NetworkManager big update

From RHEL 7.2 to RHEL 7.3, NetworkManager moved from v1.0.6 to v1.4.0: a lot of things have changed.

Color is everywhere!



NetworkManager now uses colors to match the status of a device or a connection and sorts the output for better clarity.

Simplicity



Invoking nmcli without arguments displays all the network interfaces in an ifconfig-like style.

Also, connection add syntax is now consistent with connection modify.

Clever completion

When asking for completion, NetworkManager no longer proposes inappropriate arguments: here the connection called Hotspot can’t be chosen because it is already inactive.

# nmcli con down [tab]
apath  id  path  virbr0  vlan40  help  Internet  uuid  vlan30

Flexibility

You need a bridge over VLAN? Software devices (bond, bridge, vlan, team, …) can now be stacked arbitrarily. The nmcli interface for creating master-slave relationships has been significantly improved by adding a ‘master’ argument to all link types.

IPv6 security improvements

IPv6 connection properties have been added, such as:

ipv6.addr-gen-mode: stable privacy addressing is a tracking prevention mechanism implementing RFC7217 (more details here); when enabled the property takes stable-privacy as value, and eui64 when disabled.

ipv6.ip6-privacy: the privacy extension is a way to randomize MAC address as defined by RFC4941 (more details here and here); when enabled the property takes 1, and 0 otherwise.
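To make the difference between the two ipv6.addr-gen-mode values concrete, here is an added example (not from the original article and not NetworkManager's own code) that derives the interface identifier both ways. It assumes a /64 prefix, SHA-256 as the RFC7217 function F, and length-prefixed fields; the MAC, secret, interface name and network names are constructed sample values.

```python
import hashlib
import ipaddress

def low64(addr):
    """Interface identifier: the low 64 bits of an IPv6 address."""
    return int(addr) & 0xFFFFFFFFFFFFFFFF

def eui64_address(prefix, mac):
    """eui64 mode: the IID is the MAC with ff:fe inserted (RFC 4291, App. A)."""
    b = bytearray(bytes.fromhex(mac.replace(":", "")))
    b[0] ^= 0x02  # flip the universal/local bit
    iid = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))

def stable_privacy_address(prefix, ifname, network_id, dad_counter, secret):
    """RFC 7217: RID = F(Prefix, Net_Iface, Network_ID, DAD_Counter, secret_key).

    Assumptions of this sketch: F is SHA-256 and every field is
    length-prefixed so that the concatenation is unambiguous.
    """
    net = ipaddress.IPv6Network(prefix)
    fields = [net.network_address.packed[:8], ifname.encode(),
              network_id.encode(), bytes([dad_counter]), secret]
    h = hashlib.sha256()
    for f in fields:
        h.update(len(f).to_bytes(2, "big") + f)
    iid = h.digest()[-8:]  # least significant 64 bits of RID
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))

if __name__ == "__main__":
    # Constructed sample values: documentation prefixes, a made-up MAC and secret.
    mac, secret = "52:54:00:12:34:56", b"constructed-per-host-secret"
    for prefix, ssid in (("2001:db8:1::/64", "home"), ("2001:db8:2::/64", "cafe")):
        print(prefix, "eui64         ", eui64_address(prefix, mac))
        print(prefix, "stable-privacy",
              stable_privacy_address(prefix, "wlan0", ssid, 0, secret))
```

With eui64 the low 64 bits are identical on every network, so the host can be correlated across them; with the RFC7217 scheme they stay fixed on one network and change when the prefix changes.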

Wi-Fi improvements

Better security: several options have been added concerning the exposed MAC address of a Wi-Fi device during the scanning phase and after (see details here).

The 802-11-wireless.cloned-mac-address property can now receive the following values:

A MAC address: this was already supported before 1.4.0 and allows spoofing a specific MAC address.

permanent: use the permanent MAC address of the device. Before 1.4.0, the permanent MAC address was used if the cloned-mac-address property was left empty, thus it was the default. In 1.4.0, it is still the default.

preserve: don’t change the MAC address of the device upon activation.

random: generate a randomized value upon each connect.

stable: generate a stable, hashed MAC address.

Better Wi-Fi scanning: with recent versions of wpa_supplicant, NetworkManager scanning behavior has been improved (see details here).

Wi-Fi power saving: Wi-Fi power saving can now be enabled globally or on a per-connection basis.

Various improvements

Support for more devices: NetworkManager can now manage tun, tap, macvlan, vxlan and IP tunnel devices.

More flexible VPN support: many previous VPN restrictions have been removed. You can now import and export the VPN connection settings of most types of VPNs in the VPN’s native format using the nmcli connection export and nmcli connection import commands.

Compatibility with namespace-based containers: NetworkManager now runs fine in LXC and Docker.

Hostname management: hostname is now managed via systemd-hostnamed.

DHCP: timeout for DHCP requests can now be modified using the ipv4.dhcp-timeout property.

IPv4: support for detecting duplicate IPv4 addresses, with a timeout configurable through the ipv4.dad-timeout connection property, is now available.

Rollback: an API for using configuration snapshots that automatically roll back after a timeout has been added. Remote network configuration tools like Cockpit can use this new feature to avoid situations where a mistake in the configuration makes the remote host unreachable.

DNS client: a new dns-priority property of ipv4 and ipv6 settings can be used to tweak the order of servers in resolv.conf. This will make things easier for users who often use multiple active connections.

Bandwidth monitoring: RX/TX counters of transferred bytes per interface are now exposed on D-Bus. With this, client applications can monitor the bandwidth.

There are other improvements, but too many to list them all here!

Sources:

Additional Resources

You can also read this Red Hat Article about setting up MACsec using wpa_supplicant and NetworkManager.

Support for OpenVSwitch bridge, bond and VLAN has been added to NetworkManager but is still not integrated in the RHEL 7.4 release.

In addition, you can read some elements of History of NetworkManager in RHEL/CentOS.

Since then, NetworkManager 1.16 has been released. You can get the change log here.