Chapter 13. Networking
Error handling in the output of the dhcp-script has been improved
Previously, any error in the output of the dhcp-script was ignored. With this update, the output of the script is logged on the add, old, del, arp-add, arp-del, and tftp actions. As a result, errors are displayed while dnsmasq is running.
Note that the lease-init action happens only at the start of dnsmasq. With this update, only a summary of the output is logged, not the standard error output, which is passed on to the systemd service for logging. (BZ#1188259)
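The following is an added example of a dhcp-script hook that handles the actions listed above; it is not part of the release note or of dnsmasq itself. The argument layout per action follows the dnsmasq manual (MAC, IP and optional hostname for add/old/del; MAC and IP for arp-add/arp-del; file size, client address and file name for tftp). The log path, the install name dhcp-hook and the function names are choices made for this example.

```shell
#!/bin/sh
# Added example, not part of the release note or of dnsmasq: a dhcp-script
# hook for the actions listed above. Install as, e.g., /usr/local/libexec/dhcp-hook
# and point dnsmasq at it with --dhcp-script=/usr/local/libexec/dhcp-hook.
# dnsmasq passes:  add|old|del  MAC IP [HOSTNAME]
#                  arp-add|arp-del  MAC IP
#                  tftp  SIZE CLIENT_IP FILENAME
# LEASE_LOG, log_event and dhcp_hook are names chosen for this example.
LEASE_LOG="${LEASE_LOG:-/var/log/dnsmasq-leases.log}"

# Record one event: a timestamped copy goes to $LEASE_LOG, and the same
# line goes to stdout, which dnsmasq now logs for these actions.
log_event() {
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$LEASE_LOG" || {
        echo "dhcp_hook: cannot write $LEASE_LOG" >&2
        return 1
    }
    printf '%s\n' "$*"
}

# Validate the argument shape for each action; a non-zero exit and a message
# on stderr is what makes a broken hook visible in the dnsmasq log.
dhcp_hook() {
    action=$1
    case "$action" in
        add|old|del)
            [ $# -ge 3 ] || { echo "dhcp_hook: $action needs MAC and IP" >&2; return 2; }
            log_event "lease $action mac=$2 ip=$3 host=${4:-(none)}"
            ;;
        arp-add|arp-del)
            [ $# -eq 3 ] || { echo "dhcp_hook: $action needs MAC and IP" >&2; return 2; }
            log_event "arp ${action#arp-} mac=$2 ip=$3"
            ;;
        tftp)
            [ $# -eq 4 ] || { echo "dhcp_hook: tftp needs SIZE CLIENT FILE" >&2; return 2; }
            log_event "tftp size=$2 client=$3 file=$4"
            ;;
        init|lease-init)
            # Startup lease read: nothing to record here.
            return 0
            ;;
        *)
            echo "dhcp_hook: unknown action '$action'" >&2
            return 1
            ;;
    esac
}

# Act as the hook only when executed under the installed name, so the file
# can also be sourced to exercise dhcp_hook without dnsmasq.
case "${0##*/}" in
    dhcp-hook) dhcp_hook "$@" ;;
esac
```

Because dnsmasq now logs what the script prints, keep stdout to one short line per event; the detailed record belongs in the script's own log file. A wrong argument count or an unknown action exits non-zero with a message on stderr, which is the condition that was silently ignored before this update.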
Network namespace isolation has been added to ipset
Previously, ipset entries were visible to and could be modified from any network namespace. This update provides ipset with isolation per network namespace. As a result, ipset configuration is separated for each namespace. (BZ#1226051)
NetworkManager now supports multiple routing tables to enable source routing
This update adds a new table attribute for IPv4 and IPv6 routes, which can be configured manually by the user. For each manual static route, a routing table can be selected; configuring the table of a route places the route in that table. Additionally, the default routing table of a connection profile can be configured with the new ipv4.route-table and ipv6.route-table settings for IPv4 and IPv6 respectively. These settings determine the table in which the routes of the profile are placed, except for manual routes whose table attribute explicitly overrides this setting. (BZ#1436531)
nftables rebased to version 0.8
The nftables packages have been upgraded to version 0.8, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
- Support for hashing any arbitrary key combination has been added.
- Support for setting non-byte-bound packet header fields, including checksum adjustment, has been added.
- Variable references can now be used in set element definitions, and variables can be defined from element commands.
- Support for flushing a set has been added.
- Support for logging flags has been added.
- Support for the tc classid parser has been added.
- Endianness problems with link layer addresses have been solved.
- The parser now keeps the map flag around on definition.
- The time datatype now uses milliseconds, as the kernel expects. (BZ#1472261)
Persistent DHCP client behavior added to NetworkManager
With this update, the ipv4.dhcp-timeout property can be set either to the maximum 32-bit integer value (MAXINT32, 2147483647) or to the value infinity. As a result, NetworkManager never stops trying to obtain or renew a lease from a DHCP server until it succeeds. (BZ#1350830)
NetworkManager now exposes team options as properties
Previously, NetworkManager applied team configuration to connections by taking a JSON string in the config property, which was the only property available in the team setting. This update adds new properties in NetworkManager that match the team configuration options one to one. As a result, the configuration may be provided either as a single JSON string in the NetworkManager config property or by assigning values to the new team properties. Any configuration change applied in config is reflected in the new team properties and vice versa. NetworkManager now enforces correct configuration of team link-watchers and of team.runner: wrong or unknown link-watcher or team.runner configurations cause the whole team connection to be rejected.
Note that when changing the new runner property, all properties related to specific runners are reset to their defaults. (BZ#1398925)
Packet marks are now reflected on replies
Previously, when a connection request arrived on a closed port, an error packet (such as a TCP RST or an ICMP error) was sent back to the client. When the incoming packet had been marked by firewall rules, the generated error packet did not carry this mark, because this functionality was not implemented in the kernel. With this update, the generated error packet carries the same mark as the incoming packet that tried to initiate the connection. (BZ#1469857)
New socket timestamping options for NTP
This update adds the SOF_TIMESTAMPING_OPT_PKTINFO and SOF_TIMESTAMPING_OPT_TX_SWHW socket timestamping options for hardware timestamping with bonding and other virtual interfaces in Network Time Protocol (NTP) implementations, such as chrony. (BZ#1421164)
iproute2 rebased to version 4.11.0
The iproute2 package has been upgraded to upstream version 4.11.0, which provides a number of bug fixes and enhancements. Notably, the ip tool includes:
- Support for JSON output in various commands has been added.
- Support for more interface type attributes has been added.
- Support for colored output has been added.
- Support for the label and dev options and for rule objects in ip monitor has been added.
- Support for selectors in the ip rule command has been added.
Additionally, notable improvements for the tc utility include:
- Support for the bash-completion function for tc.
- The vlan action in tc has been introduced.
- The extended mode in the pedit action has been introduced.
- Stream Control Transmission Protocol (SCTP) support in the csum action has been added.
For other tools:
- Support for extended statistics in the lnstat tool has been added.
- Support for SCTP in the nstat utility has been added. (BZ#1435647)
The tc-pedit action now supports offsets relative to Layer 2 and Layer 4
The tc-pedit action allows modification of packet data. This update adds support for specifying the offset options relative to the Layer 2, 3 and 4 headers to tc-pedit. This makes pedit header handling more robust and flexible. As a result, editing the Ethernet header is more convenient, and accessing the Layer 4 header works independently of the Layer 3 header size. (BZ#1468280)
Features backported to iproute
A number of enhancements have been backported to the iproute package. Notable changes include:
- Pipeline debug support has been added to the devlink tool via the dpipe subcommand.
- Hardware offload status is now shown for tc filters, indicated by the in_hw or not_in_hw flags.
- Support for IPv6 in the tc pedit action has been added.
- Setting and retrieving eswitch encapsulation support has been added to the devlink tool.
- Matching capabilities of the tc flower filter have been enhanced:
  - Support for matching on TCP flags.
  - Support for matching on the type-of-service (ToS) and the time-to-live (TTL) fields in the IP header.
(BZ#1456539)
The Geneve driver rebased to version 4.12
The Geneve driver has been updated to version 4.12, which provides several bug fixes and enhancements for Open vSwitch (OVS) or Open Virtual Network (OVN) deployments using Geneve tunneling. (BZ#1467288)
A control switch added for VXLAN and GENEVE offloading
This update adds a new control switch to the ethtool utility to enable or disable offloading of VXLAN and GENEVE tunnels to network cards. This enhancement enables easier debugging of issues with VXLAN or GENEVE tunnels. In addition, you can resolve issues caused by offloading these types of tunnels to network cards by using ethtool to disable the feature. (BZ#1308630)
unbound rebased to version 1.6.6
The unbound packages have been rebased to upstream version 1.6.6, which provides a number of bug fixes and enhancements over the previous version. Notable changes are as follows:
- DNS Query Name (QNAME) minimisation according to RFC 7816 has been implemented.
- A new max-udp-size configuration option has been added; its default value is 4096.
- A new DNS64 module and a new dns64-prefix option have been added.
- New insecure_add and insecure_remove commands have been added to the unbound-control utility for administration of negative trust anchors.
- The unbound-control utility is now capable of bulk addition and removal of local zones and local data. To perform these actions, use the local_zones, local_zones_remove, local_datas, and local_datas_remove commands.
- The libldns library is no longer a dependency of libunbound and is not installed with it.
- A new so-reuseport: option is now available for distributing queries evenly over threads on Linux.
- New Resource Record types have been added: CDS, CDNSKEY, URI (according to RFC 7553), CSYNC, and OPENPGPKEY.
- New local-zone types have been added: inform, which logs a message with the client IP, and inform_deny, which logs the query and drops it.
- Remote control over local sockets is now available; use the control-interface: /path/sock and control-use-cert: no options.
- A new ip-transparent: configuration option has been added for binding to non-local IP addresses.
- A new ip-freebind: configuration option has been added for binding to an IP address while the interface or address is down.
- A new harden-algo-downgrade: configuration option has been added.
- The following domains are now blocked by default: onion (according to RFC 7686), test, and invalid (according to RFC 6761).
- A user-defined pluggable event API for the libunbound library has been added.
- To set the working directory for Unbound, either use the directory: dir option together with the include: file statement in the unbound.conf file, which ensures that the includes are relative to that directory, or use the chroot option with an absolute path.
- Fine-grained local-zone control has been implemented with the following options: define-tag, access-control-tag, access-control-tag-action, access-control-tag-data, local-zone-tag, and local-zone-override.
- A new outgoing-interface: netblock/64 IPv6 option has been added, which uses the Linux freebind feature to send every query from a random 64-bit local part.
- Logging of DNS replies has been added, similar to query logging.
- Trust anchor signaling has been implemented, using key tag queries and trustanchor.unbound CH TXT queries.
- Extension Mechanisms for DNS (EDNS) Client Subnet has been implemented.
- ipsecmod, an opportunistic IPsec support module, has been implemented. (BZ#1251440)
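The following unbound.conf excerpt is an added example that ties several of the options above together; it is not from the release note or from the Unbound project. The netblocks, zone names, thread count and socket path are hypothetical.

```conf
# /etc/unbound/unbound.conf (excerpt) -- added example, not from the release
# note. Netblocks, zone names and the socket path are hypothetical.
server:
    # Send each upstream only the labels it needs (RFC 7816).
    qname-minimisation: yes
    # Refuse to accept a DNSSEC algorithm downgrade for a zone whose
    # DS/DNSKEY set advertises stronger algorithms.
    harden-algo-downgrade: yes
    # EDNS buffer size advertised to clients (the 1.6.6 default is 4096).
    max-udp-size: 4096
    # Spread incoming queries evenly over the worker threads.
    num-threads: 4
    so-reuseport: yes
    # Record what was answered, not only what was asked.
    log-queries: yes
    log-replies: yes

    # Synthesize AAAA records for IPv6-only clients (dns64 module).
    module-config: "dns64 validator iterator"

    # Tag-based policy: clients in the guest netblock carry the "guest" tag,
    # and the tagged local-zone below applies only to them; untagged clients
    # resolve the zone normally.
    define-tag: "guest"
    access-control: 192.0.2.0/24 allow
    access-control-tag: 192.0.2.0/24 "guest"
    local-zone: "corp.example.com." refuse
    local-zone-tag: "corp.example.com." "guest"
    # One guest host is exempted by overriding the zone type for its address.
    local-zone-override: "corp.example.com." 192.0.2.7/32 transparent

    # Log client IP and query name, then drop the query (no answer at all).
    local-zone: "quarantine.example." inform_deny

dns64:
    dns64-prefix: 64:ff9b::/96

remote-control:
    control-enable: yes
    # Local UNIX socket instead of TCP 8953: no TLS certificates are needed;
    # access is governed by the file permissions on the socket.
    control-interface: /run/unbound/control.sock
    control-use-cert: no
```

Validate the file with `unbound-checkconf` before reloading. With the control socket in place, a zone whose DNSSEC chain is known to be broken can be temporarily exempted from validation with `unbound-control insecure_add broken.example.` (a hypothetical zone name) and restored with `insecure_remove`; a negative trust anchor added this way is not persistent across restarts.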
DHCP now supports standard dynamic DNS updates
With this update, the DHCP server allows updating DNS records by using a standard protocol. As a result, DHCP supports standard dynamic DNS updates as described in RFC 2136: https://tools.ietf.org/html/rfc2136. (BZ#1394727)
DDNS now supports additional algorithms
Previously, the dhcpd daemon supported only the HMAC-MD5 hashing algorithm, which is considered insecure for critical applications. As a consequence, Dynamic DNS (DDNS) updates were potentially insecure. This update adds support for the additional algorithms HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, and HMAC-SHA512. (BZ#1396985)
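The following configuration pair is an added example, not from the release note or from ISC, of a dhcpd that sends standard dynamic DNS updates signed with an HMAC-SHA256 TSIG key to a BIND server, covering both of the preceding notes. The zone, addresses and key name are hypothetical; the secret is a constructed placeholder of the right shape (base64 of 32 bytes) that must be replaced with the output of `ddns-confgen -a hmac-sha256 -k ddns-key`. The keyword standard for ddns-update-style is assumed to be the style this update adds.

```conf
# Added example, not from the release note. Hosts, zone and key material are
# hypothetical; generate the real secret with
#   ddns-confgen -a hmac-sha256 -k ddns-key
# and paste the same key { } block into both files.

# --- /etc/dhcp/dhcpd.conf (excerpt) ---
ddns-update-style standard;          # RFC 2136 dynamic updates
ddns-domainname "lab.example.com.";
ddns-rev-domainname "in-addr.arpa.";
update-static-leases off;

key ddns-key {
    algorithm hmac-sha256;           # not hmac-md5
    secret "u8pQ9m1Z4m8S7mYk0gKq2R5dWb3rTQ9hN0Ll5H3kJrA=";   # placeholder
}

zone lab.example.com. {
    primary 192.0.2.53;
    key ddns-key;
}

zone 2.0.192.in-addr.arpa. {
    primary 192.0.2.53;
    key ddns-key;
}

subnet 192.0.2.0 netmask 255.255.255.0 {
    range 192.0.2.100 192.0.2.200;
    option domain-name "lab.example.com";
    ddns-updates on;
}

# --- /etc/named.conf on 192.0.2.53 (excerpt) ---
key "ddns-key" {
    algorithm hmac-sha256;
    secret "u8pQ9m1Z4m8S7mYk0gKq2R5dWb3rTQ9hN0Ll5H3kJrA=";   # same placeholder
};

zone "lab.example.com" IN {
    type master;
    file "dynamic/lab.example.com.db";
    # The DHCP key may change any name under the zone apex, and nothing else.
    update-policy { grant ddns-key zonesub ANY; };
};

zone "2.0.192.in-addr.arpa" IN {
    type master;
    file "dynamic/2.0.192.in-addr.arpa.db";
    update-policy { grant ddns-key zonesub ANY; };
};
```

The algorithm name must match on both sides; a server still configured with hmac-md5 rejects updates signed with the new key, which shows up in the dhcpd log as failed updates rather than as a configuration error. Keep the key block out of world-readable files: the secret authorizes anyone who holds it to rewrite the zone.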
IPTABLES_SYSCTL_LOAD_LIST now supports the sysctl.d files
The sysctl settings listed in IPTABLES_SYSCTL_LOAD_LIST are reloaded by the iptables init script when the iptables service is restarted. Previously, the modified settings were searched for only in the /etc/sysctl.conf file. This update adds support for searching for these modifications in the /etc/sysctl.d/ directory as well. As a result, user-provided files in /etc/sysctl.d/ are now correctly taken into account when the iptables service is restarted. (BZ#1402021)
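The following is an added example, not the iptables init script itself, that reproduces the lookup behind IPTABLES_SYSCTL_LOAD_LIST so the values that will be applied on restart can be checked first. It searches /etc/sysctl.d/*.conf and then /etc/sysctl.conf, in the precedence `sysctl --system` uses (the last match wins); whether the init script orders the files identically is an assumption. SYSCTL_ROOT (an alternate root for testing), SYSCTL (the command used to apply values) and the function names are choices made for this example.

```shell
#!/bin/sh
# Added example, not from the release note or the iptables init script:
# show which value each IPTABLES_SYSCTL_LOAD_LIST item resolves to, then
# apply it. SYSCTL_ROOT and SYSCTL are hypothetical knobs for testing:
# set SYSCTL="echo sysctl" for a dry run.
SYSCTL_ROOT="${SYSCTL_ROOT:-}"
SYSCTL="${SYSCTL:-sysctl}"

# Print the winning "key=value" for one list item (a substring such as
# ".nf_conntrack_max"), or nothing if no file defines it.
resolve_sysctl() {
    item=$1
    # Same precedence as "sysctl --system": sysctl.d fragments in name
    # order, then /etc/sysctl.conf last, so the last match wins.
    for f in "$SYSCTL_ROOT"/etc/sysctl.d/*.conf "$SYSCTL_ROOT/etc/sysctl.conf"; do
        [ -r "$f" ] || continue
        grep -F -- "$item" "$f" || true
    done \
      | grep -Ev '^[[:space:]]*([#;]|$)' \
      | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*=[[:space:]]*/=/' -e 's/[[:space:]]*$//' \
      | tail -n 1
}

# Apply every item in the list. Returns 1 if any item has no definition or
# fails to apply, so a typo in IPTABLES_SYSCTL_LOAD_LIST is noticed.
load_sysctl_list() {
    rc=0
    for item in $IPTABLES_SYSCTL_LOAD_LIST; do
        kv=$(resolve_sysctl "$item")
        if [ -z "$kv" ]; then
            echo "no sysctl definition found for $item" >&2
            rc=1
            continue
        fi
        $SYSCTL -w "$kv" || rc=1
    done
    return $rc
}
```

The list items are matched as substrings, which is why the conventional entries start with a dot (".nf_conntrack_max" does not match nf_conntrack_max_something_else). Running `SYSCTL="echo sysctl" load_sysctl_list` after sourcing the script prints the exact sysctl -w lines without changing anything.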
SCTP now supports MSG_MORE
The MSG_MORE flag is set to buffer small pieces of data until a full packet is ready for transmission or until a call is made that does not specify this flag. This update adds support for MSG_MORE on the Stream Control Transmission Protocol (SCTP). As a result, small data chunks can be buffered and sent as a full packet. (BZ#1409365)
MACsec rebased to version 4.13
The Media Access Control Security (MACsec) driver has been upgraded to upstream version 4.13, which provides a number of bug fixes and enhancements over the previous version. Notable enhancements include:
- Generic Receive Offload (GRO) and Receive Packet Steering (RPS) are enabled on MACsec devices.
- The MODULE_ALIAS_GENL_FAMILY module alias has been added, so the macsec module is loaded automatically when its generic netlink family is requested. This helps tools such as wpa_supplicant to start even if the module is not loaded yet. (BZ#1467335)
Enhanced performance when using the mlx5 driver in Open vSwitch
The Open vSwitch (OVS) application enables virtual machines to communicate with each other and with the physical network. OVS resides in the hypervisor, and switching is based on twelve-tuple matching on flows. However, the software-based OVS solution is very CPU-intensive. This affects system performance and prevents using the full available bandwidth.
With this update, the mlx5 driver for Mellanox ConnectX-4, ConnectX-4 Lx, and ConnectX-5 adapters can offload OVS. The Mellanox Accelerated Switching And Packet Processing (ASAP2) Direct technology offloads OVS by handling the OVS data plane in the Mellanox Embedded Switch (eSwitch) of ConnectX-4 and later network interface cards, while keeping the OVS control plane unmodified. As a result, OVS performance is significantly higher and less CPU-intensive.
The actions currently supported by ASAP2 Direct include packet parsing and matching, forward and drop, VLAN push/pop, and VXLAN encapsulation and decapsulation. (BZ#1456687)
The Netronome NFP Ethernet driver now supports the representor netdev feature
This update backports the representor netdev feature for the Netronome NFP Ethernet driver to Red Hat Enterprise Linux 7.5. This enhancement enables the driver:
- To receive and transmit fallback traffic
- To be used in Open vSwitch
- To support programming flows into the NFP hardware by using the TC-Flower classifier (BZ#1454745)
Support for offloading TC-Flower actions
This update adds support for offloading the TC-Flower classifier and the actions related to offloading of Open vSwitch. This allows acceleration of Open vSwitch using Netronome SmartNICs. (BZ#1468286)
DNS stub resolver improvements
The DNS stub resolver in the glibc package has been updated to the upstream glibc version 2.26. Notable improvements and bug fixes include:
- Changes to the /etc/resolv.conf file are now automatically recognized and applied to running programs. To restore the previous behavior, add the no-reload option to the options line in /etc/resolv.conf. Note that depending on the system configuration, the /etc/resolv.conf file might be automatically overwritten as part of the configuration of the networking subsystem, removing the no-reload option.
- The previous limit of six search domain entries has been removed. You can now specify any number of domains with the search directive in /etc/resolv.conf. Note that additional entries may add significant overhead to DNS processing; consider running a local caching resolver if the number of entries exceeds three.
- The handling of various boundary conditions in the getaddrinfo() function has been fixed. Very long lines in the /etc/hosts file (including comments) no longer affect lookup results from other lines. Unexpected terminations related to stack exhaustion on systems with certain /etc/hosts configurations no longer occur.
- Previously, when the rotate option was enabled in /etc/resolv.conf, the first DNS query of a new process was always sent to the second name server configured in the name server list in /etc/resolv.conf. This behavior has been changed, and the first DNS query now randomly selects a name server from the list. Subsequent queries rotate through the available name servers, as before. (BZ#677316, BZ#1432085, BZ#1257639, BZ#1452034, BZ#1329674)