Chapter 32. Networking

Bad offload warnings are no longer displayed using virtio_net

Previously, when the virtio_net network adapter was used in bridge connections, user-space programs sometimes generated Generic Segmentation Offload (GSO) packets with no checksum offload and passed them to the kernel. As a consequence, the kernel checksum offloading code displayed bad offload warnings unnecessarily. With this update, a patch has been applied, and the kernel no longer displays bad checksum offload warnings for such packets. (BZ#1544920)

The L2TP sequence number handling now works correctly

Previously, the kernel did not handle Layer 2 Tunneling Protocol (L2TP) sequence numbers properly, and it was not compliant with RFC 3931. As a consequence, L2TP sessions stopped working unexpectedly. With this update, a patch has been applied to correctly handle sequence numbers in case of packet loss. As a result, when users enable sequence numbers, L2TP sessions work as expected in the described scenario. (BZ#1527799)

The kernel no longer crashes when a tunnel_key mode is not specified

Previously, parsing configuration data in the tunnel_key action rules was incorrect if neither set nor unset mode was specified in the configuration. As a consequence, the kernel dereferenced an incorrect pointer and terminated unexpectedly. With this update, the kernel does not install tunnel_key if set or unset was not specified. As a result, the kernel no longer crashes in the described scenario. (BZ#1554907)

The sysctl net.ipv4.route.min_pmtu setting can no longer be set to invalid values

Previously, the value provided by administrators for the sysctl net.ipv4.route.min_pmtu setting was not restricted. As a consequence, administrators were able to set a negative value for net.ipv4.route.min_pmtu. This sometimes resulted in setting the path Maximum Transmission Unit (MTU) of some routes to very large values because of an integer overflow. This update restricts net.ipv4.route.min_pmtu to values >= 68, the minimum valid MTU for IPv4. As a result, net.ipv4.route.min_pmtu can no longer be set to invalid values (negative values or values < 68). (BZ#1541250)

wpa_supplicant no longer responds to packets whose destination address does not match the interface address

Previously, when wpa_supplicant was running on a Linux interface that was configured in promiscuous mode, incoming Extensible Authentication Protocol over LAN (EAPOL) packets were processed regardless of the destination address in the frame. However, wpa_supplicant checked the destination address only if the interface was enslaved to a bridge. As a consequence, in certain cases, wpa_supplicant was responding to EAPOL packets when the destination address was not the interface address. With this update, a socket filter has been added that allows the kernel to discard unicast EAPOL packets whose destination address does not match the interface address, and the described problem no longer occurs. (BZ#1434434)
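The accept/drop decision described above, modelled in user space as an added example; it is not the wpa_supplicant or kernel filter code. The function names and the sample addresses are constructed for illustration, and rejecting non-EAPOL frames is an assumption of this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN      6
#define ETH_HLEN      14
#define ETHERTYPE_PAE 0x888E            /* EAPOL (IEEE 802.1X) EtherType */

/* Constructed sample addresses (locally administered), not from the erratum. */
static const uint8_t IF_ADDR[ETH_ALEN]    = {0x02, 0, 0, 0, 0, 0x01}; /* our interface */
static const uint8_t OTHER_ADDR[ETH_ALEN] = {0x02, 0, 0, 0, 0, 0x02}; /* another station */
static const uint8_t PAE_GROUP[ETH_ALEN]  = {0x01, 0x80, 0xC2, 0, 0, 0x03}; /* 802.1X group */

/* Hypothetical user-space model of the filter decision: true = deliver to the
 * supplicant, false = drop. */
bool eapol_frame_accepted(const uint8_t *frame, size_t len,
                          const uint8_t if_addr[ETH_ALEN])
{
    if (frame == NULL || len < ETH_HLEN)
        return false;                   /* truncated Ethernet header */
    if ((((unsigned)frame[12] << 8) | frame[13]) != ETHERTYPE_PAE)
        return false;                   /* this model only passes EAPOL */
    if (frame[0] & 0x01)
        return true;                    /* group-addressed, so not unicast: keep */
    return memcmp(frame, if_addr, ETH_ALEN) == 0;   /* unicast must match */
}

/* Builds a minimal EAPOL-Start frame to dst and runs it through the check. */
bool check_dst(const uint8_t dst[ETH_ALEN], uint16_t ethertype)
{
    uint8_t f[ETH_HLEN + 4] = {0};
    memcpy(f, dst, ETH_ALEN);
    memcpy(f + ETH_ALEN, OTHER_ADDR, ETH_ALEN);      /* source address */
    f[12] = (uint8_t)(ethertype >> 8);
    f[13] = (uint8_t)(ethertype & 0xff);
    f[14] = 2; f[15] = 1;               /* EAPOL version 2, type 1 (Start), length 0 */
    return eapol_frame_accepted(f, sizeof f, IF_ADDR);
}

int main(void)
{
    printf("to interface address: %d\n", check_dst(IF_ADDR, ETHERTYPE_PAE));
    printf("to another station:   %d\n", check_dst(OTHER_ADDR, ETHERTYPE_PAE));
    printf("to PAE group address: %d\n", check_dst(PAE_GROUP, ETHERTYPE_PAE));
    return 0;
}
```

Only the frame addressed to another station is dropped; group-addressed EAPOL frames are not unicast and still reach the supplicant.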

NetworkManager no longer fails to detect duplicate IPv4 addresses

Previously, NetworkManager used to spawn an instance of the arping process to detect duplicate IPv4 addresses on the network. As a consequence, if the timeout configured for IPv4 Duplicate Address Detection (DAD) was short and the system was overloaded, NetworkManager sometimes failed to detect a duplicate address in time. With this update, the detection of duplicate IPv4 addresses is now performed internally to NetworkManager without spawning external binaries, and the described problem no longer occurs. (BZ#1507864)

firewalld now prevents partially applied rules

Previously, if a direct rule failed to be inserted for any reason, then all following direct rules with a higher priority also failed to insert. As a consequence, direct rules were not applied completely. The processing has been changed to either apply all direct rules successfully or revert them all. As a result, if a rule failure occurs at startup, firewalld enters the failed status and allows the user to remedy the situation. This prevents the unexpected results that partially applied rules would cause. (BZ#1498923)

The wpa_supplicant upgrade no longer causes disconnections

Previously, the upgrade of the wpa_supplicant package caused a restart of the wpa_supplicant service. As a consequence, the network disconnected temporarily. With this update, the systemd unit is not restarted during the upgrade. As a result, the network connectivity no longer fails during the wpa_supplicant upgrade. (BZ#1505404)