Error handling in the output of the dhcp-script has been improved
Previously, any error in the output of the dhcp-script was ignored. With this update, the output of the script is logged on the tftp actions. As a result, errors are displayed while dnsmasq is running.
Note that the lease-init action happens only at a start of . With this update, only a summary of the output is logged and not the standard error output, which passes to the service for logging. (BZ#1188259)
Network namespace isolation has been added to
ipset entries were visible and could be modified by any network namespace. This update provides ipset with isolation per network namespace. As a result, ipset configuration is separated for each namespace. (BZ#1226051)
NetworkManager now supports multiple routing tables to enable source routing
This update adds a new attribute for IPv4 and IPv6 routes which can be configured manually by the user. For each manual static route, a routing table can be selected. As a result, configuring the table of a route has the effect of configuring the route in that table. Additionally, the default routing table of a connection profile can be configured via the new settings for IPv4 and IPv6 respectively. These settings determine in which table the routes are placed, except for manual routes that explicitly override this setting. (BZ#1436531)
nftables rebased to version 0.8
The nftables packages have been upgraded to version 0.8, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
Support hashing of any arbitrary key combination has been added.
Support to set non-byte bound packet header fields, including checksum adjustment has been added.
Variable reference for set element definitions and variable definitions from element commands can now be used.
Support to flush set has been added.
Support for logging flags has been added.
tc classid parser has been added.
Endianness problems with link layer address have been solved.
Parser to keep map flag around on definition has been fixed.
The time datatype now uses milliseconds, as the kernel expects. (BZ#1472261)
DHCP client behavior added to
With this update, the ipv4.dhcp-timeout property can be set to either the maximum for a 32-bit integer (MAXINT32) value or to the infinity value. As a result, NetworkManager never stops trying to get or renew a lease from a DHCP server until it is successful. (BZ#1350830)
NetworkManager now exposes team options as new properties
NetworkManager applied team configuration to connections providing a JSON string to the config property, which was the only property available in the team setting. This update adds new properties in NetworkManager that match the team configuration options one to one. As a result, the configuration may be provided either through a single JSON string in the NetworkManager config property or by assigning values to the new team properties. Any configuration change applied in config is reflected in the new team properties and vice versa. The correct configuration of team link-watchers and team.runner is now enforced in NetworkManager. Wrong or unknown link-watcher and team.runner configurations result in the full team connection being rejected.
Note that when changing the new property, all the properties related to specific runners are reset to default. (BZ#1398925)
Packet mark is now reflected on replies
Previously, when receiving a connection request on a closed port, an error packet was sent back to the client. When the incoming connection was marked with some firewall rules, the generated error message did not have this mark because this functionality was not implemented in the kernel. With this update, the generated error message has the same marking as the incoming packet that tried to initiate the connection. (BZ#1469857)
New Socket timestamping options for
This update adds the SOF_TIMESTAMPING_OPT_TX_SWHW socket timestamping options for hardware timestamping with bonding and other virtual interfaces in Network Time Protocol (NTP) implementations, such as chrony. (BZ#1421164)
iproute2 rebased to version 4.11.0
The iproute2 package has been upgraded to upstream version 4.11.0, which provides a number of bug fixes and enhancements. Notably, the ip tool includes:
Support for JSON output to various commands has been added.
Support for more interface type attributes has been added.
Support for colored output has been added.
Support for the dev options and the rule objects in
Support for selectors in the ip-rule command has been added.
Additionally, notable improvements for the tc utility include:
Support for the bash-completion function for vlan action in tc has been introduced.
The extended mode in the pedit action has been introduced.
Stream Control Transmission Protocol (SCTP) support in the csum action has been added.
For other tools:
tc-pedit action now supports offset relative to Layer 2 and Layer
action allows modification of packet data. This update adds support for specifying the options relative to the Layer . This makes handling more robust and flexible. As a result, editing the Ethernet header is more convenient, and accessing the Layer header works independently of the Layer header size. (BZ#1468280)
Features backported to iproute
A number of enhancements have been backported to the iproute package. Notable changes include:
Pipeline debug support has been added to the devlink tool via the
Hardware offload status is now available in the tc filter, indicated by the
Support for IPv6 in the tc pedit action has been added.
Setting and retrieving eswitch encapsulation support has been added to the devlink tool.
Matching capabilities of the tc flower filter have been enhanced:
Support for matching on TCP flags.
Support for matching on the type-of-service (ToS) and the time-to-live (TTL) fields in the IP header.
The Geneve driver rebased to version 4.12
The Geneve driver has been updated to version 4.12, which provides several bug fixes and enhancements for Open vSwitch (OVS) or Open Virtual Network (OVN) deployments using Geneve tunneling. (BZ#1467288)
A control switch added for
This update adds a new control switch to the ethtool utility to enable or disable offloading of the GENEVE tunnels to network cards. This enhancement enables easier debugging of issues with the GENEVE tunnels. In addition, you can resolve issues caused by offloading these types of tunnels to network cards by using ethtool to disable the feature. (BZ#1308630)
unbound rebased to version 1.6.6
The unbound packages have been rebased to upstream version 1.6.6, which provides a number of bug fixes and enhancements over the previous version. Notable changes are as follows:
DNS Query Name (QNAME) minimisation according to RFC 7816 has been implemented.
max-udp-size configuration option has been added; its default value is
DNS64 module and a new dns64-prefix option have been added.
insecure_remove commands have been added to the unbound-control utility for administration of negative trust anchors.
unbound-control utility is now capable of bulk addition and removal of local zones and local data. To perform these actions, use the
libldns is no longer a dependency of libunbound and will not be installed with it.
so-reuseport: option is now available for distributing queries evenly over threads on Linux.
New Resource Record types have been added:
URI (according to RFC 7553),
local-zone types have been added: inform to log a message with a client IP and inform_deny to log a query and drop the answer to it.
Remote control over local sockets is now available; use the control-interface: /path/sock and control-use-cert: no commands.
ip-transparent: configuration option has been added for binding to non-local IP addresses.
ip-freebind: configuration option has been added for binding to an IP address while the interface or address is down.
harden-algo-downgrade: configuration option has been added.
The following domains are now blocked by default: onion (according to RFC 7686), invalid (according to RFC 6761).
A user-defined pluggable event API for the libunbound library has been added.
To set the working directory for Unbound, either use the directory: dir with the include: file statement in the unbound.conf file, which ensures that the includes are relative to the directory, or use the chroot command with an absolute path.
Fine-grained localzone control has been implemented with the following options:
outgoing-interface: netblock/64 IPv6 option has been added to use Linux freebind feature for every query with a random 64-bit local part.
Logging of DNS replies has been added, which is similar to query logs.
Trust anchor signaling has been implemented that uses key tag query and trustanchor.unbound CH TXT queries.
Extension mechanisms for DNS (EDNS) Client Subnet has been implemented.
ipsecmod, an opportunistic IPsec support module, has been implemented. (BZ#1251440)
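A server configuration fragment that turns on several of the 1.6.6 options listed above, added here as an example rather than taken from the Unbound project's own documentation; the zone names, the control socket path, the IPv6 netblock and the chosen values are assumptions.

```conf
# Added example unbound.conf fragment (not from the Unbound project); zone names,
# the socket path, the netblock and the numeric values are assumed for illustration.
server:
    directory: "/etc/unbound"

    # Send only the part of the name each upstream server needs (RFC 7816)
    qname-minimisation: yes
    # Do not accept weaker DNSSEC algorithms when a stronger one is published
    harden-algo-downgrade: yes
    # EDNS buffer size advertised to clients (example value)
    max-udp-size: 1232

    # Spread incoming queries over threads; allow binding to an address that
    # is not yet configured on the host (for anycast or failover setups)
    so-reuseport: yes
    ip-freebind: yes
    # Pick a random 64-bit local part for every outgoing query
    outgoing-interface: 2001:db8:10::/64

    # Log the answer as well as the query, for audit and incident review
    log-queries: yes
    log-replies: yes

    # inform: answer normally but log the client; inform_deny: log and drop
    local-zone: "watch.example." inform
    local-zone: "blocked.example." inform_deny

    # DNS64 module with the new dns64-prefix option
    module-config: "dns64 validator iterator"
    dns64-prefix: 64:ff9b::/96

    # Resolved relative to directory: above
    include: "conf.d/*.conf"

remote-control:
    control-enable: yes
    # Local socket instead of TCP; access is controlled by file permissions
    control-interface: /run/unbound/control.sock
    control-use-cert: no
```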
DHCP now supports standard dynamic DNS updates
With this update, the DHCP server allows updating DNS records by using a standard protocol. As a result, DHCP supports standard dynamic DNS updates as described in RFC 2136: https://tools.ietf.org/html/rfc2136
DDNS now supports additional algorithms
daemon supported only the hashing algorithm, which is considered insecure for critical applications. As a consequence, the Dynamic DNS (DDNS) updates were potentially insecure. This update adds support for additional algorithms:
IPTABLES_SYSCTL_LOAD_LIST now supports the
sysctl settings in IPTABLES_SYSCTL_LOAD_LIST are reloaded by the iptables init script when the iptables service is restarted. The modified settings were previously searched only in the /etc/sysctl.conf file. This update adds support for searching these modifications in the /etc/sysctl.d/ directory as well. As a result, the user-provided files in /etc/sysctl.d/ are now correctly taken into account when the iptables service is restarted. (BZ#1402021)
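The lookup described above, re-implemented as a small POSIX shell script (an added example, not the iptables init script's own code): each key in IPTABLES_SYSCTL_LOAD_LIST is searched in sysctl.conf and then in sysctl.d/*.conf, with later files winning; the /etc prefix is a parameter, and the sample files and values are constructed.

```shell
#!/bin/sh
# Added example (not the iptables init script's own code): re-implements the
# lookup described above. Each key in IPTABLES_SYSCTL_LOAD_LIST is searched in
# sysctl.conf and then sysctl.d/*.conf; a later file wins, as with sysctl --system.
# The /etc prefix is a parameter so the functions can run against constructed files.

# sysctl_files ETC_DIR: print sysctl.conf followed by sysctl.d/*.conf in sort order
sysctl_files() {
    [ -r "$1/sysctl.conf" ] && printf '%s\n' "$1/sysctl.conf"
    for f in "$1"/sysctl.d/*.conf; do
        [ -r "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# load_list_values "KEY1 KEY2 ..." ETC_DIR: print KEY=VALUE for each key that an
# admin actually set; keys absent from every file are skipped, so nothing is
# written to the kernel that was not explicitly configured.
load_list_values() {
    for key in $1; do
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots are literal in the key
        value=
        for f in $(sysctl_files "$2"); do
            v=$(sed -n "s/^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*//p" "$f" \
                | sed 's/[[:space:]]*$//' | tail -n 1)
            [ -n "$v" ] && value=$v
        done
        [ -n "$value" ] && printf '%s=%s\n' "$key" "$value"
    done
    return 0
}

# apply_load_list "KEY1 KEY2 ..." ETC_DIR: what a service restart would do (needs root)
apply_load_list() {
    load_list_values "$1" "$2" | while IFS= read -r kv; do
        sysctl -w "$kv"
    done
}

# Demo on constructed files: the sysctl.d file overrides sysctl.conf for nf_conntrack_max
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/sysctl.d"
printf 'net.netfilter.nf_conntrack_max = 65536\n' > "$demo_dir/sysctl.conf"
printf 'net.netfilter.nf_conntrack_max = 262144\nnet.netfilter.nf_conntrack_tcp_timeout_established = 600\n' \
    > "$demo_dir/sysctl.d/90-conntrack.conf"
load_list_values "net.netfilter.nf_conntrack_max net.netfilter.nf_conntrack_tcp_timeout_established" "$demo_dir"
rm -rf "$demo_dir"
```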
SCTP now supports
MSG_MORE flag is set to buffer small pieces of data until a full packet is ready for transmission or until a call is performed that does not specify this flag. This update adds support for MSG_MORE on the Stream Control Transmission Protocol (SCTP). As a result, small data chunks can be buffered and sent as a full packet. (BZ#1409365)
MACsec rebased to version 4.13
Media Access Control Security (MACsec) driver has been upgraded to upstream version 4.13, which provides a number of bug fixes and enhancements over the previous version. Notable enhancements include:
Generic Receive Offload (GRO) and Receive Packet Steering (RPS) are enabled on
MODULE_ALIAS_GENL_FAMILY module has been added. This helps tools such as wpa_supplicant to start even if the module is not loaded yet. (BZ#1467335)
Enhanced performance when using the mlx5 driver in Open vSwitch
The Open vSwitch (OVS) application enables Virtual Machines to communicate with each other and the physical network. OVS resides in the hypervisor and switching is based on twelve-tuple matching on flows. However, the OVS software-based solution is very CPU-intensive. This affects the system performance and prevents using the fully available bandwidth.
With this update, the mlx5 driver for Mellanox ConnectX-4, ConnectX-4 Lx, and ConnectX-5 adapters can offload OVS. The Mellanox Accelerated Switching And Packet Processing (ASAP2) Direct technology enables offloading OVS by handling the OVS data-plane in Mellanox ConnectX-4 and later network interface cards with Mellanox Embedded Switch or eSwitch, while maintaining an unmodified OVS control-plane. As a result, the OVS performance is significantly higher and less CPU-intensive.
The current actions supported by ASAP2 Direct include packet parsing and matching, forward, drop along with VLAN push/pop, or VXLAN encapsulation and decapsulation. (BZ#1456687)
The Netronome NFP Ethernet driver now supports the representor netdev feature
This update backports the representor netdev feature for the Netronome NFP Ethernet driver to Red Hat Enterprise Linux 7.5. This enhancement enables the driver:
To receive and transmit fallback traffic
To be used in Open vSwitch
To support programming flows to the NFP hardware by using the TC-Flower utility (BZ#1454745)
Support for offloading
This update adds support for offloading the TC-Flower classifier and actions related to offloading of Open vSwitch. This allows acceleration of Open vSwitch using Netronome SmartNICs. (BZ#1468286)
DNS stub resolver improvements
The DNS stub resolver in the glibc package has been updated to the upstream glibc version 2.26. Notable improvements and bug fixes include:
Changes to the /etc/resolv.conf file are now automatically recognized and applied to running programs. To restore the previous behavior, add the no-reload option to the options line in /etc/resolv.conf. Note that depending on system configuration, the /etc/resolv.conf file might be automatically overwritten as part of the configuration of the networking subsystem, removing the
The previous limit of six search domain entries is removed. You can now specify any number of domains with the search directive in /etc/resolv.conf. Note that additional entries may add significant overhead to DNS processing; consider running a local caching resolver if the number of entries exceeds three.
The handling of various boundary conditions in the getaddrinfo() function is fixed. Very long lines in the /etc/hosts file (including comments) no longer affect lookup results from other lines. Unexpected terminations related to stack exhaustion on systems with certain /etc/hosts configuration no longer occur.
Previously, when the option was enabled in , the first DNS query of a new process was always sent to the second name server configured in the name server list in . This behavior has been changed, and the first DNS query now randomly selects a name server from the list. Subsequent queries rotate through the available name servers, as before. (BZ#677316, BZ#1257639, BZ#1452034)