Networking

The following features, enhancements, and changes related to networking are introduced in this Oracle Linux 10 release.

Enable Duplicate Address Detection for IPv4 in NetworkManager

Duplicate Address Detection (DAD) for IPv4 is enabled in NetworkManager, so that when a new IP address is configured, NetworkManager checks that the address is unique within the network. The NetworkManager ipv4.dad-timeout parameter, which controls how long the DAD check runs, is set to 200ms by default.

xdp-tools Released at Version 1.5.1

The xdp-tools package is released at version 1.5.1, which includes various enhancements and bug fixes.

nftables Released at Version 1.1.1

The nftables framework includes changes from upstream versions 1.1.0 and 1.1.1, bringing several bug fixes and enhancements. This update introduces several notable changes, including JSON format for many devices and improved performance when listing tables.

The update also adds virtual local area network (VLAN) ID match and set support, including the 802.1ad (Q-in-Q) standard. It also provides zero burst in the byte rate limiter and egress for list hooks. Furthermore, the update addresses listing inconsistencies in the nft list hooks command.

For a comprehensive understanding of the changes and enhancements, see the upstream release notes for versions 1.1.0 and 1.1.1, available at https://www.netfilter.org/projects/nftables/files/changes-nftables-1.1.0.txt and https://www.netfilter.org/projects/nftables/files/changes-nftables-1.1.1.txt.

iptables Released at Version 1.8.11

The iptables framework is upgraded to version 1.8.11, which provides several bug fixes and enhancements.

firewalld Released at Version 2.3.0

The firewalld service is released at version 2.3.0, introducing several enhancements. A notable addition is the StrictForwardPorts configuration option, which allows firewalld to be more restrictive about Destination NAT traffic when enabled. With this option set to yes, only explicitly enabled forward ports are allowed, blocking container-published ports.
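
The following check is an added example, not part of this documentation or the firewalld project: it reports whether StrictForwardPorts is enabled in a firewalld configuration file. It assumes the option is written as a key=value line in /etc/firewalld/firewalld.conf and is off when absent; the function name and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the StrictForwardPorts setting in a firewalld.conf.
# Assumptions: key=value syntax, whole-line "#" comments, option off when
# absent. Only the documented value "yes" is counted as enabled.

# strict_forward_ports FILE -> prints yes | no | conflict
strict_forward_ports() {
    awk -F= '
        /^[ \t]*#/ { next }                  # skip commented-out lines
        {
            key = $1; val = $2
            gsub(/[ \t\r]/, "", key)         # tolerate padding around "="
            gsub(/[ \t\r]/, "", val)
            if (key != "StrictForwardPorts") next
            val = tolower(val)
            # Two definitions that disagree are reported, not guessed at.
            if (seen && val != last) conflict = 1
            seen = 1; last = val
        }
        END {
            if (conflict)           print "conflict"
            else if (last == "yes") print "yes"
            else                    print "no"
        }
    ' "$1"
}

# Constructed sample configuration (not taken from a real host).
sample=$(mktemp)
printf '%s\n' \
    '# firewalld config file' \
    'DefaultZone=public' \
    '#StrictForwardPorts=yes' \
    'StrictForwardPorts = Yes' > "$sample"
echo "sample: StrictForwardPorts=$(strict_forward_ports "$sample")"
rm -f "$sample"

# On a real system (path is an assumption, see above):
#   strict_forward_ports /etc/firewalld/firewalld.conf
```

A result of "no" on a host that runs containers means published container ports are not restricted by this option; "conflict" means the file defines the option more than once with different values and should be cleaned up.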

The update also expands support for various services, including the Advanced Linux Sound Architecture (ALSA) sequencer (aseqnet) for client/server, Music Player Daemon (MPD), Radsec, and SlimeVR. For a comprehensive overview of the release updates, see the upstream repository at https://github.com/firewalld/firewalld/releases/tag/v2.3.0.

nmstate Includes the require-id-on-certificate Setting for Libreswan Configuration

The nmstate API now includes the require-id-on-certificate setting for Libreswan VPN configurations. This feature enables users to configure Subject Alternative Name (SAN) validation for IPsec connections, enhancing the security of VPN connections.

Automatic Reset for Problematic SR-IOV Virtual Functions in i40e Driver for RHCK

The Intel Network Adapter Driver for PCIe 40 Gigabit Ethernet, i40e, provided with RHCK, is enhanced to automatically reset problematic Single Root I/O Virtualization (SR-IOV) virtual functions (VFs) when a malicious driver detection (MDD) event is detected. This feature disables Tx/Rx queues or drops the offending packet until a VF driver reset occurs, thereby helping to prevent network disruptions caused by malfunctioning or malicious VFs.

The automatic reset is controlled by setting the mdd-auto-reset-vf option for the Ethernet device, for example:

sudo ethtool --set-priv-flags eth0 mdd-auto-reset-vf on