Networking
The following features, enhancements, and changes related to networking are introduced in this Oracle Linux 9 release.
nmstate Includes a priority Bond Property
You can set priority of bond ports through the priority property in the ports-config section of an nmstate framework configuration file. Example YAML file content might look as follows:
---
interfaces:
- name: bond99
  type: bond
  state: up
  link-aggregation:
    mode: active-backup
    ports-config:
    - name: eth2
      priority: 15
When an active port within the bonded interface is down, the Oracle Linux kernel re-elects
the next active port with the highest numerical value in the priority
property, from the pool of all backup ports.
The priority property is relevant for the following modes of the bond interface:
- active-backup
- balance-tlb
- balance-alb
nmstate Attributes Available for VLAN Interfaces
The nmstate framework is updated to introduce new VLAN configuration attributes:
- registration-protocol: VLAN Registration Protocol. Values can be set to:
  - gvrp (GARP VLAN Registration Protocol)
  - mvrp (Multiple VLAN Registration Protocol)
  - none
- reorder-headers: a Boolean attribute to control whether output packet headers are reordered.
- loose-binding: a Boolean attribute to control loose binding of the interface to the operating state of its primary device.
A configuration entry might look similar to the following:
---
interfaces:
- name: eth1.101
  type: vlan
  state: up
  vlan:
    base-iface: eth1
    id: 101
    registration-protocol: mvrp
    loose-binding: true
    reorder-headers: true
nmstate Can Configure MACsec Interfaces
The nmstate framework is updated so that you can configure MACsec interfaces to protect their communication on Layer 2 of the Open Systems Interconnection (OSI) model, removing any requirement to encrypt individual services later on Layer 7.
nmstate Can Configure IPSec Interfaces
The nmstate framework is updated so that you can configure IPSec VPN interfaces by using the underlying Libreswan utility. You can configure a selection of Libreswan VPN network layouts, and authentication types with either tunnel (default) or transport configuration modes. See https://nmstate.io/features/ipsec.html for more information.
nmstate YAML file to Revert Network Changes
To change the network configuration, you can create a YAML network configuration file with new network configuration settings. Before you apply this configuration file, you can use Nmstate to create a reversion file that identifies the differences between the new configuration and the current configuration. You can apply this reversion file in case the new configuration file causes any problems.
- Create a YAML file with the new network configuration. For example, new_network_config.yml.
- Create a revert configuration file that contains the differences between intended settings in new_network_config.yml and the current state. For example, run the following command:
  nmstatectl gr new_network_config.yml revert.yml
- Apply the configuration from new_network_config.yml.
- If you now want to switch back to the previous state, apply the revert.yml file.
If you use the Nmstate API to create a revert configuration, you can also use the NetworkState::generate_revert(current) call to perform the reversion.
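The four steps above as a shell function, with a caller-supplied health check deciding whether the revert file is applied. This is an added example, not part of the Oracle release notes; it assumes nmstatectl gr prints the revert state to standard output (hence the redirection), and the function name, return codes and the address in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example, not Oracle's code. Assumption: `nmstatectl gr FILE`
# prints the revert state on standard output.
#
# apply_with_revert NEW_YAML REVERT_YAML CHECK_CMD [ARGS...]
# Returns: 0 new state applied and check passed
#          1 check failed, revert file applied
#          2 nothing changed (no usable revert file)
#          3 nmstatectl apply failed for the new or the revert file
apply_with_revert() {
    new=$1; revert=$2; shift 2

    [ -r "$new" ] || { echo "cannot read $new" >&2; return 2; }
    # An existing revert file may describe an earlier change; keep it.
    [ ! -e "$revert" ] || { echo "$revert already exists" >&2; return 2; }

    # Step 2: record the differences against the current state before
    # touching anything, in a file only the owner can read.
    if ! ( umask 077; nmstatectl gr "$new" > "$revert" ) ||
       [ ! -s "$revert" ]; then
        rm -f "$revert"
        echo "no revert file generated; $new not applied" >&2
        return 2
    fi

    # Step 3: apply the new configuration.
    nmstatectl apply "$new" >/dev/null || return 3

    # Caller-supplied health check, for example a ping to the gateway.
    if "$@"; then
        return 0
    fi

    # Step 4: switch back to the previous state.
    echo "health check failed; applying $revert" >&2
    nmstatectl apply "$revert" >/dev/null || return 3
    return 1
}

# Usage (host and file names are placeholders):
#   apply_with_revert new_network_config.yml revert.yml ping -c 3 192.0.2.1
```

The function refuses to apply anything unless a non-empty revert file was written first, so a failed generation step never leaves the host without a way back.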
netfilter Update
With the update to RHCK to version 5.14.0-405 in Oracle Linux 9, several updates to the netfilter component of the Oracle Linux kernel are now available. This update enables the nftables subsystem to match various inner header fields of tunnel packets for more granular and effective control over network traffic.
firewalld Updated Handling of iptables Configuration
The firewalld service is updated so that it doesn't remove all existing rules from the iptables configuration if both of the following conditions are met:
- firewalld is using the nftables back end.
- No firewall rules were created with the --direct option.
Unnecessary operations, such as firewall rule flushes, are avoided to improve performance. Integration with other software that might use iptables configuration is also improved.
nft Resets nftables rule-contained states
nft reset resets nftables rule-contained states. For example, you can reset counter and quota statement values.
NetworkManager Includes an Option To Disable Sending a client-identifier
You can now set the ipv4.dhcp-client-id connection property to none to disable sending the client identifier for DHCP server configurations that might require that a client doesn't send a client identifier. Note that setting this option is normally not recommended. When this option isn't configured, a globally configured default from NetworkManager.conf is used. If no configuration for the client-identifier is found in NetworkManager.conf, the client identifier value depends on the DHCP client in use.
ss utility Improved Visibility of TCP Bound-Inactive Sockets
The socket services ss utility now supports kernel dumps of TCP bound-inactive sockets. TCP bound-inactive sockets are attached to an IP address and a port number but are neither connected nor listening on TCP ports.
ss --all
ss --bound-inactive
iptables Updated to Version 1.8.10
iptables is updated to version 1.8.10, with several upstream bug fixes and enhancements.