Networking

The following features, enhancements, and changes related to networking are introduced in this Oracle Linux 9 release.

nmstate Includes a priority Bond Property

You can set the priority of bond ports through the priority property in the ports-config section of an nmstate framework configuration file. Example YAML file content might look as follows:

---
interfaces:
- name: bond99
  type: bond
  state: up
  link-aggregation:
    mode: active-backup
    ports-config:
    - name: eth2
      priority: 15

When an active port within the bonded interface is down, the Oracle Linux kernel re-elects the next active port with the highest numerical value in the priority property, from the pool of all backup ports.

The priority property is relevant for the following modes of the bond interface:

  • active-backup

  • balance-tlb

  • balance-alb

nmstate Attributes Available for VLAN Interfaces

The nmstate framework is updated to introduce new VLAN configuration attributes:

  • registration-protocol: VLAN Registration Protocol. Values can be set to:
    • gvrp (GARP VLAN Registration Protocol)
    • mvrp (Multiple VLAN Registration Protocol)
    • none

  • reorder-headers: a Boolean attribute to control whether output packet headers are reordered.

  • loose-binding: a Boolean attribute to control loose binding of the interface to the operating state of its primary device.

A configuration entry might look similar to the following:

---
interfaces:
  - name: eth1.101
    type: vlan
    state: up
    vlan:
      base-iface: eth1
      id: 101
      registration-protocol: mvrp
      loose-binding: true
      reorder-headers: true

nmstate Can Configure MACsec Interfaces

The nmstate framework is updated so that you can configure MACsec interfaces to protect their communication on Layer 2 of the Open Systems Interconnection (OSI) model, removing any requirement to encrypt individual services later on Layer 7.

nmstate Can Configure IPSec Interfaces

The nmstate framework is updated so that you can configure IPSec VPN interfaces by using the underlying Libreswan utility. You can configure a selection of Libreswan VPN network layouts, and authentication types with either tunnel (default) or transport configuration modes. See https://nmstate.io/features/ipsec.html for more information.

nmstate YAML file to Revert Network Changes

To change the network configuration, you can create a YAML network configuration file with new network configuration settings. Before you apply this configuration file, you can use Nmstate to create a reversion file that identifies the differences between the new configuration and the current configuration. You can apply this reversion file in case the new configuration file causes any problems.

To revert the settings to the previous settings, do the following:
  1. Create a YAML file with the new network configuration. For example, new_network_config.yml.
  2. Create a revert configuration file that contains the differences between intended settings in new_network_config.yml and the current state. For example, run the following command:
    nmstatectl gr new_network_config.yml revert.yml
  3. Apply the configuration from new_network_config.yml.
  4. If you later want to switch back to the previous state, apply the revert.yml file.

If you use the Nmstate API to create a revert configuration, you can also use the NetworkState::generate_revert(current) call to perform the reversion.

netfilter Update

With the update to RHCK to version 5.14.0-405 in Oracle Linux 9, several updates to the netfilter component of the Oracle Linux kernel are now available. This update enables the nftables subsystem to match various inner header fields of tunnel packets for more granular and effective control over network traffic.

firewalld Updated Handling of iptables Configuration

The firewalld service is updated so that it doesn't remove all existing rules from the iptables configuration if both of the following conditions are met:

  • firewalld is using the nftables back end.

  • No firewall rules were created with the --direct option.

Unnecessary operations, such as firewall rule flushes, are avoided to improve performance. Integration with other software that might use iptables configuration is also improved.

nft Resets nftables rule-contained states

nft reset resets nftables rule-contained states. For example, you can reset counter and quota statement values.

NetworkManager Includes an Option To Disable Sending a client-identifier

You can now set the ipv4.dhcp-client-id connection property to none to disable sending the client identifier for DHCP server configurations that might require that a client doesn't send a client identifier. Note that setting this option is normally not recommended. When this option isn't configured, a globally configured default from NetworkManager.conf is used. If no configuration for the client-identifier is found in NetworkManager.conf, the client identifier value depends on the DHCP client in use.

ss utility Improved Visibility of TCP Bound-Inactive Sockets

The socket services ss utility now supports kernel dumps of TCP bound-inactive sockets. TCP bound-inactive sockets are attached to an IP address and a port number but are neither connected nor listening on TCP ports.

To dump all sockets, including TCP bound-inactive sockets, use the following command:

    ss --all

To dump only bound-inactive sockets, use the following command:

    ss --bound-inactive
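
The following added example (not part of the Oracle documentation) creates a TCP socket in the bound-inactive state described above and shows why such sockets matter for a socket inventory: the port is held against other binders even though the socket is neither listening nor connected. The function names are hypothetical; the final ss call uses the option named on this page and only works where ss and the kernel support it.

```python
import errno
import shutil
import socket
import subprocess


def open_bound_inactive(host="127.0.0.1"):
    """bind() to an ephemeral port, then stop: no listen(), no connect()."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, 0))
    return sock


def describe(sock):
    """Return the properties that make a TCP socket bound-inactive."""
    addr, port = sock.getsockname()
    listening = bool(sock.getsockopt(socket.SOL_SOCKET, socket.SO_ACCEPTCONN))
    try:
        sock.getpeername()
        connected = True
    except OSError:  # ENOTCONN: the socket has no peer
        connected = False
    return {"addr": addr, "port": port,
            "listening": listening, "connected": connected}


def port_is_held(host, port):
    """True if a fresh bind() to host:port is refused with EADDRINUSE."""
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.bind((host, port))
        return False
    except OSError as exc:
        return exc.errno == errno.EADDRINUSE
    finally:
        probe.close()


if __name__ == "__main__":
    held = open_bound_inactive()
    info = describe(held)
    print(info, "held:", port_is_held(info["addr"], info["port"]))
    if shutil.which("ss"):
        # Older ss builds or kernels reject this option; that is not fatal here.
        subprocess.run(["ss", "-tn", "--bound-inactive"], check=False)
    held.close()
```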

iptables Updated to Version 1.8.10

iptables is updated to version 1.8.10, with several upstream bug fixes and enhancements.

nftables Updated to Version 1.0.9

nftables is updated to version 1.0.9, with several upstream bug fixes and enhancements.

firewalld Updated to Version 1.3

The firewalld package is updated to version 1.3, with several upstream bug fixes and enhancements.