Networking
The following features, enhancements, and changes related to networking are introduced in this Oracle Linux 10 release.
Enable Duplicate Address Detection for IPv4 in NetworkManager
Duplicate Address Detection (DAD) is enabled for IPv4, ensuring that each IP address
within a network is unique when a new IP address is configured. The NetworkManager
ipv4.dad-timeout parameter is set to 200ms by
default. This parameter controls the duration for which the DAD check runs.
xdp-tools Released at Version 1.5.1
The xdp-tools package is released at version 1.5.1, which includes various
enhancements and bug fixes.
nftables Released at Version 1.1.1
The nftables framework includes changes from upstream versions 1.1.0 and 1.1.1, bringing several bug fixes and enhancements. This update introduces several notable changes, including JSON format for many devices and improved performance when listing tables.
The update also adds virtual local area network (VLAN) ID match and set support, encompassing the 802.1ad (Q-in-Q) standard. It also provides zero burst in byte rate limiter and egress for list hooks. Furthermore, the update addresses listing inconsistencies in the nft list hooks command.
For a comprehensive understanding of the changes and enhancements, see the upstream release notes for versions 1.1.0 and 1.1.1, available at https://www.netfilter.org/projects/nftables/files/changes-nftables-1.1.0.txt and https://www.netfilter.org/projects/nftables/files/changes-nftables-1.1.1.txt.
iptables Released at Version 1.8.11
The iptables framework is upgraded to version 1.8.11, providing several bug fixes and enhancements.
firewalld Released at Version 2.3.0
The firewalld service is released at version 2.3.0, introducing
several enhancements. A notable addition is the StrictForwardPorts
configuration option, which allows firewalld to be more restrictive
about Destination NAT traffic when enabled. With this option set to
yes, only explicitly enabled forward ports are allowed, blocking
container-published ports.
The update also expands support for various services, including the Advanced Linux Sound Architecture (ALSA) sequencer (aseqnet) for client/server, Music Player Daemon (MPD), Radsec, and SlimeVR. For a comprehensive overview of the release updates, see the upstream repository at https://github.com/firewalld/firewalld/releases/tag/v2.3.0.
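One way to check whether a host has StrictForwardPorts turned on, as an added example that is not firewalld or Oracle tooling. It assumes the option is set in /etc/firewalld/firewalld.conf, and it reports anything other than a single explicit yes or no as a state to review rather than guessing what the daemon will apply.

```shell
#!/bin/sh
# Added example, not firewalld's own tooling.
# Prints the StrictForwardPorts state found in a firewalld.conf file:
#   yes | no | unset | ambiguous | invalid | unreadable
# Exit status is 0 only when the option is explicitly set to "yes".
strict_forward_ports() {
    conf=${1:-/etc/firewalld/firewalld.conf}   # assumed default location
    if [ ! -r "$conf" ]; then
        echo "unreadable"
        return 2
    fi
    # Commented-out lines never match: their key starts with the comment
    # character, so it differs from "StrictForwardPorts".
    awk '
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "StrictForwardPorts") { n++; v = val }
        }
        END {
            if (n == 0)     { print "unset";     exit 1 }
            if (n > 1)      { print "ambiguous"; exit 1 }  # duplicate definitions
            if (v == "yes") { print "yes";       exit 0 }
            if (v == "no")  { print "no";        exit 1 }
            print "invalid"; exit 1
        }
    ' "$conf"
}

# Constructed sample configuration so the script runs stand-alone.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# firewalld config file (constructed sample)
DefaultZone=public
#StrictForwardPorts=no
StrictForwardPorts=yes
EOF
echo "StrictForwardPorts: $(strict_forward_ports "$sample")"
rm -f "$sample"
```

On a real host, call strict_forward_ports with no argument and treat any result other than yes as a host where container-published ports may still be reachable.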
The Kernel Provides the netkit Network Device Type
The kernel is enhanced with the netkit network device type for
high-performance networking in containers using Berkeley Packet Filter (BPF). This
improvement is expected to boost the efficiency, scalability, and responsiveness of
containerized applications that use a Container Network Interface (CNI) compatible with
the netkit network device type, making it beneficial for cloud environments and
high-throughput systems.
nmstate Includes the require-id-on-certificate Setting for Libreswan Configuration
The nmstate API now includes the
require-id-on-certificate setting for Libreswan VPN configurations.
This feature enables users to configure Subject Alternative Name (SAN) validation for
IPsec connections, enhancing the security of VPN connections.
Automatic Reset for Problematic SR-IOV Virtual Functions in i40e Driver for RHCK
The Intel Network Adapter Driver for PCIe 40 Gigabit Ethernet, i40e, provided with RHCK, is
enhanced to automatically reset problematic Single Root I/O Virtualization (SR-IOV) virtual
functions (VFs) when a malicious driver detection (MDD) event is detected. This feature
disables Tx/Rx queues or drops the offending packet until a VF driver reset occurs, thereby
helping to prevent network disruptions caused by malfunctioning or malicious VFs.
The automatic reset is controlled by setting the mdd-auto-reset-vf option
for the Ethernet device, for example:
sudo ethtool --set-priv-flags eth0 mdd-auto-reset-vf on