Linux Network Namespaces
1. What are Linux Network Namespaces?
A Network Namespace is a virtualization technology provided by Linux that allows the creation of multiple independent network environments, each with its own network interfaces, routing tables, iptables rules, etc. This is similar to network isolation in virtual machines or containers, but is more lightweight.
Features
- Each network namespace has its own network interfaces (e.g., eth0, wlan0).
- Each namespace has independent routing tables, iptables rules, and ARP caches.
- Processes can only access the network resources of the namespace they are in and cannot directly access the network resources of other namespaces.
- Different namespaces can be connected through veth devices, allowing them to communicate with each other.
2. Basic Operations
2.1 Creating and Managing Network Namespaces
Creating Network Namespaces
ip netns add ns1
ip netns add ns2
This creates two independent network namespaces: `ns1` and `ns2`.
Viewing Network Namespaces
ip netns list
Example output:
ns2
ns1
This shows that the namespaces `ns2` and `ns1` exist.
Deleting Network Namespaces
ip netns del ns1
ip netns del ns2
After deletion, the associated network interfaces and configurations will be cleared.
2.2 Executing Commands in a Namespace
Use `ip netns exec` to run a command inside a network namespace. For example:
ip netns exec ns1 ip a
This shows the network interfaces inside `ns1`, typically only the `lo` (loopback) interface.
To enter `ns1` and start an interactive shell:
ip netns exec ns1 bash
Inside `ns1`, `ip a` lists only the `lo` device, because a newly created network namespace contains no other interfaces by default.
3. Connecting Namespaces
3.1 Connecting Namespaces via veth Devices
A veth (virtual Ethernet) device is a pair of virtual Ethernet interfaces: a packet sent into one end comes out of the other end.
Creating veth Devices
ip link add veth0 type veth peer name veth1
This creates two connected ends: `veth0` and `veth1`.
Assigning veth Devices to Network Namespaces
ip link set veth0 netns ns1
ip link set veth1 netns ns2
Thus:
- `veth0` is moved into `ns1`.
- `veth1` is moved into `ns2`.
Configuring IP Addresses in the Namespaces
ip netns exec ns1 ip addr add 192.168.1.1/24 dev veth0
ip netns exec ns2 ip addr add 192.168.1.2/24 dev veth1
Then, enable the interfaces:
ip netns exec ns1 ip link set veth0 up
ip netns exec ns2 ip link set veth1 up
Testing Connectivity
ip netns exec ns1 ping -c 3 192.168.1.2
If the ping succeeds, the connection between `ns1` and `ns2` has been established.
4. Routing with Namespaces
If `ns1` and `ns2` need to route through a third namespace (`ns-router`), configure the following steps.
4.1 Creating ns-router
ip netns add ns-router
4.2 Creating and Assigning veth Devices
ip link add veth-ns1 type veth peer name veth-router1
ip link add veth-ns2 type veth peer name veth-router2
ip link set veth-ns1 netns ns1
ip link set veth-router1 netns ns-router
ip link set veth-ns2 netns ns2
ip link set veth-router2 netns ns-router
4.3 Configuring IP Addresses
ip netns exec ns1 ip addr add 192.168.1.1/24 dev veth-ns1
ip netns exec ns-router ip addr add 192.168.1.254/24 dev veth-router1
ip netns exec ns-router ip addr add 192.168.2.254/24 dev veth-router2
ip netns exec ns2 ip addr add 192.168.2.1/24 dev veth-ns2
4.4 Enabling Interfaces
ip netns exec ns1 ip link set veth-ns1 up
ip netns exec ns-router ip link set veth-router1 up
ip netns exec ns-router ip link set veth-router2 up
ip netns exec ns2 ip link set veth-ns2 up
4.5 Enabling IP Forwarding
ip netns exec ns-router sysctl -w net.ipv4.ip_forward=1
4.6 Configuring Routes
ip netns exec ns1 ip route add default via 192.168.1.254
ip netns exec ns2 ip route add default via 192.168.2.254
Now `ns1` and `ns2` can communicate through `ns-router`:
ip netns exec ns1 ping -c 3 192.168.2.1
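The procedures of sections 2 to 4 collected into one script, as an added example that is not part of the original article: it builds the ns1 / ns-router / ns2 topology with the article's names and addresses, checks before configuring each veth pair that its two addresses share a subnet (the usual reason the connectivity ping fails), runs the end-to-end ping, and can tear everything down again. The DRY_RUN switch and the run, same_subnet and link_ns helpers are this example's own assumptions; with DRY_RUN=0 it needs root and the iproute2 tools.

```shell
#!/bin/sh
# Added example (not from the original article): build the routed
# ns1 <-> ns-router <-> ns2 topology as a repeatable script.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 executes them (root).
set -eu

DRY_RUN="${DRY_RUN:-1}"

# run CMD...: print the command in dry-run mode, otherwise execute it
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    printf '%s\n' "$1" | {
        IFS=. read -r a b c d
        echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
    }
}

# same_subnet ADDR1/LEN ADDR2/LEN -> success when both addresses lie in
# one network with the same prefix length
same_subnet() {
    ip1="${1%/*}"; len1="${1#*/}"
    ip2="${2%/*}"; len2="${2#*/}"
    [ "$len1" = "$len2" ] || return 1
    mask=$(( (4294967295 << (32 - len1)) & 4294967295 ))
    [ $(( $(ip_to_int "$ip1") & mask )) -eq $(( $(ip_to_int "$ip2") & mask )) ]
}

# link_ns NS1 IF1 ADDR1 NS2 IF2 ADDR2: one veth pair joining two namespaces
# (create pair, move ends, assign addresses, bring both ends up)
link_ns() {
    same_subnet "$3" "$6" || {
        printf 'error: %s and %s are not on one subnet\n' "$3" "$6" >&2
        return 1
    }
    run ip link add "$2" type veth peer name "$5"
    run ip link set "$2" netns "$1"
    run ip link set "$5" netns "$4"
    run ip netns exec "$1" ip addr add "$3" dev "$2"
    run ip netns exec "$4" ip addr add "$6" dev "$5"
    run ip netns exec "$1" ip link set "$2" up
    run ip netns exec "$4" ip link set "$5" up
}

# build_topology: sections 4.1 to 4.6 of the article in order
build_topology() {
    for ns in ns1 ns2 ns-router; do run ip netns add "$ns"; done
    link_ns ns1 veth-ns1 192.168.1.1/24 ns-router veth-router1 192.168.1.254/24
    link_ns ns2 veth-ns2 192.168.2.1/24 ns-router veth-router2 192.168.2.254/24
    run ip netns exec ns-router sysctl -w net.ipv4.ip_forward=1
    run ip netns exec ns1 ip route add default via 192.168.1.254
    run ip netns exec ns2 ip route add default via 192.168.2.254
}

# verify: end-to-end check across the router (section 4.6)
verify() {
    run ip netns exec ns1 ping -c 3 192.168.2.1
}

# teardown: deleting a namespace also removes the veth ends inside it
teardown() {
    for ns in ns1 ns2 ns-router; do run ip netns del "$ns"; done
}

# usage: sh topology.sh up   |   sh topology.sh down
case "${1:-up}" in
    up) build_topology && verify ;;
    down) teardown ;;
esac
```

The subnet check runs before any command is issued, so a typo in an address aborts the script instead of leaving a half-built topology behind; `down` removes the three namespaces, which is all the cleanup needed because the veth ends live inside them.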
5. Advanced Usage
5.1 Using iptables for NAT
ip netns exec ns-router iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
This allows `ns1` and `ns2` to access the external network through `ns-router`.
5.2 Binding Processes to Specific Network Namespaces
nsenter --net=/var/run/netns/ns1 ping -c 3 192.168.1.2
This runs the process inside `ns1` by attaching to its namespace file; in the same way, any process can be started in a chosen network namespace.
5.3 Using VRF for Advanced Network Isolation
ip link add vrf1 type vrf table 100
ip link set vrf1 up
ip link set veth0 master vrf1
This binds `veth0` to the VRF `vrf1`, allowing more complex network isolation.
6. Conclusion
Linux network namespaces provide a powerful way to isolate and manage networks, suitable for scenarios such as containers, SDN, testing environments, VPNs, and cloud computing.
They can be used to:
- Simulate complex network architectures using multiple network namespaces.
- Combine `iptables` and `tc` for traffic control.
- Customize network configurations in container environments.