this update, the file mode bits are explicitly set to the correct values when the configuration files are installed. As a result, the configuration files are installed with the correct permissions.
Note that configuration files which have not been modified by the administrator are replaced with configuration files that have the correct permissions. Modified configuration files are not replaced. In that case, for /etc/sysconfig/nftables.conf, an rpmnew file is created which has the correct permissions. For files in /etc/nftables, no rpmnew file is created, and the user must set the permissions manually. (BZ#1451404)
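Because files an administrator has edited under /etc/nftables keep their old mode bits after the update, the following added audit script (not part of the release notes or the nftables package) reports configuration files that are still group- or world-readable, tightens them to 0600, and flags a leftover rpmnew file next to the main configuration; the default paths are the ones named above, and the 0600 mode and root ownership are assumptions.

```shell
#!/bin/sh
# Added example (not from the Red Hat release notes): audit the mode bits
# of the nftables configuration files described in BZ#1451404.

# Print every regular file under $1 (a directory or a single file) that is
# readable by group or others. Returns 0 when nothing is exposed, 1 when
# at least one file is. A missing path counts as nothing exposed.
nft_check_exposed() {
    [ -e "$1" ] || return 0
    _exposed=$(find "$1" -type f \( -perm -040 -o -perm -004 \) 2>/dev/null || true)
    [ -z "$_exposed" ] && return 0
    printf '%s\n' "$_exposed"
    return 1
}

# Tighten the files reported above to mode 0600 (assumption: the mode the
# fixed package installs; ownership is left as found).
nft_fix_exposed() {
    [ -e "$1" ] || return 0
    find "$1" -type f \( -perm -040 -o -perm -004 \) -exec chmod 0600 {} +
}

# True when an rpmnew copy of $1 exists, i.e. the administrator had edited
# the main configuration and the corrected-permission copy sits beside it.
nft_check_rpmnew() {
    [ -e "$1.rpmnew" ]
}

# Run all checks; $1 is the templates directory, $2 the main configuration.
nft_audit() {
    dir=${1:-/etc/nftables}
    conf=${2:-/etc/sysconfig/nftables.conf}
    rc=0
    nft_check_exposed "$dir" || rc=1
    nft_check_exposed "$conf" || rc=1
    nft_check_rpmnew "$conf" && printf 'note: %s.rpmnew present, merge it\n' "$conf"
    return $rc
}

nft_audit "$@"
```

Exit status 1 means at least one file is still exposed; pass `nft_fix_exposed /etc/nftables` only after confirming the listed files are the ones you expect.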
The Ready to read events are now correctly sent to an application when SENDER_DRY_EVENTS is enabled
Previously, when the SENDER_DRY_EVENTS notifications were enabled, or when Stream Control Transmission Protocol (SCTP) Partial Reliability triggered the removal of a chunk, the SCTP stack flagged that an event had already been generated and sent to an application. However, the flag was not removed afterwards. As a consequence, the application missed the ready to read event. With this update, the stack no longer flags the event in such cases. As a result, the ready to read events are now correctly dispatched to the application. (BZ#1442784)
SCTP statistics now available
Previously, the Stream Control Transmission Protocol (SCTP) statistics parser could not handle the /proc/net/sctp/snmp source file. As a consequence, users were not able to see the statistics. Parsing of the SCTP statistics has been fixed. As a result, the SCTP statistics are now available to users. (BZ#1329338)
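The /proc/net/sctp/snmp file the fixed parser reads is a plain name/value table, one counter per line. The added script below (not code from the release notes or from the SCTP tools) parses such a table and pulls out the counters a defender watches most: out-of-the-blue packets, checksum errors and aborted associations. The embedded sample is constructed; its counter names follow the SCTP-MIB style names the kernel prints, the values are made up.

```shell
#!/bin/sh
# Added example (not from the Red Hat release notes): parse an
# /proc/net/sctp/snmp style counter table. Constructed sample input;
# the real file is read by passing its path to the functions below.
SCTP_SNMP_SAMPLE='SctpCurrEstab                           3
SctpActiveEstabs                        12
SctpPassiveEstabs                       40
SctpAborteds                            2
SctpShutdowns                           48
SctpOutOfBlues                          7
SctpChecksumErrors                      1
SctpOutCtrlChunks                       100
SctpOutOrderChunks                      5000
SctpInSCTPPacks                         6200'

# Print the value of counter $2 from file $1; returns 1 if it is absent.
sctp_stat() {
    val=$(awk -v n="$2" '$1 == n { print $2; found = 1 } END { exit !found }' "$1") || return 1
    printf '%s\n' "$val"
}

# Print "name value" for the anomaly counters: OOTB packets and checksum
# errors grow when unexpected or corrupted SCTP traffic reaches the host,
# aborts when associations end abnormally. Returns 1 if any is non-zero.
sctp_check_anomalies() {
    awk '
        $1 == "SctpOutOfBlues" || $1 == "SctpChecksumErrors" || $1 == "SctpAborteds" {
            print $1, $2
            if ($2 + 0 > 0) hit = 1
        }
        END { exit hit ? 1 : 0 }' "$1"
}

# Demo on the constructed sample; use /proc/net/sctp/snmp on a live host.
sctp_demo() {
    f=$(mktemp)
    printf '%s\n' "$SCTP_SNMP_SAMPLE" > "$f"
    printf 'current associations: %s\n' "$(sctp_stat "$f" SctpCurrEstab)"
    sctp_check_anomalies "$f" || echo "anomalous SCTP counters present"
    rm -f "$f"
}
```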
The firewalld service daemon no longer hangs in the rmmod process
Previously, some network device drivers, specifically some wi-fi and IP over InfiniBand Network Interface Card (IPoIB NIC) drivers, held conntrack entries associated with untracked packets for an unlimited amount of time. As a consequence, at removal time, the conntrack kernel module was in a busy loop waiting for these entries to be freed. This led to the rmmod nf_conntrack process consuming 100% of the CPU and caused firewalld to hang at shutdown time. With this update, the kernel removes support for notrack conntrack entries, and conntrack no longer waits for such entries to be freed. As a result, the firewalld shutdown no longer hangs. (BZ#1317099)