Chapter 11. Networking

This chapter lists the most notable changes to networking between RHEL 8 and RHEL 9.

11.1. Kernel

WireGuard VPN is available as a Technology Preview

WireGuard, which Red Hat provides as an unsupported Technology Preview, is a high-performance VPN solution that runs in the Linux kernel. It uses modern cryptography and is easier to configure than other VPN solutions. Additionally, the small code base of WireGuard reduces the attack surface and, therefore, improves security.

For further details, see Setting up a WireGuard VPN.

11.2. Network Types

Network teams are deprecated

The teamd service and the libteam library are deprecated in Red Hat Enterprise Linux 9 and will be removed in the next major release. As a replacement, configure a bond instead of a network team.

Red Hat focuses its efforts on kernel-based bonding to avoid maintaining two features, bonds and teams, that have similar functions. The bonding code has high customer adoption, is robust, and has active community development. As a result, the bonding code receives enhancements and updates.

For details about how to migrate a team to a bond, see Migrating a network team configuration to network bond.

11.3. NetworkManager

NetworkManager stores new network configurations in a key file format

Previously, NetworkManager stored new network configurations in /etc/sysconfig/network-scripts/ in the ifcfg format. Starting with RHEL 9.0, RHEL stores new network configurations in /etc/NetworkManager/system-connections/ in a key file format. Connections whose configurations are stored in /etc/sysconfig/network-scripts/ in the old format continue to work without interruption. Modifications to existing profiles continue to update the older files.

The WEP Wi-Fi connection method has been removed

The insecure wired equivalent privacy (WEP) Wi-Fi connection method has been removed from RHEL 9. For secure Wi-Fi connections, use the Wi-Fi Protected Access 3 (WPA3) or WPA2 connection methods.
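A pre-upgrade check for the WEP removal, as an added example that is not part of the Red Hat documentation: it scans profiles in the key file format for a WEP setting. The function names and sample profiles are constructed for illustration, and profiles still stored in the ifcfg format are not covered.

```shell
#!/bin/sh
# Added example: flag NetworkManager key file profiles that still use WEP.
# In the Wi-Fi security section, key-mgmt=none means static WEP and
# key-mgmt=ieee8021x means dynamic WEP (see nm-settings(5)).
find_wep_profiles() {
    for f in "$1"/*.nmconnection; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            # Track whether the current section is the Wi-Fi security section.
            /^\[/ { in_sec = ($0 ~ /^\[(wifi-security|802-11-wireless-security)\]/); next }
            in_sec && /^key-mgmt[ \t]*=/ {
                v = $0
                sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v)
                if (v == "none" || v == "ieee8021x") print file ": key-mgmt=" v
            }' "$f"
    done
}

# Constructed sample profiles (not taken from a real system).
make_sample_profiles() {
    mkdir -p "$1"
    printf '%s\n' '[connection]' 'id=lab-wep' 'type=wifi' '' \
        '[wifi]' 'ssid=lab-wep' '' \
        '[wifi-security]' 'key-mgmt=none' 'wep-key0=0123456789' \
        > "$1/lab-wep.nmconnection"
    printf '%s\n' '[connection]' 'id=office' 'type=wifi' '' \
        '[wifi]' 'ssid=office' '' \
        '[wifi-security]' 'key-mgmt=sae' 'psk=constructed-passphrase' \
        > "$1/office.nmconnection"
}

demo_dir=$(mktemp -d)
make_sample_profiles "$demo_dir"
find_wep_profiles "$demo_dir"
rm -rf "$demo_dir"
```

On a real host, run find_wep_profiles /etc/NetworkManager/system-connections as root, because the profile files are readable only by root.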

11.4. MPTCP

The mptcpd service is available

With this update, the mptcpd service is available. It is a user-space MPTCP path manager with an integrated mptcpize tool.

The mptcpd service provides simplified automatic configuration of MPTCP paths. This improves the reliability of the MPTCP socket in case of network failure or reconfiguration.

You can now use the mptcpize tool to enable the MPTCP protocol on existing systemd units without additional external dependencies.

11.5. Firewall

The ipset and iptables-nft packages have been deprecated

The ipset and iptables-nft packages have been deprecated in RHEL. The iptables-nft package contains different tools such as iptables, ip6tables, ebtables and arptables. These tools will no longer receive new features and using them for new deployments is not recommended. As a replacement, it is recommended to use the nft command line tool provided by the nftables package. Existing setups should migrate to nft when possible.

For more information about migrating to nftables, see Migrating from iptables to nftables, as well as the iptables-translate(8) and ip6tables-translate(8) man pages.

The unsupported xt_u32 Netfilter module has been removed

RHEL 8 contained the unsupported xt_u32 module, which enabled iptables users to match arbitrary 32 bits in the packet header or payload. This module has been removed from RHEL 9. As a replacement, use the nftables packet filtering framework. If no native match exists in nftables, use the raw payload matching feature of nftables. For details, see the raw payload expression section in the nft(8) man page.
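Working out the raw payload offset for an existing u32 test, as an added example that is not part of the Red Hat documentation: the hypothetical helper u32_to_nft converts a simple "OFFSET & MASK = VALUE" test into the @nh,offset,length form that nft(8) describes. It assumes a byte offset relative to the IP header, a contiguous mask, and a single value.

```shell
#!/bin/sh
# Added example: convert one simple xt_u32 test "OFFSET & MASK = VALUE" into
# an nftables raw payload match (@nh,<bit offset>,<bit length> <value>).
# u32_to_nft is a hypothetical helper name. Assumptions: OFFSET is a byte
# offset from the start of the IP header, MASK is one contiguous run of bits,
# and VALUE is a single number (no ranges, no ">>" or "@" operators).
u32_to_nft() {
    off=$(($1)); mask=$(($2)); val=$(($3))
    if [ "$mask" -le 0 ] || [ "$mask" -gt 4294967295 ]; then
        echo "mask must be between 0x1 and 0xFFFFFFFF" >&2; return 1
    fi
    # u32 loads the 4 bytes at OFFSET as one big-endian word, so the lowest
    # mask bit is the last bit of byte OFFSET+3.
    m=$mask; low=0; len=0
    while [ $((m & 1)) -eq 0 ]; do m=$((m >> 1)); low=$((low + 1)); done
    while [ $((m & 1)) -eq 1 ]; do m=$((m >> 1)); len=$((len + 1)); done
    if [ "$m" -ne 0 ]; then
        echo "mask is not contiguous; split it into several matches" >&2; return 1
    fi
    # nft counts bits from the first bit of the header; u32 compares the
    # value after masking, so shift it down to the field's own scale.
    echo "@nh,$((off * 8 + 32 - low - len)),$len $((val >> low))"
}

u32_to_nft 6 0xFF 1          # IPv4 protocol byte equals 1 (ICMP)
u32_to_nft 0 0xFFFF 0x100    # IPv4 total length equals 256
u32_to_nft 4 0x2000 0x2000   # "more fragments" flag set
```

nft adds no protocol dependency for raw payload expressions, so in a table that also sees IPv6 traffic, place a match such as meta nfproto ipv4 before the generated expression.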

11.6. Infiniband and RDMA networks

The ibdev2netdev script has been removed from RHEL 9

ibdev2netdev was a helper utility that displayed all the associations between network devices and Remote Direct Memory Access (RDMA) adapter ports. Previously, Red Hat included ibdev2netdev in the rdma-core package. Starting with Red Hat Enterprise Linux 9, ibdev2netdev has been removed and replaced by the rdmatool utility. The iproute package now includes rdmatool.

11.7. Removed functionality

RHEL 9 does not contain the legacy network scripts

RHEL 9 does not contain the network-scripts package that provided the deprecated legacy network scripts in RHEL 8. To configure network connections in RHEL 9, use NetworkManager. For details, see the Configuring and managing networking documentation.

Data Encryption Standard (DES) algorithm is not available for net-snmp communication in Red Hat Enterprise Linux 9

In previous versions of RHEL, DES was used as an encryption algorithm for secure communication between net-snmp clients and servers. In RHEL 9, the DES algorithm isn’t supported by the OpenSSL library. The algorithm is marked as insecure and hence the DES support for net-snmp has been removed.