Connecting Network Namespaces with veth

This post will look at how network namespaces can be connected together.

Basic use of Network Namespaces

Network namespaces restrict a process from "seeing" the network interfaces, IP addresses, routes, and firewall entries of the rest of the system. Network namespaces are managed with the ip command from the iproute2 utility.

Create Network namespace

ip netns add foo
ip netns add bar

Attach an interface to the network namespace

ip link set dev enp3s1f0 netns foo

Configure newly attached interface

ip netns exec foo ip l set dev enp3s1f0 up;
ip netns exec foo ip a add 192.168.1.3/24 dev enp3s1f0;
ip netns exec foo ip r add default via 192.168.1.1;

Run a process inside the namespace

ip netns exec foo nc -lkp 8080 <<< OK

Connecting between system and namespaces

In this example, we will create a veth pair and use it to connect the system to network namespace foo. Veth is a type of virtual Ethernet interface that is always created as a pair. A veth pair can be thought of as a 'virtual crossover cable': it creates two virtual NICs that are connected to each other.

Defining a veth pair

ip link add veth0_left type veth peer veth0_right;

Create a bridge interface on the system

ip link add bridge0 type bridge;
ip link set bridge0 up;
ip addr add 10.13.37.1/24 dev bridge0;

Attach the left veth interface to the bridge

ip link set veth0_left master bridge0 up ;

Attach the right veth interface to the network namespace

ip link set dev veth0_right netns foo;

Bring up the right interface inside the namespace

ip netns exec foo ip link set veth0_right name eth0;
ip netns exec foo ip link set dev eth0 up;
ip netns exec foo ip addr add 10.13.37.2/24 dev eth0;

Connecting between namespaces

Connecting one network namespace to another follows the same process as connecting a network namespace to the host. Create a veth pair and attach each side to the appropriate namespace.

Create a veth pair

ip link add veth1_left type veth peer veth1_right

Attach the left veth to the foo namespace

ip link set veth1_left netns foo

Configure IP for the foo namespace

ip netns exec foo ip l set veth1_left name eth1;
ip netns exec foo ip l set eth1 up;
ip netns exec foo ip a add 10.9.9.9/30 dev eth1;
# foo's default route points at the host side of bridge0; 10.9.9.9 is foo's own address on eth1
ip netns exec foo ip r add 0.0.0.0/0 via 10.13.37.1

Attach the right veth to the bar namespace

ip link set veth1_right netns bar

Configure IP for the bar namespace

ip netns exec bar ip l set veth1_right name eth0;
ip netns exec bar ip l set eth0 up;
ip netns exec bar ip a add 10.9.9.10/30 dev eth0;
ip netns exec bar ip r add 0.0.0.0/0 via 10.9.9.9

Routing across namespaces

Recall that we created a namespace (foo) that has both a veth link from the default namespace (host) and a veth link to a second namespace (bar). As a proof of concept, let's configure connectivity between the system and the remote namespace.

Create a static route on the system

ip route add 10.9.9.8/30 via 10.13.37.2

Verify connectivity

traceroute -n 10.9.9.10
traceroute to 10.9.9.10 (10.9.9.10), 30 hops max, 60 byte packets
 1  10.13.37.2  0.053 ms  0.013 ms  0.011 ms
 2  10.9.9.10  0.019 ms  0.014 ms  0.012 ms

Now the system should be able to reach 10.9.9.10 (network namespace 'bar') by routing via network namespace 'foo'. Connectivity can be verified with a ping or traceroute.
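The whole sequence above collected into one script, as an added example that is not part of the original post. It keeps the post's names and addresses (foo, bar, bridge0, 10.13.37.0/24, 10.9.9.8/30) and assumes two things the post leaves implicit: each point-to-point address plan is checked before anything is configured (so giving both ends of the /30 the same address is rejected up front), and IPv4 forwarding is switched on inside foo, without which foo will not route between its two links.

```shell
#!/bin/sh
# Added example (not from the original post): builds the host <-> foo <-> bar
# topology, after checking each point-to-point address plan so that a slip such
# as the same address on both ends of a /30 is rejected before any interface is
# touched. DRY_RUN=1 prints the ip commands instead of running them (no root needed).
set -eu

ip4_to_int() {                      # dotted quad -> integer, e.g. 10.9.9.9 -> 168364297
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

p2p_ok() {   # p2p_ok A/P B/P: true when A and B are distinct usable hosts of one subnet
    p=${1#*/}; [ "$p" = "${2#*/}" ] || return 1                   # prefix lengths differ
    hostbits=$(( 32 - p )); bcast=$(( (1 << hostbits) - 1 ))
    a=$(ip4_to_int "${1%/*}"); b=$(ip4_to_int "${2%/*}")
    [ "$a" -ne "$b" ] || return 1                                  # same address on both ends
    [ $(( a >> hostbits )) -eq $(( b >> hostbits )) ] || return 1  # different subnets
    for h in $(( a & bcast )) $(( b & bcast )); do
        [ "$h" -ne 0 ] && [ "$h" -ne "$bcast" ] || return 1       # network/broadcast address
    done
}

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

ns_if() {   # ns_if NS VETH_END NEW_NAME ADDR/P: move one veth end into NS and configure it
    run ip link set dev "$2" netns "$1"
    run ip netns exec "$1" ip link set dev "$2" name "$3"
    run ip netns exec "$1" ip link set dev "$3" up
    run ip netns exec "$1" ip addr add "$4" dev "$3"
}

HOST_ADDR=10.13.37.1/24; FOO_ETH0=10.13.37.2/24     # host bridge <-> foo
FOO_ETH1=10.9.9.9/30;    BAR_ETH0=10.9.9.10/30      # foo <-> bar

build_topology() {
    p2p_ok "$HOST_ADDR" "$FOO_ETH0" && p2p_ok "$FOO_ETH1" "$BAR_ETH0" || { echo "address plan rejected" >&2; return 1; }
    run ip netns add foo; run ip netns add bar
    run ip link add bridge0 type bridge; run ip link set bridge0 up
    run ip addr add "$HOST_ADDR" dev bridge0
    run ip link add veth0_left type veth peer name veth0_right
    run ip link set veth0_left master bridge0 up
    ns_if foo veth0_right eth0 "$FOO_ETH0"
    run ip link add veth1_left type veth peer name veth1_right
    ns_if foo veth1_left eth1 "$FOO_ETH1"
    ns_if bar veth1_right eth0 "$BAR_ETH0"
    run ip netns exec foo ip route add default via "${HOST_ADDR%/*}"
    run ip netns exec bar ip route add default via "${FOO_ETH1%/*}"
    run ip netns exec foo sysctl -q -w net.ipv4.ip_forward=1   # foo must forward between its links
    run ip route add 10.9.9.8/30 via "${FOO_ETH0%/*}"           # host reaches bar through foo
}

case "${1:-}" in --apply) build_topology ;; --dry-run) DRY_RUN=1 build_topology ;; esac
```

Run it as `sh veth-lab.sh --dry-run` to review the command list, and as root with `--apply` to build the topology.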