Menu Close

Chapter 11. Networking

This chapter lists the most notable changes to networking between RHEL 8 and RHEL 9.

11.1. Kernel

WireGuard VPN is available as a Technology Preview

WireGuard, which Red Hat provides as an unsupported Technology Preview, is a high-performance VPN solution that runs in the Linux kernel. It uses modern cryptography and is easier to configure than other VPN solutions. Additionally, the small code-basis of WireGuard reduces the surface for attacks and, therefore, improves the security.

For further details, see Setting up a WireGuard VPN.

11.2. Network Types

Network teams are deprecated

The teamd service and the libteam library are deprecated in Red Hat Enterprise Linux 9 and will be removed in the next major release. As a replacement, configure a bond instead of a network team.

Red Hat focuses its efforts on kernel-based bonding to avoid maintaining two features, bonds and teams, that have similar functions. The bonding code has a high customer adoption, is robust, and has an active community development. As a result, the bonding code receives enhancements and updates.

For details about how to migrate a team to a bond, see Migrating a network team configuration to network bond.

11.3. NetworkManager

NetworkManager stores new network configurations in a key file format

Previously, NetworkManager stored new network configurations to /etc/sysconfig/network-scripts/ in the ifcfg format. Starting with RHEL 9.0, RHEL stores new network configurations at /etc/NetworkManager/system-connections/ in a key file format. The connections for which the configurations are stored to /etc/sysconfig/network-scripts/ in the old format still work uninterrupted. Modifications in existing profiles continue updating the older files.

The WEP Wi-Fi connection method has been removed

The insecure wired equivalent privacy (WEP) Wi-Fi connection method has been removed from RHEL 9. For secure Wi-Fi connections, use the Wi-Fi Protected Access 3 (WPA3) or WPA2 connection methods.

11.4. MPTCP

The mptcpd service is available

With this update the mptcpd service is available for usage. It is a user space based MPTCP path manager with integrated mptcpize tool.

The mptcpd service provides the simplified automatic configuration of the MPTCP`paths. It benefits with better reliability of the `MPTCP socket in case of network failure or reconfiguration.

Now you can use the mptcpize tool to enable the MPTCP protocol on the existing systemd units without additional external dependencies.

11.5. Firewall

The ipset and iptables-nft packages have been deprecated

The ipset and iptables-nft packages have been deprecated in RHEL. The iptables-nft package contains different tools such as iptables, ip6tables, ebtables and arptables. These tools will no longer receive new features and using them for new deployments is not recommended. As a replacement, it is recommended to use the nft command line tool provided by the nftables package. Existing setups should migrate to nft when possible.

For more information on migrating to nftables, see Migrating from iptables to nftables, as well as the iptables-translate(8) and ip6tables-translate(8) man pages.

The unsupported xt_u32 Netfilter module has been removed

RHEL 8 contained the unsupported xt_u32 module, which enabled iptables users to match arbitrary 32 bits in the packet header or payload. This module has been removed from RHEL 9. As a replacement, use the nftables packet filtering framework. If no native match exists in nftables, use the raw payload matching feature of nftables. For details, see the raw payload expression section in the nft(8) man page.

11.6. Infiniband and RDMA networks

The ibdev2netdev script has been removed from RHEL 9

ibdev2netdev was a helper utility that was able to display all the associations between network devices and Remote Direct Memory Access (RDMA) adapter ports. Previously, Red Hat was including ibdev2netdev in the rdma-core package. From Red Hat Enterprise Linux 9, ibdev2netdev has been removed and replaced by the rdmatool utility. Now, the iproute package includes rdmatool.

11.7. Removed functionality

RHEL 9 does not contain the legacy network scripts

RHEL 9 does not contain the network-scripts package that provided the deprecated legacy network scripts in RHEL 8. To configure network connections in RHEL 9, use NetworkManager. For details, see the Configuring and managing networking documentation.

The unsupported xt_u32 Netfilter module has been removed

RHEL 8 contained the unsupported xt_u32 module, which enabled iptables users to match arbitrary 32 bits in the packet header or payload. This module has been removed from RHEL 9. As a replacement, use the nftables packet filtering framework. If no native match exists in nftables, use the raw payload matching feature of nftables. For details, see the raw payload expression section in the nft(8) man page.

Data Encryption Standard (DES) algorithm is not available for net-snmp communication in Red Hat Enterprise Linux 9

In previous versions of RHEL, DES was used as an encryption algorithm for secure communication between net-snmp clients and servers. In RHEL 9, the DES algorithm isn’t supported by the OpenSSL library. The algorithm is marked as insecure and hence the DES support for net-snmp has been removed.