In this post, I will introduce Linux namespaces again.
As we know, every namespace is isolated from the others, so they can't access each other. So how do we connect them?
Linux provides a virtual Ethernet (veth) technique that provides a pipe between two namespaces.
First, execute the command: ip netns add lains
Then create a pair of interfaces: ip link add veth0 type veth peer name veth1. One interface is named veth0 and the other is named veth1.
Third, move the veth1 interface into the new namespace lains, with a command like this: ip link set veth1 netns lains
Fourth, configure the two new interfaces, like this: ifconfig veth0 10.0.0.1 up and ip netns exec lains ifconfig veth1 10.0.0.2 up (optional: ip netns exec lains ifconfig lo up)
These two interfaces now work normally.
Now we log in to this namespace: ip netns exec lains bash
In this namespace we run the ifconfig command, and we find two interfaces:
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:66 errors:0 dropped:0 overruns:0 frame:0
TX packets:66 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:5564 (5.5 KB) TX bytes:5564 (5.5 KB)
veth1 Link encap:Ethernet HWaddr 8e:b3:7c:ee:6d:b6
inet addr:10.0.0.2 Bcast:10.255.255.255 Mask:255.0.0.0
inet6 addr: fe80::8cb3:7cff:feee:6db6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:422 errors:0 dropped:0 overruns:0 frame:0
TX packets:72 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:29671 (29.6 KB) TX bytes:5264 (5.2 KB)
Let us have a try: can we access the outside network? Absolutely not.
ping 10.10.18.38 (my default namespace, the eth0 interface's IP)
The responses are Host Unreachable. But we could ping 10.0.0.1 and 10.0.0.2.
Let us find the reason. We run the route command:
root@laicb-OptiPlex-3010:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 veth1
You can see that the Destination is a network route (the kinds are host route, network route and default route), but 10.10.18.38 does not belong to this network, so the kernel doesn't know how to send the packet. Hence Host Unreachable.
To solve this problem, just add a default route or a network route to this kernel table: route add default gw 10.0.0.1 (we specify this IP as the gateway)
Then we run the route command:
root@laicb-OptiPlex-3010:~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.0.1 0.0.0.0 UG 0 0 0 veth1
10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 veth1
At this time the kernel knows how to send this packet: send it to the gateway 10.0.0.1.
But at this time we still could not ping 10.10.18.38,
because the default namespace does not know how to send it. We view the route table of the default network namespace:
laicb@laicb-OptiPlex-3010:~$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.10.18.254 0.0.0.0 UG 0 0 0 eth0
10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 veth0
10.10.18.0 0.0.0.0 255.255.255.0 U 1 0 0 eth0
So the packet for 10.0.0.1 will be sent to veth0,
so it can't reach 10.10.18.38.
Two approaches could solve this problem:
first, add a bridge to connect the two isolated namespaces;
second, add an SNAT transform.
Execute a command like this:
iptables -t nat -A POSTROUTING -s 10.0.0.0/22 -j SNAT --to-source 10.10.18.38
This transforms the source IP 10.0.0.0/22 to 10.10.18.38.
laicb@laicb-OptiPlex-3010:~$ sudo iptables -L -t nat
[sudo] password for laicb:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 10.0.0.0/22 anywhere to:10.10.18.38
Now we log in to the lains namespace, and we can ping 10.10.18.38,
and we can visit the outside network, visit baidu and so on.
So that's all.
Problem to solve:
A packet's travel path through interfaces, route tables and iptables; it will be a rabbit hole.
Sina Weibo: ChampionLai
link:http://www.evolware.org/?p=293#comment-2183
Using a bridge to connect two namespaces, a good use case
http://wiki.dzsc.com/info/8659.html
Introduces the principle of the network bridge