Chapter 18. Networking
The following chapters contain the most notable changes to networking between RHEL 8 and RHEL 9.
18.1. Kernel
WireGuard VPN is available as a Technology Preview
WireGuard, which Red Hat provides as an unsupported Technology Preview, is a high-performance VPN solution that runs in the Linux kernel. It uses modern cryptography and is easier to configure than other VPN solutions. Additionally, the small code base of WireGuard reduces the attack surface and, therefore, improves security.
For further details, see Setting up a WireGuard VPN.
The PRP and HSR protocols are available as a Technology Preview
Starting with RHEL 9.3, the hsr kernel module is available as an unsupported Technology Preview. The module provides the following protocols:
- Parallel Redundancy Protocol (PRP)
- High-availability Seamless Redundancy (HSR)
The IEC 62439-3 standard defines these protocols, and you can use this feature to configure zero-loss redundancy in Ethernet networks.
Segment Routing over IPv6 (SRv6) is available as a Technology Preview
The RHEL 9.3 kernel provides Segment Routing over IPv6 (SRv6) as an unsupported Technology Preview. You can use this functionality to optimize traffic flows in edge computing or to improve network programmability in data centers. However, the most significant use case is end-to-end (E2E) network slicing in 5G deployment scenarios. In that area, the SRv6 protocol provides programmable custom network slices and resource reservations to address the network requirements of specific applications or services. At the same time, the solution can be deployed on a single-purpose appliance, and it satisfies the need for a smaller computational footprint.
NetworkManager and the Nmstate API support MACsec hardware offload
You can use both NetworkManager and the Nmstate API to enable MACsec hardware offload if the hardware supports this feature. As a result, you can offload MACsec operations, such as encryption, from the CPU to the network interface card.
Note that this feature is an unsupported Technology Preview.
18.2. Network Types
Network teams are deprecated
The teamd service and the libteam library are deprecated in Red Hat Enterprise Linux 9 and will be removed in the next major release. As a replacement, configure a bond instead of a network team.
Red Hat focuses its efforts on kernel-based bonding to avoid maintaining two features, bonds and teams, that have similar functions. The bonding code has high customer adoption, is robust, and has active community development. As a result, the bonding code receives enhancements and updates.
For details about how to migrate a team to a bond, see Migrating a network team configuration to network bond.
18.3. NetworkManager
NetworkManager stores new network configurations in a key file format
Previously, NetworkManager stored new network configurations in /etc/sysconfig/network-scripts/ in the ifcfg format. Starting with RHEL 9.0, RHEL stores new network configurations in /etc/NetworkManager/system-connections/ in a key file format. Connections whose configurations are stored in /etc/sysconfig/network-scripts/ in the old format continue to work without interruption. Modifications to existing profiles continue to update the older files.
If Red Hat adds support for more connection profile properties, note that these properties work only in profiles in keyfile format.
The WEP Wi-Fi connection method has been removed
The insecure wired equivalent privacy (WEP) Wi-Fi connection method has been removed from RHEL 9. For secure Wi-Fi connections, use the Wi-Fi Protected Access 3 (WPA3) or WPA2 connection methods.
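One way to find Wi-Fi profiles that stop connecting after the move to RHEL 9, as an added example that is not part of the Red Hat documentation: it parses profiles in the key file format described above and flags WEP. It assumes the NetworkManager key-mgmt values none (static WEP) and ieee8021x (dynamic WEP); the function names and sample profiles are constructed, and profiles still stored in the ifcfg format are not covered.

```python
import configparser

# Constructed sample profile in NetworkManager key file format, as stored
# under /etc/NetworkManager/system-connections/ (not taken from the page).
SAMPLE_WEP = """\
[connection]
id=warehouse-scanner
type=wifi

[wifi]
ssid=warehouse

[wifi-security]
key-mgmt=none
wep-key0=0123456789
"""
SAMPLE_WPA2 = SAMPLE_WEP.replace("key-mgmt=none\nwep-key0=0123456789",
                                 "key-mgmt=wpa-psk\npsk=constructed-passphrase")

# Assumption: key-mgmt values that mean WEP in the wifi-security section.
WEP_KEY_MGMT = {"none": "static WEP", "ieee8021x": "dynamic WEP"}

def _get(cp, sections, key):
    """Read key from the first section name present (short or long alias)."""
    for section in sections:
        if cp.has_option(section, key):
            return cp.get(section, key)
    return None

def wep_finding(keyfile_text):
    """Return 'static WEP' / 'dynamic WEP' for a WEP profile, else None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(keyfile_text)
    if _get(cp, ["connection"], "type") not in ("wifi", "802-11-wireless"):
        return None  # not a Wi-Fi profile
    key_mgmt = _get(cp, ["wifi-security", "802-11-wireless-security"],
                    "key-mgmt")
    return WEP_KEY_MGMT.get(key_mgmt)  # None for WPA2/WPA3 and open networks

def audit(profiles):
    """Map profile file name -> finding for every profile that uses WEP."""
    findings = {name: wep_finding(text) for name, text in profiles.items()}
    return {name: f for name, f in findings.items() if f}
```

Pass audit() a dictionary of file name to file content read from the system-connections directory; every entry it returns needs a WPA2 or WPA3 replacement on the access point and in the profile.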
dhclient in NetworkManager is now deprecated
Instead of the default internal DHCP library, NetworkManager in RHEL 9 can be configured to use a DHCP client from the dhclient package. The option to use dhclient is now deprecated and results in a warning displayed at the NetworkManager startup. We recommend that you switch to the internal DHCP library. In RHEL 10, dhclient is no longer available and the applications configured to use dhclient now use the internal DHCP library instead.
18.4. MPTCP
The mptcpd service is available
With this update, the mptcpd service is available for use. It is a user-space MPTCP path manager with an integrated mptcpize tool.
The mptcpd service provides simplified automatic configuration of the MPTCP paths. This improves the reliability of the MPTCP socket in case of network failure or reconfiguration.
You can now use the mptcpize tool to enable the MPTCP protocol on existing systemd units without additional external dependencies.
18.5. Firewall
The ipset and iptables-nft packages have been deprecated
The ipset and iptables-nft packages have been deprecated in RHEL. The iptables-nft package contains different tools such as iptables, ip6tables, ebtables and arptables. These tools will no longer receive new features and using them for new deployments is not recommended. As a replacement, it is recommended to use the nft command line tool provided by the nftables package. Existing setups should migrate to nft when possible.
For more information about migrating to nftables, see Migrating from iptables to nftables, as well as the iptables-translate(8) and ip6tables-translate(8) man pages.
The unsupported xt_u32 Netfilter module has been removed
RHEL 8 contained the unsupported xt_u32 module, which enabled iptables users to match arbitrary 32 bits in the packet header or payload. This module has been removed from RHEL 9. As a replacement, use the nftables packet filtering framework. If no native match exists in nftables, use the raw payload matching feature of nftables. For details, see the raw payload expression section in the nft(8) man page on your system.
18.6. Infiniband and RDMA networks
The ibdev2netdev script has been removed from RHEL 9
ibdev2netdev was a helper utility that was able to display all the associations between network devices and Remote Direct Memory Access (RDMA) adapter ports. Previously, Red Hat included ibdev2netdev in the rdma-core package. From Red Hat Enterprise Linux 9, ibdev2netdev has been removed and replaced by the rdmatool utility. Now, the iproute package includes rdmatool.
18.7. Removed functionality
RHEL 9 does not contain the legacy network scripts
RHEL 9 does not contain the network-scripts package that provided the deprecated legacy network scripts in RHEL 8. To configure network connections in RHEL 9, use NetworkManager. For details, see the Configuring and managing networking documentation.
The unsupported xt_u32 Netfilter module has been removed
RHEL 8 contained the unsupported xt_u32 module, which enabled iptables users to match arbitrary 32 bits in the packet header or payload. This module has been removed from RHEL 9. As a replacement, use the nftables packet filtering framework. If no native match exists in nftables, use the raw payload matching feature of nftables. For details, see the raw payload expression section in the nft(8) man page on your system.
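An added example, not part of the Red Hat documentation, for rewriting xt_u32 rules: it translates the simple u32 form "offset & mask = value" into an nft raw payload match of the form @base,offset,length, which counts in bits where u32 counts in bytes. The helper name u32_to_nft is hypothetical, and expressions with shifts, @ indirection or && chains are rejected so that they get translated by hand.

```python
import re

# Matches only the simple u32 form "offset & mask = value[:high]".
_SIMPLE = re.compile(r"^\s*(\w+)\s*&\s*(\w+)\s*=\s*(\w+)(?::(\w+))?\s*$")

def u32_to_nft(test, base="nh"):
    """Translate one simple u32 test into an nft raw payload match.

    u32 reads 4 bytes, big-endian, at a byte offset from the IP header.
    nft base "nh" is the network header, so both count from the same place.
    """
    m = _SIMPLE.match(test)
    if not m:
        # Shifts (>>, <<), indirection (@) and && chains need manual work.
        raise ValueError(f"unsupported u32 expression: {test!r}")
    offset, mask, low = (int(g, 0) for g in m.group(1, 2, 3))
    high = int(m.group(4), 0) if m.group(4) else None
    if not 0 < mask <= 0xFFFFFFFF:
        raise ValueError("mask must be a non-zero 32-bit value")
    trailing = (mask & -mask).bit_length() - 1   # zero bits below the field
    length = mask.bit_length() - trailing        # field width in bits
    if (mask >> trailing) != (1 << length) - 1:
        raise ValueError("non-contiguous mask: no single raw payload field")
    leading = 32 - mask.bit_length()             # zero bits above the field
    bit_offset = offset * 8 + leading            # nft offsets are in bits
    for bound in (low, high):
        if bound is not None and bound & ~mask:
            raise ValueError("value has bits outside the mask")
    rhs = hex(low >> trailing)                   # compare the field itself
    if high is not None:
        rhs += "-" + hex(high >> trailing)       # u32 "a:b" range -> nft "a-b"
    return f"@{base},{bit_offset},{length} {rhs}"

if __name__ == "__main__":
    # Constructed inputs: IP protocol byte is ICMP; total length >= 256.
    for expr in ("6 & 0xFF = 1", "0 & 0xFFFF = 0x100:0xFFFF"):
        print(f"{expr!r:32} -> {u32_to_nft(expr)}")
```

As nft(8) notes, nft adds no protocol dependency for a raw payload expression, so in an inet table the translated match needs an explicit guard such as meta nfproto ipv4 in front of it.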
Data Encryption Standard (DES) algorithm is not available for net-snmp communication in Red Hat Enterprise Linux 9
In previous versions of RHEL, DES was used as an encryption algorithm for secure communication between net-snmp clients and servers. In RHEL 9, the DES algorithm isn’t supported by the OpenSSL library. The algorithm is marked as insecure and hence the DES support for net-snmp has been removed.