Chapter 14. Networking
Support for the libnftnl and nftables packages
The nftables and libnftnl packages, previously available as a Technology Preview, are now supported.
The nftables packages provide a packet-filtering tool, with numerous improvements in convenience, features, and performance over previous packet-filtering tools. It is the designated successor to the iptables, ip6tables, arptables, and ebtables utilities.
The libnftnl packages provide a library for low-level interaction with the nftables Netlink API over the libmnl library. (BZ#1332585)
ECMP fib_multipath_hash_policy support added to the kernel for IPv4 packets
This update adds support for choosing the Equal-cost multi-path routing (ECMP) hash policy using fib_multipath_hash_policy, a new sysctl setting that controls which hash policy to use for multipath routes. When fib_multipath_hash_policy is set to 1, the kernel performs an L4 hash, which is a multipath hash for IPv4 packets according to a 5-tuple (source IP, source port, destination IP, destination port, IP protocol type) set of values. When fib_multipath_hash_policy is set to 0 (default), only an L3 hash is used (the source and destination IP addresses).
Note that if you enable fib_multipath_hash_policy, the Internet Control Message Protocol (ICMP) error packets are not hashed according to the inner packet headers. This is a problem for anycast services as the ICMP packet can be delivered to the incorrect host. (BZ#1511351)
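The following model is an added example, not code from the kernel or from this document. It shows why the note above matters for anycast: with policy 1 the ICMP error is keyed on its own outer header and can reach a different backend than the flow it refers to. The addresses, backend names, and the SHA-256 stand-in hash are assumptions; the kernel uses its own flow hash.

```python
import hashlib

NEXT_HOPS = ["server-a", "server-b", "server-c", "server-d"]  # constructed anycast backends
VIP, CLIENT = "192.0.2.10", "198.51.100.7"                    # constructed addresses

def _bucket(fields, n):
    # Stand-in hash, NOT the kernel's flow hash; only the choice of key fields matters here.
    digest = hashlib.sha256("|".join(map(str, fields)).encode()).digest()
    return int.from_bytes(digest[:4], "big") % n

def select_next_hop(pkt, policy, next_hops=NEXT_HOPS):
    """Pick a next hop under fib_multipath_hash_policy 0 (L3) or 1 (L4)."""
    # Endpoints are sorted so both directions of a flow share a bucket (modelling assumption).
    if policy == 0:
        # L3: source and destination IP only. An ICMP error is keyed on the packet
        # quoted inside it, which is what the note implies for the default policy.
        hdr = pkt.get("inner", pkt)
        key = sorted([hdr["src"], hdr["dst"]])
    else:
        # L4: 5-tuple of the outer header; the quoted inner packet is ignored.
        ends = sorted([(pkt["src"], pkt.get("sport", 0)),
                       (pkt["dst"], pkt.get("dport", 0))])
        key = [ends, pkt["proto"]]
    return next_hops[_bucket(key, len(next_hops))]

# Client-to-service TCP flow (constructed).
flow = {"src": CLIENT, "dst": VIP, "proto": 6, "sport": 40000, "dport": 443}

def icmp_error_from(router):
    # ICMP error sent by an on-path router to the VIP, quoting the backend's reply.
    return {"src": router, "dst": VIP, "proto": 1,
            "inner": {"src": VIP, "dst": CLIENT, "proto": 6,
                      "sport": 443, "dport": 40000}}

def misdelivered(policy, routers):
    """Routers whose ICMP error lands on a different backend than the flow it refers to."""
    owner = select_next_hop(flow, policy)
    return [r for r in routers
            if select_next_hop(icmp_error_from(r), policy) != owner]

ROUTERS = [f"203.0.113.{i}" for i in range(1, 65)]  # constructed on-path routers

if __name__ == "__main__":
    for policy in (0, 1):
        bad = misdelivered(policy, ROUTERS)
        print(f"policy={policy}: {len(bad)}/{len(ROUTERS)} ICMP errors reach the wrong backend")
```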
Support for hardware time stamping on VLAN interfaces
This update adds hardware time stamping on VLAN interfaces (driver dp83640 is excluded). This allows applications, such as linuxptp, to enable hardware time stamping. (BZ#1520356)
Support for specifying speed and duplex 802-3-ethernet properties when 802-3-ethernet.auto-negotiation is enabled
Previously, when 802-3-ethernet.auto-negotiation was enabled on an Ethernet connection, all the speed and duplex modes supported by the Network Interface Card (NIC) were advertised. The only option to enforce a specific speed and duplex mode was to disable 802-3-ethernet.auto-negotiation and set the 802-3-ethernet.speed and 802-3-ethernet.duplex properties. This was not correct because the 1000BASE-T and 10GBASE-T Ethernet standards require auto-negotiation to be always enabled. With this update, you can enable a specific speed and duplex when auto-negotiation is enabled. (BZ#1487477)
Support for changing the DUID for IPv6 DHCP connections
With this update, users can configure the DHCP Unique Identifier (DUID) in NetworkManager to get an IPv6 address from a Dynamic Host Configuration Protocol (DHCP) server. As a result, users can now specify the DUID for DHCPv6 connections using the new property, ipv6.dhcp-duid. For more details on values set for ipv6.dhcp-duid, see the nm-settings(5) man page. (BZ#1414093)
ipset rebased to Linux kernel version 4.17
The ipset kernel component has been upgraded to upstream Linux kernel version 4.17, which provides a number of enhancements and bug fixes over the previous version. Notable changes include:
- The following ipset types are now supported:
  - hash:net,net
  - hash:net,port,net
  - hash:ip,mark
  - hash:mac
  - hash:ip,mac (BZ#1557599)
ipset (userspace) rebased to version 6.38
The ipset (userspace) package has been upgraded to upstream version 6.38, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
- The userspace ipset is now aligned to the Red Hat Enterprise Linux (RHEL) kernel ipset implementation in terms of supported ipset types
- A new type of set, hash:ipmac, is now supported (BZ#1557600)
firewalld rebased to version 0.5.3
The firewalld service daemon has been upgraded to upstream version 0.5.3, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
- Added the --check-config option to verify sanity of configuration files.
- Generated interfaces such as docker0 are now correctly re-added to zones after firewalld restarts.
- A new IP set type, hash:mac, is now supported. (BZ#1554993)
The ipset comment extension is now supported
This update adds the ipset comment extension. This enables you to add entries with a comment. For more information, see the ipset(8) man page. (BZ#1496859)
radvd rebased to version 2.17
The router advertisement daemon (radvd) has been upgraded to version 2.17. The most notable change is that radvd now supports selecting the source address of router advertisements. As a result, connection tracking no longer fails when the router's address is moved between hosts or firewalls. (BZ#1475983)
The default version for SMB now is auto-negotiated to the highest supported versions, SMB2 or SMB3
With this update, the default version of the Server Message Block (SMB) protocol has been changed from SMB1 to be auto-negotiated to the highest supported versions, SMB2 or SMB3. Users can still choose to explicitly mount with the less secure SMB1 dialect (for old servers) by adding the vers=1.0 option on the Common Internet File System (CIFS) mount.
Note that SMB2 or SMB3 do not support Unix Extensions. Users that depend on Unix Extensions need to review the mount options and ensure that vers=1.0 is used. (BZ#1471950)
position in an nftables add or insert rule is replaced by handle and index
With this update of the nftables packages, the position parameter in an add or insert rule has been deprecated and replaced by the handle and index arguments. This syntax is more consistent with the replace and delete commands. (BZ#1571968)
New features in net-snmp
The net-snmp package in Red Hat Enterprise Linux 7 has been extended with the following new features:
- net-snmp now supports monitoring disks of ZFS file system.
- net-snmp now supports monitoring disks of ASM Cluster (AC) file system. (BZ#1533943, BZ#1564400)
firewall-cmd --check-config now checks the validity of XML configuration files
This update introduces the --check-config option for the firewall-cmd and firewall-offline-cmd commands. The new option checks a user configuration of the firewalld daemon in XML files. The verification script reports syntax errors in custom rule definitions, if any. (BZ#1477771)
