Chapter 32. Networking
Bad offload warnings are no longer displayed when using virtio_net
Previously, when using the virtio_net network adapter in bridge connections, user space programs sometimes generated Generic Segmentation Offload (GSO) packets with no checksum offload and passed them to the kernel. As a consequence, the kernel checksum offloading code displayed bad offload warnings unnecessarily. With this update, a patch has been applied, and the kernel no longer displays bad checksum offload warnings for such packets. (BZ#1544920)
The L2TP sequence number handling now works correctly
Previously, the kernel did not handle Layer 2 Tunneling Protocol (L2TP) sequence numbers properly and it was not compliant with RFC 3931. As a consequence, L2TP sessions stopped working unexpectedly. With this update, a patch has been applied to correctly handle sequence numbers in case of a packet loss. As a result, when users enable sequence numbers, L2TP sessions work as expected in the described scenario. (BZ#1527799)
The kernel no longer crashes when a tunnel_key mode is not specified
Previously, parsing configuration data in the tunnel_key action rules was incorrect if neither set nor unset mode was specified in the configuration. As a consequence, the kernel dereferenced an incorrect pointer and terminated unexpectedly. With this update, the kernel does not install tunnel_key if set or unset was not specified. As a result, the kernel no longer crashes in the described scenario. (BZ#1554907)
The sysctl net.ipv4.route.min_pmtu setting can no longer be set to invalid values
Previously, the value provided by administrators for the sysctl net.ipv4.route.min_pmtu setting was not restricted. As a consequence, administrators were able to set a negative value for net.ipv4.route.min_pmtu. This sometimes resulted in setting the path Maximum Transmission Unit (MTU) of some routes to very large values because of an integer overflow. This update restricts net.ipv4.route.min_pmtu to values >= 68, the minimum valid MTU for IPv4. As a result, net.ipv4.route.min_pmtu can no longer be set to invalid values (negative value or < 68). (BZ#1541250)
wpa_supplicant no longer responds to packets whose destination address does not match the interface address
Previously, when wpa_supplicant was running on a Linux interface that was configured in promiscuous mode, incoming Extensible Authentication Protocol over LAN (EAPOL) packets were processed regardless of the destination address in the frame. However, wpa_supplicant checked the destination address only if the interface was enslaved to a bridge. As a consequence, in certain cases, wpa_supplicant was responding to EAPOL packets when the destination address was not the interface address. With this update, a socket filter has been added that allows the kernel to discard unicast EAPOL packets whose destination address does not match the interface address, and the described problem no longer occurs. (BZ#1434434)
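
The destination-address decision described above, modelled as a user-space C function (an added example, not wpa_supplicant or kernel code; the actual fix is a socket filter evaluated by the kernel). The function name, MAC addresses and frames are constructed for illustration, and passing every group-addressed frame is an assumption drawn from the text's "unicast" qualifier.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN      6
#define ETH_HDR_LEN   14
#define ETHERTYPE_PAE 0x888E   /* EAPOL (IEEE 802.1X) */

/* Hypothetical helper: should this received frame reach the supplicant?
 * On a promiscuous interface, frames for other stations arrive too. */
static bool eapol_frame_accepted(const uint8_t *frame, size_t len,
                                 const uint8_t own_mac[ETH_ALEN])
{
    if (frame == NULL || len < ETH_HDR_LEN)
        return false;                    /* truncated Ethernet header */
    uint16_t ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    if (ethertype != ETHERTYPE_PAE)
        return false;                    /* not an EAPOL frame */
    if (frame[0] & 0x01)
        return true;                     /* group bit set: not unicast */
    /* Unicast: accept only when addressed to this interface. */
    return memcmp(frame, own_mac, ETH_ALEN) == 0;
}

/* Constructed sample data: dst MAC, src MAC, ethertype, EAPOL-Start. */
static const uint8_t OWN_MAC[ETH_ALEN] = {0x02, 0, 0, 0, 0, 0x01};
static const uint8_t TO_US[] = {
    0x02, 0, 0, 0, 0, 0x01,  0x02, 0, 0, 0, 0, 0xaa,
    0x88, 0x8e,  0x02, 0x01, 0x00, 0x00 };
static const uint8_t TO_OTHER[] = {      /* another station's unicast */
    0x02, 0, 0, 0, 0, 0x02,  0x02, 0, 0, 0, 0, 0xaa,
    0x88, 0x8e,  0x02, 0x01, 0x00, 0x00 };
static const uint8_t TO_GROUP[] = {      /* PAE group address */
    0x01, 0x80, 0xc2, 0, 0, 0x03,  0x02, 0, 0, 0, 0, 0xaa,
    0x88, 0x8e,  0x02, 0x01, 0x00, 0x00 };

int main(void)
{
    printf("to us:    %d\n", eapol_frame_accepted(TO_US, sizeof TO_US, OWN_MAC));
    printf("to other: %d\n", eapol_frame_accepted(TO_OTHER, sizeof TO_OTHER, OWN_MAC));
    printf("to group: %d\n", eapol_frame_accepted(TO_GROUP, sizeof TO_GROUP, OWN_MAC));
    return 0;
}
```
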
NetworkManager no longer fails to detect duplicate IPv4 addresses
Previously, NetworkManager used to spawn an instance of the arping process to detect duplicate IPv4 addresses on the network. As a consequence, if the timeout configured for IPv4 Duplicate Address Detection (DAD) was short and the system was overloaded, NetworkManager sometimes failed to detect a duplicate address in time. With this update, the detection of duplicate IPv4 addresses is now performed internally to NetworkManager without spawning external binaries, and the described problem no longer occurs. (BZ#1507864)
firewalld now prevents partially applied rules
Previously, if a direct rule failed to be inserted for any reason, then all following direct rules with a higher priority also failed to insert. As a consequence, direct rules were not applied completely. The processing has been changed to either apply all direct rules successfully or revert them all. As a result, if a rule failure occurs at startup, firewalld enters the failed status and allows the user to remedy the situation. This prevents unexpected results by having partially applied rules. (BZ#1498923)
The wpa_supplicant upgrade no longer causes disconnections
Previously, the upgrade of the wpa_supplicant package caused a restart of the wpa_supplicant service. As a consequence, the network disconnected temporarily. With this update, the systemd unit is not restarted during the upgrade. As a result, the network connectivity no longer fails during the wpa_supplicant upgrade. (BZ#1505404)