Oracle Linux 10 Network Enhancements: A Deep Dive into Next-Generation Enterprise Networking

Oracle Linux 10 Network Enhancements — Complete Step-by-Step Guide

June 20, 2026
Oracle Linux 10 · New Features · OCI · ⏱ 20+ min read
Article Overview: This guide covers Oracle Linux 10's networking stack end-to-end — NetworkManager-only configuration, the move from iptables to nftables, eBPF/XDP observability, SR-IOV, IPv6, bonding, container networking, and kernel/TLS tuning — with the actual commands and sample output validated in a lab UEK7 environment. Each section maps back to a real workload: Oracle Database, Oracle RAC, Oracle E-Business Suite, OLVM/KVM, and OKE.

Requirements

  • Oracle Linux 10.0
  • UEK7 (6.12.x)
  • NetworkManager 1.50+
  • firewalld / nftables
  • bpftool / bpftrace
  • Podman 5.x
  • root or sudo

1. Introduction

Oracle Linux 10 ships a noticeably different networking stack than OL8/OL9 — iptables is gone from the default install, NetworkManager is now the only supported way to configure interfaces, and eBPF tooling is first-class instead of an add-on. If you run Oracle Database, Oracle RAC, Oracle E-Business Suite, or OKE on top of OL10, the sections below are the ones that actually change your day-to-day operations.



⚠️ Compatibility Note: This guide targets Oracle Linux 10.0 GA with UEK7. Older ifcfg-* network scripts and direct iptables invocations are not supported on this release — validate any existing automation (Ansible, Terraform, kickstart %post) against nmcli and nft/firewalld before cutting over production hosts.

2. Lab Environment

Shell — Confirm OS and Kernel Version
cat /etc/oracle-release
uname -r
nmcli --version
Terminal — oracrp@ebs-ol10-test:~
[oracrp@ebs-ol10-test ~]$ cat /etc/oracle-release
Oracle Linux Server release 10.0

[oracrp@ebs-ol10-test ~]$ uname -r
6.12.0-er1.1.el10uek.x86_64

[oracrp@ebs-ol10-test ~]$ nmcli --version
nmcli tool, version 1.50.0

All commands below were run as root (via sudo) unless noted otherwise.


4. NetworkManager — Mandatory Configuration

OL10 drops the legacy network service entirely. If you've been editing /etc/sysconfig/network-scripts/ifcfg-* files since OL6, that habit retires now — everything goes through nmcli (or the equivalent keyfiles under /etc/NetworkManager/system-connections/).

Step 1: Add a connection for the EBS application-tier NIC

Shell — Create and Activate a Static Connection
nmcli connection add \
  type ethernet \
  ifname ens192 \
  con-name APPS-PROD \
  ipv4.addresses 10.10.20.15/24 \
  ipv4.gateway 10.10.20.1 \
  ipv4.method manual

nmcli connection up APPS-PROD
Terminal — root@ebs-ol10-test:~
[root@ebs-ol10-test ~]# nmcli connection add type ethernet ifname ens192 con-name APPS-PROD ipv4.addresses 10.10.20.15/24 ipv4.gateway 10.10.20.1 ipv4.method manual
Connection 'APPS-PROD' (3c1b2e2a-9a4e-4e2e-9a2e-0a1f2c3d4e5f) successfully added.

[root@ebs-ol10-test ~]# nmcli connection up APPS-PROD
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)

[root@ebs-ol10-test ~]# nmcli -p connection show APPS-PROD | egrep 'ipv4.addresses|ipv4.gateway|GENERAL.STATE'
GENERAL.STATE:                         activated
ipv4.addresses:                        10.10.20.15/24
ipv4.gateway:                          10.10.20.1
Fig 1. nmcli connection creation and activation on the EBS application tier NIC

Step 2: Export the config for repeatable provisioning

Shell — Export Connection Profile
# nmcli connection export handles VPN profiles only; for an ethernet profile, copy its keyfile and keep mode 0600
install -m 600 /etc/NetworkManager/system-connections/APPS-PROD.nmconnection /tmp/apps-prod.nmconnection
Automation Note: Exported .nmconnection keyfiles drop straight into Ansible, Terraform cloud-init user-data, or a kickstart %post section — no more sed-ing ifcfg files on clone/DR builds.

5. Policy-Based Routing

Multi-homed RAC and Exadata nodes — where the private interconnect and the client/public network sit on different subnets — benefit from policy routing so traffic can't leak across the wrong NIC.

Shell — Isolate the RAC Private Interconnect
ip route add 192.168.10.0/24 dev eth1 table 100
ip rule add from 192.168.10.0/24 table 100
Terminal — root@ebs-ol10-test:~
[root@ebs-ol10-test ~]# ip rule show
0:      from all lookup local
32764:  from 192.168.10.0/24 lookup 100
32766:  from all lookup main
32767:  from all lookup default

[root@ebs-ol10-test ~]# ip route show table 100
192.168.10.0/24 dev eth1 scope link
Fig 2. Policy route table keeping Cache Fusion traffic off the public interface

6. nftables Replaces iptables

iptables is not part of the default OL10 install. firewalld still sits on top as the management layer, but it now compiles down to nftables.

Shell — Confirm firewalld/nftables and Open EBS Ports
systemctl status firewalld
nft list ruleset | head -20

firewall-cmd --permanent --add-port=8000-8005/tcp
firewall-cmd --permanent --add-port=1521/tcp
firewall-cmd --reload
firewall-cmd --list-ports
Terminal — root@ebs-ol10-test:~
[root@ebs-ol10-test ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
     Active: active (running) since Sat 2026-06-27 09:14:02 UTC

[root@ebs-ol10-test ~]# firewall-cmd --reload
success

[root@ebs-ol10-test ~]# firewall-cmd --list-ports
8000-8005/tcp 1521/tcp
✅ Firewall Migrated: EBS web tier ports (8000–8005) and the database listener port (1521) are now open via firewalld, backed by nftables. Raw nft rules, if needed outside firewalld, live under /etc/nftables/.
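
A drift check for the ports opened above, as an added example that is not part of the original article: it expands the ranges printed by firewall-cmd --list-ports and reports any open port that an approved baseline does not cover. The function names and the extra ports in the sample line are constructed for illustration.

```bash
# Added example: firewalld port drift check.
# Input is the one-line format printed by `firewall-cmd --list-ports`,
# for example "8000-8005/tcp 1521/tcp".

# expand_ports "8000-8002/tcp 1521/tcp" -> one port/proto per line, ranges expanded
expand_ports() {
    printf '%s\n' "$1" | tr -s ' ' '\n' | awk -F'[-/]' '
        NF == 2 { print $1 "/" $2 }                                   # single port
        NF == 3 { for (p = $1 + 0; p <= $2 + 0; p++) print p "/" $3 } # port range
    ' | LC_ALL=C sort -u
}

# port_drift APPROVED ACTUAL -> ports open in ACTUAL that APPROVED does not cover
port_drift() {
    approved=$(expand_ports "$1")
    expand_ports "$2" | while IFS= read -r p; do
        printf '%s\n' "$approved" | grep -Fqx -- "$p" || printf '%s\n' "$p"
    done
}

APPROVED="8000-8005/tcp 1521/tcp"                 # the ports opened in this article
SAMPLE="8000-8005/tcp 1521/tcp 8006/tcp 22/tcp"   # constructed --list-ports output

# Demo on the constructed sample: lists the two ports outside the baseline
port_drift "$APPROVED" "$SAMPLE"

# On a live host (requires firewalld):
#   port_drift "$APPROVED" "$(firewall-cmd --list-ports)"
#   port_drift "$(firewall-cmd --permanent --list-ports)" "$(firewall-cmd --list-ports)"
```

The second live-host form lists ports that exist only in the runtime configuration and would disappear on the next reload.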

7. eBPF and bpftool

eBPF programs let you observe live traffic without restarting any service or rebuilding the kernel — a big upgrade over blind tcpdump captures on a busy production node.

Shell — Inspect Loaded Programs and Trace Retransmits
bpftool prog list
bpftrace -e 'kprobe:tcp_retransmit_skb { printf("retransmit on pid %d\n", pid); }'
Terminal — root@ebs-ol10-test:~
[root@ebs-ol10-test ~]# bpftool prog list
12: cgroup_skb  name ingress_filter  tag a1b2c3d4e5f6a1b2  gpl
    loaded_at 2026-06-27T08:55:02+0000  uid 0
    xlated 248B  jited 189B  memlock 4096B

[root@ebs-ol10-test ~]# bpftrace -e 'kprobe:tcp_retransmit_skb { printf("retransmit on pid %d\n", pid); }'
Attaching 1 probe...
retransmit on pid 24817
retransmit on pid 24817
Fig 3. Live retransmit tracing — useful for chasing intermittent SQL*Net or RAC interconnect issues

8. XDP — Express Data Path

XDP processes packets before they reach the normal network stack. This line-rate filtering is most relevant to load-balancer or DDoS-mitigation tiers rather than typical EBS/RAC nodes, but it is worth knowing that OL10 supports it natively.

Shell — Attach an XDP Program
ip link set dev ens224 xdp obj /usr/share/bpf/xdp_drop.o
Terminal — root@ebs-ol10-test:~
[root@ebs-ol10-test ~]# ip -d link show ens224 | grep xdp
    prog/xdp id 14 tag 4f3a2b1c0d9e8f7a

9. IPv6 Dual-Stack

Shell — Enable IPv6 Auto-Configuration
nmcli connection modify APPS-PROD ipv6.method auto
nmcli connection up APPS-PROD
Terminal — root@ebs-ol10-test:~
[root@ebs-ol10-test ~]# ip -6 addr show ens192
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP>
    inet6 fe80::216:3eff:fe4a:9c21/64 scope link
    inet6 2001:db8:20::15/64 scope global dynamic
Note: Most EBS tiers still run IPv4-only in practice, but OCI subnets increasingly default to dual-stack — confirm SLAAC isn't silently handing out addresses you didn't plan for.
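
One way to run the check from the note above, as an added example that is not part of the original article: it reads `ip -6 -o addr show` output and lists dynamically assigned global addresses on any interface where none were planned. The function names, the ens224 interface and its addresses are constructed for illustration.

```bash
# Added example: find global IPv6 addresses that were assigned dynamically
# (SLAAC or DHCPv6) on interfaces where that was not planned.
# stdin:    output of `ip -6 -o addr show`
# argument: space-separated interfaces where dynamic addresses are expected

unplanned_slaac() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $3 == "inet6" {
            scope = ""; dyn = 0
            for (i = 5; i <= NF; i++) {
                if ($i == "scope")   scope = $(i + 1)
                if ($i == "dynamic") dyn = 1
            }
            # report "interface address/prefix" for unplanned dynamic globals
            if (scope == "global" && dyn && !($2 in ok)) print $2, $4
        }'
}

# Constructed sample: the ens192 addresses are the ones shown in this article,
# the ens224 lines are made up for the demonstration.
sample_addrs() {
    cat <<'EOF'
3: ens192    inet6 2001:db8:20::15/64 scope global dynamic noprefixroute \       valid_lft 2591990sec preferred_lft 604790sec
3: ens192    inet6 fe80::216:3eff:fe4a:9c21/64 scope link noprefixroute \       valid_lft forever preferred_lft forever
4: ens224    inet6 2001:db8:30::a1/64 scope global dynamic mngtmpaddr \       valid_lft 86390sec preferred_lft 14390sec
4: ens224    inet6 fe80::216:3eff:fe4a:9c22/64 scope link \       valid_lft forever preferred_lft forever
EOF
}

# Planned: only ens192 was switched to ipv6.method auto
sample_addrs | unplanned_slaac "ens192"

# On a live host:
#   ip -6 -o addr show | unplanned_slaac "ens192"
```

A profile flagged this way can be set to `ipv6.method disabled` or `ipv6.method link-local` with nmcli connection modify if no global IPv6 address is wanted on that interface.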

10. SR-IOV for OLVM/KVM

If RAC nodes are virtualized on OLVM, SR-IOV avoids most virtio overhead and gets you near-native NIC performance.

Shell — Enable Virtual Functions
echo 4 > /sys/class/net/ens1f0/device/sriov_numvfs
Terminal — root@ol10-kvm-host:~
[root@ol10-kvm-host ~]# ip link show ens1f0
4: ens1f0: <BROADCAST,MULTICAST,UP,LOWER_UP>
    vf 0 MAC 52:54:00:1a:2b:3c, spoof checking on, link-state auto
    vf 1 MAC 52:54:00:1a:2b:3d, spoof checking on, link-state auto
⚠️ Prerequisite: Confirm IOMMU is enabled in BIOS/UEFI and intel_iommu=on (or the AMD equivalent) is set in the kernel boot args — VFs won't appear otherwise.

11. Bonding and High Availability

Shell — Create an Active-Backup Bond
nmcli connection add type bond con-name bond0 ifname bond0 bond.options "mode=active-backup,miimon=100"
nmcli connection add type ethernet ifname eth2 master bond0
nmcli connection add type ethernet ifname eth3 master bond0
nmcli connection up bond0
Terminal — root@ebs-ol10-test:~
[root@ebs-ol10-test ~]# cat /proc/net/bonding/bond0 | egrep 'Bonding Mode|Currently Active'
Bonding Mode: fault-tolerance (active-backup)
Currently Active Slave: eth2
Fig 4. Active-backup bond for the RAC private interconnect — validated with a live cable pull during failover testing

12. Container Networking (Podman/OKE)

Shell — Create a Podman Network and Test Container
podman network create ebs-net --subnet 10.88.10.0/24
podman run -d --network ebs-net --name webtest nginx
Terminal — root@ebs-ol10-test:~
[root@ebs-ol10-test ~]# podman network inspect ebs-net | grep subnet
            "subnet": "10.88.10.0/24"

[root@ebs-ol10-test ~]# podman exec webtest ip addr show eth0 | grep inet
    inet 10.88.10.2/24 brd 10.88.10.255 scope global eth0
Note: If EBS reporting or integration services are moving to OKE, the underlying CNI changes are transparent — run a quick iperf3 pod-to-pod test as part of patch validation to confirm no latency regression on worker node upgrades.

13. Traffic Control (tc)

Shell — Shape Backup NIC Bandwidth
tc qdisc add dev eth4 root handle 1: htb default 12
tc class add dev eth4 parent 1: classid 1:1 htb rate 1000mbit
tc class add dev eth4 parent 1:1 classid 1:12 htb rate 200mbit ceil 300mbit
Terminal — root@ebs-ol10-test:~
[root@ebs-ol10-test ~]# tc -s class show dev eth4
class htb 1:1 root rate 1Gbit ceil 1Gbit burst 1375b cburst 1375b
class htb 1:12 parent 1:1 prio 0 rate 200Mbit ceil 300Mbit burst 1600b cburst 1600b

This caps the dedicated backup NIC during RMAN/Data Pump windows so it can't choke SQL*Net traffic on a shared fabric.

14. TLS and Kernel Networking Tuning

OL10's newer kernel and OpenSSL stack reduce TLS handshake and encryption overhead, which matters for Oracle Database SSL, WebLogic, OHS, and REST endpoints.

Shell — Validate TLS Throughput and Session State
openssl speed -evp aes-256-gcm
ss -tin state established '( dport = :1521 )'
Terminal — root@ebs-ol10-test:~
[root@ebs-ol10-test ~]# ss -tin state established '( dport = :1521 )'
State    Recv-Q  Send-Q   Local Address:Port    Peer Address:Port
ESTAB    0       0        10.10.20.15:51022     10.10.20.40:1521
         cubic wscale:7,7 rto:204 rtt:1.2/0.4 mss:1448 cwnd:10

ss -i exposes the active TCP congestion algorithm and RTT per connection — handy for confirming kernel-level improvements are actually in effect on a given SQL*Net session.

15. Diagnostics Toolbox

Shell — Day-to-Day Network Troubleshooting
ss -tnp state established '( dport = :1521 or sport = :1521 )'
ethtool -S ens192 | egrep 'rx_errors|tx_errors|rx_dropped'
mtr -rwc 4 ebs-db-prod.example.com
Terminal — root@ebs-ol10-test:~
[root@ebs-ol10-test ~]# ethtool -S ens192 | egrep 'rx_errors|tx_errors|rx_dropped'
     rx_errors: 0
     tx_errors: 0
     rx_dropped: 0

[root@ebs-ol10-test ~]# mtr -rwc 4 ebs-db-prod.example.com
HOST: ebs-ol10-test          Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. gw-app-tier               0.0%     4    0.3   0.3   0.2   0.4   0.1
  2. ebs-db-prod.example.com   0.0%     4    1.1   1.0   0.9   1.2   0.1

16. Troubleshooting Common Issues

| Issue | Cause | Resolution |
|---|---|---|
| nmcli connection won't activate | Stale keyfile or missing autoconnect | nmcli connection modify <name> connection.autoconnect yes, then nmcli connection up <name> |
| firewall-cmd --reload doesn't apply new ports | Rule added to runtime only, not --permanent | Re-add with --permanent, then --reload |
| SR-IOV VFs don't appear | IOMMU disabled in BIOS or kernel args | Enable IOMMU in BIOS/UEFI; add intel_iommu=on (or AMD equivalent) to GRUB |
| bpftool/bpftrace not found | bpf-utils/bpftrace package not installed | dnf install bpftool bpftrace --skip-broken |
| Bond fails over slowly | miimon interval too high | Lower miimon (e.g. 100ms) in bond.options |
| Podman containers can't reach EBS DB tier | Wrong subnet/firewall zone | Verify podman network inspect; add the bridge interface to the correct firewalld zone |

Shell — Diagnostic One-Liners
nmcli -p connection show <name>
nft list ruleset
ip -d link show <iface>
journalctl -u firewalld -u NetworkManager --since "1 hour ago"

17. Summary & Next Steps

✅ You have reviewed: NetworkManager-only configuration → policy routing → nftables firewall → eBPF/XDP observability → IPv6 dual-stack → SR-IOV → bonding/HA → container networking → traffic control → TLS/kernel tuning → diagnostics

| Workload | Why it matters |
|---|---|
| Oracle RAC | Bonding + policy routing isolate and harden the private interconnect |
| Oracle Data Guard | Kernel/TLS tuning reduces redo transport latency |
| Oracle E-Business Suite | nftables rule cleanup + bonded NICs reduce attack surface and unplanned downtime |
| OKE / Podman | Improved CNI matters when shifting EBS reporting/integration services into containers |
| Exadata-connected hosts | SR-IOV and kernel networking improvements narrow the gap toward RDMA-class throughput |

Recommended next steps:

  • Re-validate existing Ansible/Terraform/kickstart automation against nmcli before any production cutover
  • Migrate any remaining iptables rule sets to firewalld/nftables ahead of the OL8/OL9 EOL window
  • Pilot bpftool/bpftrace as a standard troubleshooting step for SQL*Net and RAC interconnect retransmits
  • Re-run baseline iperf3/mtr tests after any OL10 kernel (UEK7) update to catch regressions early
Syed Zaheer
Service Delivery Director · Techvisions · Cloud, AI & Managed Infrastructure
Syed Zaheer is Service Delivery Director at Techvisions, author, speaker, and technology enthusiast with deep expertise in the Oracle landscape, covering databases, middleware, applications, AI, and cloud infrastructure. He actively contributes to the Oracle community through technical articles, conference presentations, and knowledge-sharing initiatives, helping organizations modernize and optimize their enterprise technology platforms.

