Chapter 13. Networking

Error handling in the output of the dhcp-script has been improved

Previously, any error in the output of the dhcp-script was ignored. With this update, the output of the script is logged for the add, old, del, arp-add, arp-del and tftp actions, so errors in the script are visible in the dnsmasq log while dnsmasq is running.
Note that the lease-init action happens only at dnsmasq startup. For that action only a summary of the output is logged, not the standard error output, which is passed to the systemd service for logging. (BZ#1188259)
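As an added example (not part of dnsmasq or of this update), the following dhcp-script prints one line per event, which dnsmasq now records, and exits non-zero on malformed arguments so that the error is logged instead of silently dropped. The argument order (action, MAC, IP, optional hostname; for tftp: file size, client address, file name) follows the dnsmasq manual; the hostname field is whatever the DHCP client sent and is validated before use. The validation patterns are this example's own choices.

```shell
#!/bin/sh
# Added example, not dnsmasq's own code: a dhcp-script whose output dnsmasq
# logs (this update) and which refuses malformed arguments with a non-zero
# exit so the failure shows up in the log.
#
# dnsmasq invokes the script as:  <script> <action> <mac> <ip> [<hostname>]
# The hostname is supplied by the client in its DHCP request: treat it as
# untrusted input and never hand it unquoted to another command.

# Test one field against an extended regex; returns 1 on mismatch.
field_ok() {
    printf '%s' "$2" | grep -Eq "$1"
}

# Handle a single dnsmasq event. Prints one log line on success,
# prints an error to stderr and returns 1 on bad input.
handle_dhcp_event() {
    action=${1:-}; mac=${2:-}; ip=${3:-}; host=${4:-}

    # Lease and ARP events carry a MAC and an IP address; validate both.
    case "$action" in
        add|old|del|arp-add|arp-del)
            field_ok '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' "$mac" || {
                printf 'dhcp-script: bad MAC "%s" for action %s\n' "$mac" "$action" >&2
                return 1
            }
            field_ok '^[0-9A-Fa-f:.]{1,45}$' "$ip" || {
                printf 'dhcp-script: bad IP "%s" for action %s\n' "$ip" "$action" >&2
                return 1
            }
            ;;
    esac

    case "$action" in
        add|old|del)
            # Hostname is optional, but if present it must look like a hostname
            # (letters, digits, hyphen, dot; pattern chosen for this example).
            if [ -n "$host" ] && ! field_ok '^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$' "$host"; then
                printf 'dhcp-script: rejecting client-supplied hostname "%s"\n' "$host" >&2
                return 1
            fi
            printf 'lease %s mac=%s ip=%s host=%s\n' "$action" "$mac" "$ip" "${host:--}"
            ;;
        arp-add|arp-del)
            printf 'arp %s mac=%s ip=%s\n' "${action#arp-}" "$mac" "$ip"
            ;;
        tftp)
            # For tftp dnsmasq passes: file size, client address, path of the file.
            printf 'tftp size=%s client=%s file=%s\n' "$mac" "$ip" "$host"
            ;;
        *)
            printf 'dhcp-script: unknown action "%s"\n' "$action" >&2
            return 1
            ;;
    esac
}

# Run only when invoked with arguments (that is, by dnsmasq), so the
# functions above can also be sourced for testing.
if [ "$#" -gt 0 ]; then
    handle_dhcp_event "$@"
fi
```

Install it with dhcp-script=/path/to/script in dnsmasq.conf; with this update a rejected hostname shows up in the dnsmasq log as the stderr line above rather than disappearing.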

Network namespace isolation has been added to ipset

Previously, ipset entries were global: every network namespace could see and modify them. This update makes ipset per network namespace, so the ipset configuration of each namespace is separate. Note that a set referenced by a firewall rule inside a namespace must therefore exist in that same namespace. (BZ#1226051)

NetworkManager now supports multiple routing tables to enable source routing

This update adds a table attribute for IPv4 and IPv6 routes that can be configured manually by the user: for each manual static route, a routing table can be selected, and the route is then installed in that table. Additionally, the default routing table of a connection profile can be configured with the new ipv4.route-table and ipv6.route-table settings for IPv4 and IPv6 respectively. These settings determine the table in which the profile's routes are placed, except for manual routes that explicitly override it. Note that placing routes in a table does not by itself steer traffic to it; a policy rule (ip rule) that selects the table is still required. (BZ#1436531)

nftables rebased to version 0.8

The nftables packages have been upgraded to version 0.8, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
  • New expressions have been added: fib, numgen, quota, rt and notrack.
  • Support for hashing any arbitrary combination of keys has been added.
  • Support for setting packet header fields that are not byte-aligned, including checksum adjustment, has been added.
  • Variable references in set element definitions and variable definitions in element commands can now be used.
  • Support for flushing a set has been added.
  • Support for logging flags has been added.
  • A parser for tc classid values has been added.
  • Endianness problems with link-layer addresses have been fixed.
  • The parser now keeps the map flag from the definition.
  • The time datatype now uses milliseconds, as the kernel expects. (BZ#1472261)

Persistent DHCP client behavior added to NetworkManager

With this update, the ipv4.dhcp-timeout property can be set either to the maximum 32-bit integer value (MAXINT32) or to the value infinity. As a result, NetworkManager keeps trying to obtain or renew a lease from a DHCP server until it succeeds, instead of giving up when the timeout expires. (BZ#1350830)

NetworkManager exposes new properties to expose team options

Previously, NetworkManager applied a team configuration to a connection through a JSON string in the config property, which was the only property available in the team setting. This update adds new properties to NetworkManager that map one-to-one to the team configuration options. As a result, the configuration can be provided either as a single JSON string in the NetworkManager config property or by assigning values to the new team properties. Any change applied to config is reflected in the new team properties and vice versa. NetworkManager now also enforces a correct configuration of team link-watchers and team.runner: an incorrect or unknown link-watcher or team.runner configuration causes the whole team connection to be rejected.
Note that when the new team.runner property is changed, all properties specific to a runner are reset to their defaults. (BZ#1398925)

Packet mark is now reflected in replies

Previously, when a connection request arrived on a closed port, an error packet (such as a TCP reset or an ICMP error) was sent back to the client. When the incoming packet carried a mark set by firewall rules, the generated error packet did not carry that mark, because this was not implemented in the kernel. With this update, the generated error packet has the same mark as the incoming packet that tried to initiate the connection, so mark-based policy routing and firewall rules also apply to the reply. (BZ#1469857)

New Socket timestamping options for NTP

This update adds the SOF_TIMESTAMPING_OPT_PKTINFO and SOF_TIMESTAMPING_OPT_TX_SWHW socket timestamping options, which allow hardware timestamping over bonding and other virtual interfaces in Network Time Protocol (NTP) implementations such as chrony. (BZ#1421164)

iproute2 rebased to version 4.11.0

The iproute2 package has been upgraded to upstream version 4.11.0, which provides a number of bug fixes and enhancements. Notably, the ip tool includes:
  • Support for JSON output to various commands has been added.
  • Support for more interface type attributes has been added.
  • Support for colored output has been added.
  • Support for the label and dev options and for rule objects in ip monitor has been added.
  • Support for selectors in the ip-rule command has been added.
Additionally, notable improvements for the tc utility include:
  • Bash completion for tc has been added.
  • The vlan action in tc has been introduced.
  • The extended mode in the pedit action has been introduced.
  • Stream Control Transmission Protocol (SCTP) support in the csum action has been added.
For other tools:
  • Support for extended statistics in the lnstat tool has been added.
  • Support for SCTP in the nstat utility has been added. (BZ#1435647)

The tc-pedit action now supports offset relative to Layer 2 and Layer 4

The tc-pedit action allows modification of packet data. This update adds support for specifying the offset relative to the Layer 2, Layer 3 or Layer 4 header to tc-pedit, which makes pedit header handling more robust and flexible. As a result, editing the Ethernet header is more convenient, and accessing the Layer 4 header works independently of the Layer 3 header size. (BZ#1468280)

Features backported to iproute

A number of enhancements have been backported to the iproute package. Notable changes include:
  • Pipeline debug support has been added to the devlink tool via the dpipe subcommand.
  • Hardware offload status is now available in the tc filter, indicated by the in_hw or not_in_hw flags.
  • Support for IPv6 in the tc pedit action has been added.
  • Setting and retrieving eswitch encapsulation support has been added to the devlink tool.
  • Matching capabilities of the tc flower filter have been enhanced:
      • Support for matching on TCP flags.
      • Support for matching on the type-of-service (ToS) and the time-to-live (TTL) fields in the IP header.
(BZ#1456539)

The Geneve driver rebased to version 4.12

The Geneve driver has been updated to version 4.12, which provides several bug fixes and enhancements for Open vSwitch (OVS) or Open Virtual Network (OVN) deployments using Geneve tunneling. (BZ#1467288)

A control switch added for VXLAN and GENEVE offloading

This update adds a new control switch to the ethtool utility for enabling or disabling the offloading of VXLAN and GENEVE tunnels to network cards (shown by ethtool -k and toggled with ethtool -K). This makes debugging problems with VXLAN or GENEVE tunnels easier: if a problem is caused by the offload, you can disable the feature with ethtool and confirm the diagnosis. (BZ#1308630)

unbound rebased to version 1.6.6

The unbound packages have been rebased to upstream version 1.6.6, which provides a number of bug fixes and enhancements over the previous version. Notable changes are as follows:
  • DNS Query Name (QNAME) minimisation according to RFC 7816 has been implemented.
  • A new max-udp-size configuration option has been added; its default value is 4096.
  • A new DNS64 module and a new dns64-prefix option have been added.
  • New insecure_add and insecure_remove commands have been added to the unbound-control utility for administration of negative trust anchors.
  • The unbound-control utility is now capable of bulk addition and removal of local zones and local data. To perform these actions, use the local_zones, local_zones_remove, local_datas, and local_datas_remove commands.
  • The libldns library is no longer a dependency of libunbound and is not installed with it.
  • A new so-reuseport: option is now available for distributing queries evenly over threads on Linux.
  • New Resource Record types have been added: CDS, CDNSKEY, URI (according to RFC 7553), CSYNC, and OPENPGPKEY.
  • New local-zone types have been added: inform to log a message with a client IP and inform_deny to log a query and drop the answer to it.
  • Remote control over local sockets is now available; use the control-interface: /path/sock and control-use-cert: no options.
  • A new ip-transparent: configuration option has been added for binding to non-local IP addresses.
  • A new ip-freebind: configuration option has been added for binding to an IP address while the interface or address is down.
  • A new harden-algo-downgrade: configuration option has been added.
  • The following domains are now blocked by default: onion (according to RFC 7686), test, and invalid (according to RFC 6761).
  • A user-defined pluggable event API for the libunbound library has been added.
  • To set the working directory for Unbound, either use the directory: dir option together with include: file statements in unbound.conf, in which case the includes are resolved relative to that directory, or use chroot with an absolute path.
  • Fine-grained localzone control has been implemented with the following options: define-tag, access-control-tag, access-control-tag-action, access-control-tag-data, local-zone-tag, and local-zone-override.
  • A new outgoing-interface: netblock/64 IPv6 option has been added; it uses the Linux freebind feature to send every query from a random 64-bit local part.
  • Logging of DNS replies has been added, which is similar to query logs.
  • Trust anchor signaling has been implemented that uses key tag query and trustanchor.unbound CH TXT queries.
  • Extension Mechanisms for DNS (EDNS) Client Subnet has been implemented.
  • ipsecmod, an opportunistic IPsec support module, has been implemented. (BZ#1251440)
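As an added example, not part of the unbound project or of this update, the following fragment turns on several of the hardening options listed above and adds an audit function that reports which of them an existing unbound.conf lacks. The zone name corp.example. is a placeholder, and the set of directives the audit insists on is this example's own choice.

```shell
#!/bin/sh
# Added example (not unbound's own code): write a hardened server: fragment
# and audit an existing configuration for the directives it should carry.

# Directives the audit requires, one "option: value" per line.
UNBOUND_REQUIRED='qname-minimisation: yes
harden-algo-downgrade: yes
hide-identity: yes
hide-version: yes'

# Write the hardening fragment to the path given as $1.
write_unbound_hardening() {
    cat > "$1" <<'EOF'
server:
    # RFC 7816: send upstream servers only as many labels as they need
    qname-minimisation: yes
    # When a DS record advertises several algorithms, do not accept a
    # chain that validates only with the weakest one (caveat: zones that
    # sign with only a subset of their advertised algorithms then fail).
    harden-algo-downgrade: yes
    # Do not answer id.server / version.bind style queries
    hide-identity: yes
    hide-version: yes
    # Log the client address and refuse queries for an internal name that
    # must never reach this resolver (placeholder zone)
    local-zone: "corp.example." inform_deny
    # onion., test. and invalid. are already blocked by default (RFC 7686,
    # RFC 6761); "nodefault" re-enables normal resolution, for example:
    # local-zone: "test." nodefault
EOF
}

# Print every required directive that is absent from the file $1.
# Commented-out lines do not count as present.
unbound_missing_hardening() {
    printf '%s\n' "$UNBOUND_REQUIRED" | while IFS= read -r want; do
        opt=${want%%:*}; val=${want#*: }
        grep -Eq "^[[:space:]]*$opt:[[:space:]]*$val"'([[:space:]]|$)' "$1" \
            || printf '%s\n' "$want"
    done
}

# Return 0 if the file $1 carries every required directive, else list the
# missing ones on stderr and return 1.
check_unbound_hardening() {
    missing=$(unbound_missing_hardening "$1")
    [ -z "$missing" ] && return 0
    printf 'unbound.conf is missing:\n%s\n' "$missing" >&2
    return 1
}
```

Drop the fragment into the directory your unbound.conf includes, run unbound-checkconf, and only then reload; the audit function is meant to be run against the effective configuration after an upgrade, since a rebase can change defaults.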

DHCP now supports standard dynamic DNS updates

With this update, the DHCP server can update DNS records using the standard dynamic update protocol. As a result, DHCP supports standard dynamic DNS updates as described in RFC 2136: https://tools.ietf.org/html/rfc2136. (BZ#1394727)

DDNS now supports additional algorithms

Previously, the dhcpd daemon supported only the HMAC-MD5 algorithm for signing updates, which is considered insecure for critical applications. As a consequence, Dynamic DNS (DDNS) updates were potentially insecure. This update adds support for the HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384 and HMAC-SHA512 algorithms. Note that the key statement in dhcpd.conf and the corresponding key on the DNS server must name the same algorithm and share the same secret. (BZ#1396985)
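The following added example (not from the ISC dhcp or BIND projects) generates a fresh TSIG secret and writes matching dhcpd and named stanzas that use HMAC-SHA256 instead of HMAC-MD5, together with a check that flags HMAC-MD5 in an existing file; it covers both the standard-update and the algorithm entries above. The key name, the zones example.com. and 2.0.192.in-addr.arpa., 127.0.0.1 as the primary and the zone file paths are placeholders, and it assumes that ddns-update-style standard is the option name for the RFC 2136 update style described above.

```shell
#!/bin/sh
# Added example (not ISC dhcp or BIND code): generate a TSIG key and emit
# the dhcpd.conf and named.conf stanzas that share it with HMAC-SHA256.

# 32 random bytes, base64-encoded, as the shared TSIG secret (the natural
# key size for HMAC-SHA256). Needs only /dev/urandom and base64.
gen_tsig_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Write dhcpd-ddns.conf and named-ddns.conf into directory $1, using key
# name $2, secret $3, forward zone $4 and reverse zone $5 (both with a
# trailing dot). Placeholder: 127.0.0.1 as the primary name server.
write_ddns_config() {
    outdir=$1; keyname=$2; secret=$3; fwd=$4; rev=$5
    cat > "$outdir/dhcpd-ddns.conf" <<EOF
# dhcpd side: include this from /etc/dhcp/dhcpd.conf
ddns-update-style standard;
ddns-updates on;
key $keyname {
    algorithm hmac-sha256;
    secret "$secret";
}
zone $fwd {
    primary 127.0.0.1;
    key $keyname;
}
zone $rev {
    primary 127.0.0.1;
    key $keyname;
}
EOF
    cat > "$outdir/named-ddns.conf" <<EOF
// named side: include this from /etc/named.conf and keep it mode 0640
key "$keyname" {
    algorithm hmac-sha256;
    secret "$secret";
};
zone "${fwd%.}" IN {
    type master;
    file "dynamic/${fwd%.}.zone";
    allow-update { key "$keyname"; };
};
zone "${rev%.}" IN {
    type master;
    file "dynamic/${rev%.}.zone";
    allow-update { key "$keyname"; };
};
EOF
}

# Return 0 (and print the offending lines) if the config file $1 still
# uses HMAC-MD5, 1 otherwise. Useful as a post-upgrade audit.
ddns_uses_md5() {
    grep -Ein 'algorithm[[:space:]]+hmac-md5' "$1"
}
```

Validate the results with dhcpd -t -cf on the dhcpd side and named-checkconf on the named side before restarting either service, and keep whichever file holds the secret readable only by root and the service account: a leaked TSIG secret lets anyone rewrite the zone, whatever the algorithm.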

IPTABLES_SYSCTL_LOAD_LIST now supports the sysctl.d files

The sysctl settings listed in IPTABLES_SYSCTL_LOAD_LIST (in /etc/sysconfig/iptables-config) are reloaded by the iptables init script when the iptables service is restarted. Previously, the modified settings were looked up only in the /etc/sysctl.conf file. This update adds the /etc/sysctl.d/ directory to the search as well. As a result, user-provided files in /etc/sysctl.d/ are now correctly taken into account when the iptables service is restarted. (BZ#1402021)
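The following helper, added here and not part of the iptables init script, reproduces the lookup across /etc/sysctl.conf and /etc/sysctl.d/*.conf so that you can check which values a given IPTABLES_SYSCTL_LOAD_LIST (for example ".nf_conntrack .bridge-nf", the form used in /etc/sysconfig/iptables-config) will pick up before restarting the service. The page does not state the init script's precedence between the files; the helper assumes sysctl.d files in lexical order with sysctl.conf last, the order in which sysctl --system applies them.

```shell
#!/bin/sh
# Added example (not the iptables init script's own code): find the
# settings that IPTABLES_SYSCTL_LOAD_LIST refers to across sysctl.conf and
# sysctl.d, so a conntrack or bridge-nf tuning is confirmed to exist before
# the iptables service is restarted. Assumed precedence: sysctl.d/*.conf in
# lexical order, sysctl.conf last (as sysctl --system does).

# Print "<file>\t<key>\t<value>" for each setting whose key contains one of
# the space-separated patterns in $1 (the IPTABLES_SYSCTL_LOAD_LIST value),
# reading the sysctl.d directory $2 first and the sysctl.conf file $3 last.
list_iptables_sysctls() {
    patterns=$1; confdir=$2; conf=$3
    for f in "$confdir"/*.conf "$conf"; do
        [ -f "$f" ] || continue
        # Drop '#' and ';' comments and blank lines; normalise "key = value"
        # to "key=value" so the split below is unambiguous.
        sed -e 's/[#;].*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e '/^$/d' -e 's/[[:space:]]*=[[:space:]]*/=/' "$f" |
        while IFS= read -r line; do
            case "$line" in *=*) ;; *) continue ;; esac
            key=${line%%=*}; value=${line#*=}
            for pat in $patterns; do          # unquoted: split on spaces
                case "$key" in
                    *"$pat"*) printf '%s\t%s\t%s\n' "$f" "$key" "$value"; break ;;
                esac
            done
        done
    done
}

# Print the value that wins for the exact key $1 (directory $2, file $3),
# or nothing if the key is not set anywhere.
effective_sysctl_value() {
    list_iptables_sysctls "$1" "$2" "$3" |
        awk -F'\t' -v k="$1" '$2 == k { v = $3 } END { if (v != "") print v }'
}

# Typical use on a host:
#   list_iptables_sysctls ".nf_conntrack .bridge-nf" /etc/sysctl.d /etc/sysctl.conf
#   effective_sysctl_value net.netfilter.nf_conntrack_max /etc/sysctl.d /etc/sysctl.conf
```

If the first command prints nothing for a pattern you expect, the init script will have nothing to apply for it either; the fix is a key=value line in a file under /etc/sysctl.d/, not a change to the iptables unit.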

SCTP now supports MSG_MORE

The MSG_MORE flag tells the kernel to buffer small pieces of data until a full packet is ready for transmission or until a send call is made without the flag. This update adds support for MSG_MORE to the Stream Control Transmission Protocol (SCTP). As a result, small data chunks can be buffered and sent as one full packet. (BZ#1409365)

MACsec rebased to version 4.13

The Media Access Control Security (MACsec) driver has been upgraded to upstream version 4.13, which provides a number of bug fixes and enhancements over the previous version. Notable enhancements include:
  • Generic Receive Offload (GRO) and Receive Packet Steering (RPS) are enabled on MACsec devices.
  • A MODULE_ALIAS_GENL_FAMILY alias has been added, so that the kernel loads the module automatically when a tool such as wpa_supplicant requests the macsec generic netlink family, even if the module was not loaded beforehand. (BZ#1467335)

Enhanced performance when using the mlx5 driver in Open vSwitch

The Open vSwitch (OVS) application enables virtual machines to communicate with each other and with the physical network. OVS resides in the hypervisor and switches traffic by matching flows on a twelve-tuple. However, the software-based OVS data path is very CPU-intensive, which affects system performance and prevents the available bandwidth from being used fully.
With this update, the mlx5 driver for Mellanox ConnectX-4, ConnectX-4 Lx and ConnectX-5 adapters can offload OVS. The Mellanox Accelerated Switching And Packet Processing (ASAP2) Direct technology offloads the OVS data plane to the embedded switch (eSwitch) in ConnectX-4 and later network interface cards while leaving the OVS control plane unmodified. As a result, OVS performance is significantly higher and less CPU-intensive.
The actions currently supported by ASAP2 Direct include packet parsing and matching, forward, drop, VLAN push/pop, and VXLAN encapsulation and decapsulation. (BZ#1456687)

The Netronome NFP Ethernet driver now supports the representor netdev feature

This update backports the representor netdev feature for the Netronome NFP Ethernet driver to Red Hat Enterprise Linux 7.5. This enhancement enables the driver:
  • To receive and transmit fallback traffic
  • To be used in Open vSwitch
  • To support programming flows into the NFP hardware through the tc flower classifier (BZ#1454745)

Support for offloading TC-Flower actions

This update adds support for offloading the TC-Flower classifier and actions related to offloading of Open vSwitch. This allows acceleration of Open vSwitch using Netronome SmartNICs. (BZ#1468286)

DNS stub resolver improvements

The DNS stub resolver in the glibc package has been updated to the upstream glibc version 2.26. Notable improvements and bug fixes include:
  • Changes to the /etc/resolv.conf file are now automatically recognized and applied to running programs. To restore the previous behavior, add the no-reload option to the options line in /etc/resolv.conf. Note that depending on system configuration, the /etc/resolv.conf file might be automatically overwritten as part of the configuration of the networking subsystem, removing the no-reload option.
  • The previous limit of six search domain entries is removed. You can now specify any number of domains with the search directive in /etc/resolv.conf. Note that additional entries may add significant overhead to DNS processing; consider running a local caching resolver if the number of entries exceeds three.
  • The handling of various boundary conditions in the getaddrinfo() function is fixed. Very long lines in the /etc/hosts file (including comments) no longer affect lookup results from other lines. Unexpected terminations related to stack exhaustion on systems with certain /etc/hosts configuration no longer occur.
  • Previously, when the rotate option was enabled in /etc/resolv.conf, the first DNS query of a new process was always sent to the second name server configured in the name server list in /etc/resolv.conf. This behavior has been changed, and the first DNS query now randomly selects a name server from the list. Subsequent queries rotate through the available name servers, as before. (BZ#677316, BZ#1432085, BZ#1257639, BZ#1452034, BZ#1329674)