Etherarp

Networking, Security, Linux



Connecting Network Namespaces with veth

This post will look at how to define network namespaces and connect to and between them using veth pairs.

Rohan Molloy

In previous posts, I have looked at network namespaces and how they can be used to compartmentalize network resources on the system, allowing applications to have their own NICs. This post will look at how network namespaces can be connected together.

A Quick Look at Network Namespaces

Network namespaces restrict a process from "seeing" the network interfaces, IP addresses, routes, and firewall entries of the rest of the system. Network namespaces are managed with the ip command from the iproute2 package.

Create Network namespace

$ sudo ip netns add foo

Bring up the loopback interface inside the namespace

$ sudo ip netns exec foo ip link set dev lo up

Run a process inside the namespace

$ sudo ip netns exec foo nc -lkp 8080 <<< 'OK'
$ sudo ip netns exec foo curl http://127.0.0.1:8080
OK
$ curl http://127.0.0.1:8080
curl: (7) Failed to connect to 127.0.0.1 port 8080: Connection refused

Attach an interface to the network namespace

$ sudo ip link set dev enp3s1f0 netns foo
$ sudo ip netns exec foo ip l set dev enp3s1f0 up
$ sudo ip netns exec foo ip a add 192.168.1.3/24 dev enp3s1f0
$ sudo ip netns exec foo ip r add default via 192.168.1.1

Creating Veth Pairs

Veth is a type of virtual Ethernet interface that is always created as a pair. A veth pair can be thought of as a 'virtual crossover cable': it creates two virtual NICs that are connected to each other, so a frame sent into one end comes out of the other.

$ sudo ip link add veth0_left type veth peer name veth0_right

Connect the system to a network namespace

In this example, we will use the newly created veth pair to connect the system to network namespace foo.

Create a bridge interface on the system

$ sudo ip link add bridge0 type bridge
$ sudo ip link set bridge0 up
$ sudo ip addr add 10.13.37.1/24 dev bridge0

Attach the left veth interface to the bridge

$ sudo ip link set veth0_left up
$ sudo ip link set veth0_left master bridge0

Attach the right veth interface to the network namespace

$ sudo ip l set veth0_right netns foo
$ sudo ip netns exec foo ip link set veth0_right name eth0
$ sudo ip netns exec foo ip link set dev eth0 up
$ sudo ip netns exec foo ip addr add 10.13.37.2/24 dev eth0

Connecting two network namespaces

Connecting one network namespace to another follows the same process as connecting a network namespace to the host: create a veth pair and attach each side to the appropriate namespace.

Create a new namespace

$ sudo ip netns add bar

Create a veth pair and attach to the network namespaces

$ sudo ip l add veth1_left type veth peer name veth1_right
$ sudo ip l set veth1_left netns foo
$ sudo ip l set veth1_right netns bar

Configure addressing and routing

$ sudo ip netns exec foo ip l set veth1_left name eth1
$ sudo ip netns exec foo ip l set eth1 up
$ sudo ip netns exec foo ip a add 10.9.9.9/30 dev eth1

$ sudo ip netns exec bar ip l set veth1_right name eth0
$ sudo ip netns exec bar ip l set eth0 up
$ sudo ip netns exec bar ip a add 10.9.9.10/30 dev eth0
$ sudo ip netns exec bar ip r add 0.0.0.0/0 via 10.9.9.9

Create a route on the system

$ sudo ip route add 10.9.9.8/30 via 10.13.37.2 src 10.13.37.1 dev bridge0

Now, the system should be able to reach 10.9.9.10 (network namespace 'bar') routing via network namespace 'foo'. Connectivity can be verified with a ping or traceroute.

$ traceroute -n 10.9.9.10
traceroute to 10.9.9.10 (10.9.9.10), 30 hops max, 60 byte packets
 1  10.13.37.2  0.053 ms  0.013 ms  0.011 ms
 2  10.9.9.10  0.019 ms  0.014 ms  0.012 ms
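The whole procedure above, collected into one script as an added example (not from the original post). It uses the post's names and addresses, additionally enables IPv4 forwarding inside foo (the post leaves this implicit; a new namespace starts with the host's forwarding setting, so the routed hop through foo only works if it is on), checks the path in both directions, and can tear everything down again. Running it requires root.

```shell
#!/bin/sh
# Added example (not from the original post): builds the host <-> foo <-> bar
# topology above as one script, turns on IPv4 forwarding inside foo (a new
# namespace starts with the host's forwarding setting, so the hop through foo
# only works if it is on), verifies both directions, and tears it down. Needs root.
set -eu
nsx() { ns=$1; shift; ip netns exec "$ns" "$@"; }   # run a command in a namespace
teardown_topology() {   # deleting a namespace also removes the veth pairs in it
    ip netns del bar 2>/dev/null || true
    ip netns del foo 2>/dev/null || true
    ip link del bridge0 2>/dev/null || true
}

setup_topology() {
    teardown_topology
    ip netns add foo; ip netns add bar
    nsx foo ip link set lo up; nsx bar ip link set lo up
    ip link add bridge0 type bridge; ip link set bridge0 up
    ip addr add 10.13.37.1/24 dev bridge0
    ip link add veth0_left type veth peer name veth0_right
    ip link set veth0_left up master bridge0
    ip link set veth0_right netns foo
    nsx foo ip link set veth0_right name eth0; nsx foo ip link set eth0 up
    nsx foo ip addr add 10.13.37.2/24 dev eth0
    ip link add veth1_left type veth peer name veth1_right
    ip link set veth1_left netns foo; ip link set veth1_right netns bar
    nsx foo ip link set veth1_left name eth1; nsx foo ip link set eth1 up
    nsx foo ip addr add 10.9.9.9/30 dev eth1
    nsx bar ip link set veth1_right name eth0; nsx bar ip link set eth0 up
    nsx bar ip addr add 10.9.9.10/30 dev eth0
    nsx bar ip route add default via 10.9.9.9
    nsx foo sysctl -qw net.ipv4.ip_forward=1   # foo must route between eth0 and eth1
    ip route add 10.9.9.8/30 via 10.13.37.2 src 10.13.37.1 dev bridge0
}

verify_topology() {
    [ "$(nsx foo sysctl -n net.ipv4.ip_forward)" = 1 ] || { echo "forwarding off in foo" >&2; return 1; }
    ping -c1 -W1 10.13.37.2 >/dev/null         # host -> foo, directly attached
    ping -c1 -W1 10.9.9.10 >/dev/null          # host -> bar, routed through foo
    nsx bar ping -c1 -W1 10.13.37.1 >/dev/null # bar -> host, the return path
}
main() {
    case "${1:-}" in
        up)    setup_topology && verify_topology && echo "topology OK" ;;
        check) verify_topology && echo "topology OK" ;;
        down)  teardown_topology ;;
        *)     echo "usage: $0 up|check|down" >&2; return 2 ;;
    esac
}
if [ $# -gt 0 ]; then main "$@"; fi   # no arguments: only define the functions
```

Run it as `sudo sh topology.sh up` to build and verify, and `sudo sh topology.sh down` to remove the namespaces, veth pairs and bridge again.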