Linux Networking: Network Namespaces

Network namespaces enable the creation of multiple independent network stacks on a single Linux host, providing isolated environments for various applications, users, or services. This article illustrates how to connect network namespaces using virtual Ethernet pairs and a Linux bridge, as well as how to connect the host to these namespaces, thereby enabling network communication and isolation.

Linux Networking: Network Namespaces

Table of Contents

· Network Namespaces
· Connect Network Namespaces with a Virtual Ethernet Pair
· Connect Network Namespaces Using a Linux Bridge
· Connect Host to Network Namespaces
· Commands

Network Namespaces

Network namespace is a Linux kernel feature that creates an isolated environment for networking, with its own network interfaces, routing table, firewall rules, and NAT rules. This enables network administrators to create virtual networks with increased security and flexibility. It is used in containerization technologies like Docker and Kubernetes to create isolated network environments for containerized applications.

Connect Network Namespaces with a Virtual Ethernet Pair

original

1. Create network namespaces

$ ip netns add <namespace>

example:

step1: Create network namespaces

$ ip netns add ns1
$ ip netns add ns2

2. Create a virtual Ethernet pair

Create a link between the two namespaces.

$ ip link add <veth_interface_1> type veth peer name <veth_interface_2>

example:

step2: Create a virtual Ethernet pair

$ ip link add veth_ns1 type veth peer name veth_ns2

This command creates a virtual Ethernet pair consisting of two interfaces, veth_ns1 and veth_ns2. These interfaces are connected to each other and behave like a virtual cable.

3. Attach the veth pair to the corresponding network namespace

$ ip link set <veth_interface> netns <namespace>

example:

step3: Attach the veth pair to the corresponding network namespace

$ ip link set veth_ns1 netns ns1
$ ip link set veth_ns2 netns ns2

This command moves the veth_ns1 interface into the ns1 namespace and the veth_ns2 interface into the ns2 namespace.

4. Bring all interfaces up

$ ip netns exec <namespace> ip link set <veth_interface> up

example:

step5: Bring all interfaces up

$ ip netns exec ns1 ip link set veth_ns1 up
$ ip netns exec ns2 ip link set veth_ns2 up

This command enables the veth_ns1 interface in the ns1 namespace and the veth_ns2 interface in the ns2 namespace.

5. Configure IP for namespaces

Execute a command inside that namespace, use the ip netns exec <namespace> <command> syntax.

$ ip netns exec <namespace> ip addr add <IP_address>/<subnet_mask> dev <veth_interface>

example:

step5: Configure IP for namespaces

$ ip netns exec ns1 ip addr add 10.1.1.1/24 dev veth_ns1
$ ip netns exec ns2 ip addr add 10.1.1.2/24 dev veth_ns2

This command assigns the IP address 10.1.1.1 to the veth_ns1 interface in the ns1 namespace and the IP address 10.1.1.2 to the veth_ns2 interface in the ns2 namespace.

6. Verify the connectivity between namespaces

Ping the IP address of the other namespace.

$ ip netns exec <namespace_name> ping <IP_address>

example:

step6: Verify the connectivity between namespaces

$ ip netns exec ns1 ping 10.1.1.2
$ ip netns exec ns2 ping 10.1.1.1

Connect Network Namespaces Using a Linux Bridge

A bridge is a software device that connects multiple network interfaces together, allowing them to communicate with each other.

1. Create network namespaces

step1: Create network namespaces

$ ip netns add ns1
$ ip netns add ns2

2. Create a Linux bridge

$ ip link add <bridge_name> type bridge

example:

step2: Create a Linux bridge

$ ip link add br0 type bridge

3. Bring the bridge up

step3: Bring the bridge up

$ ip link set dev br0 up

4. Create veth pairs

step4: Create veth pairs

$ ip link add veth_ns1 type veth peer name veth_ns1_br0
$ ip link add veth_ns2 type veth peer name veth_ns2_br0

5. Attach veth pairs to the corresponding network namespace and the bridge

step5: Attach veth pairs to the corresponding network namespace and the bridge

$ ip link set veth_ns1 netns ns1
$ ip link set veth_ns1_br0 master br0

$ ip link set veth_ns2 netns ns2
$ ip link set veth_ns2_br0 master br0

6. Bring all interfaces up

step6: Bring all interfaces up

$ ip netns exec ns1 ip link set veth_ns1 up
$ ip link set veth_ns1_br0 up

$ ip netns exec ns2 ip link set veth_ns2 up
$ ip link set veth_ns2_br0 up

7. Configure IP for namespaces

step7: Configure IP for namespaces

$ ip netns exec ns1 ip addr add 10.1.1.1/24 dev veth_ns1
$ ip netns exec ns2 ip addr add 10.1.1.2/24 dev veth_ns2

8. Test connectivity between the namespaces

step8: Test connectivity between the namespaces

$ ip netns exec ns1 ping 10.1.1.2
$ ip netns exec ns2 ping 10.1.1.1

No need to add route, bridge add it automatically.

This process can be repeated for any number of namespaces, allowing you to create complex network topologies with isolated environments for each application.

Connect Host to Network Namespaces

1. Configure the bridge interface with an IP address

$ ip addr add 10.1.1.4/24 dev br0

2. Enable IP forwarding on the host

$ sysctl -w net.ipv4.ip_forward=1

3. Test connectivity between host and namespaces

$ ping 10.1.1.1
$ ping 10.1.1.2

Commands

1. List existing network namespaces on the system

$ ip netns

2. Delete a network namespace

$ ip netns delete <namespace>

3. Delete a network interface

$ ip link delete <network_interface>

Reference:

• Network Namespaces Basics Explained in 15 Minutes