Linux Network Namespaces – Background

http://www.opencloudblog.com/?p=116

How to Create a Network Namespace and add iptables rules and Test it

http://fosshelp.blogspot.com/2014/07/create-network-namespace-iptables-rules.html

 

iptables example DNAT SNAT and MASQUERADE with network namespace

http://fosshelp.blogspot.com/2014/07/iptables-dnat-snat-masquerade-with.html

Namespaces

Managing network namespaces using the ip command is the prefered way. It is helpful to understand, what’s going on in the (kernel) background.

If you create two network namespaces using

Shell

ip netns add ns1 ip netns add ns2

1 2	ip netns add ns1 ip netns add ns2

you find to entries in the directory /var/run/netns/

Shell

ls -la /var/run/netns/ total 0 drwxr-xr-x 2 root root 80 Sep 19 22:18 . drwxr-xr-x 39 root root 1500 Sep 19 22:18 .. -r--r--r-- 1 root root 0 Sep 19 22:18 ns1 -r--r--r-- 1 root root 0 Sep 19 22:18 ns2

1 2 3 4 5 6

ls -la /var/run/netns/ total 0 drwxr-xr-x  2 root root   80 Sep 19 22:18 . drwxr-xr-x 39 root root 1500 Sep 19 22:18 .. -r--r--r--  1 root root    0 Sep 19 22:18 ns1 -r--r--r--  1 root root    0 Sep 19 22:18 ns2

Each process has an unique inode assigned. This inode makes it possible to check, if two processes belongs to a name namespace. Look in /proc/self/ns/  to the entry net:

Shell

root:~# ls -la /proc/self/ns/ ... lrwxrwxrwx 1 root root 0 Sep 19 22:36 net -> net:[4026531956] ... root:~# ip netns exec ns1 ls -la /proc/self/ns/ ... lrwxrwxrwx 1 root root 0 Sep 19 22:37 net -> net:[4026532399] ... root:~# ip netns exec ns2 ls -la /proc/self/ns/ ... lrwxrwxrwx 1 root root 0 Sep 19 22:41 net -> net:[4026532485] ...

1 2 3 4 5 6 7 8 9 10 11 12 13 14

root:~# ls -la /proc/self/ns/ ... lrwxrwxrwx 1 root root 0 Sep 19 22:36 net -> net:[4026531956] ...   root:~# ip netns exec ns1 ls -la /proc/self/ns/ ... lrwxrwxrwx 1 root root 0 Sep 19 22:37 net -> net:[4026532399] ...   root:~# ip netns exec ns2 ls -la /proc/self/ns/ ... lrwxrwxrwx 1 root root 0 Sep 19 22:41 net -> net:[4026532485] ...

The shell process, which we are using and the namespaces ns1 and ns2 have different net:[] inodes assigned. These inodes are the inodes of the entries in /var/run/netns/ . If this is the default network namespace you will not see an entry.

Network namespaces might also be assigned to PIDs.

Newer versions if ip have the commands ip netns identify PID (This command walks through /var/run/netns and finds all the network namespace names for network namespace of the specified process) and ip netns pids NAME (This command walks through proc and finds all of the process who have the named network namespace as their primary network namespace).

A cat /proc/self/mounts shows the total number of network namespaces in the system:

Shell

cat /proc/self/mounts ... many lines cut ... proc net:[4026532399] proc rw,nosuid,nodev,noexec,relatime 0 0 proc net:[4026532485] proc rw,nosuid,nodev,noexec,relatime 0 0 The two lines above show that there are two network namespaces active in the system

1 2 3 4 5 6 7 8

cat /proc/self/mounts ... many lines cut ... proc net:[4026532399] proc rw,nosuid,nodev,noexec,relatime 0 0 proc net:[4026532485] proc rw,nosuid,nodev,noexec,relatime 0 0   The two lines above show that there are two network namespaces active in the system

If you exectute the same command in a network namespace using ip netns exec ns1 cat /proc/self/mounts you get:

Shell

ip netns exec ns1 cat /proc/self/mounts ... many lines cut ... proc net:[4026532399] proc rw,nosuid,nodev,noexec,relatime 0 0 proc net:[4026532485] proc rw,nosuid,nodev,noexec,relatime 0 0 ... ns1 /sys sysfs rw,relatime 0 0 the last line shows the network namespace of the current process

1 2 3 4 5 6 7 8 9 10

ip netns exec ns1 cat /proc/self/mounts ... many lines cut ... proc net:[4026532399] proc rw,nosuid,nodev,noexec,relatime 0 0 proc net:[4026532485] proc rw,nosuid,nodev,noexec,relatime 0 0 ... ns1 /sys sysfs rw,relatime 0 0   the last line shows the network namespace of the current process

 Interfaces

If you create a veth pair and assign one side to ns1 and the other sinde to ns2 using the commands

Shell

ip link add veth-a type veth peer name veth-b ip link set veth-a netns ns1 ip link set veth-b netns ns2

1 2 3

ip link add veth-a type veth peer name veth-b ip link set veth-a netns ns1 ip link set veth-b netns ns2

Interfaces may also be assigned to a process:

Shell

# create a veth pair # assign the other side to PID 1234 # ip link add veth-e type veth peer name veth-f netns 1234

1 2 3 4

# create a veth pair # assign the other side to PID 1234 # ip link add veth-e type veth peer name veth-f netns 1234

This attaches the interface veth-f not only to PID 1234, it attaches the interface to the network namespace to which the process 1234 is belonging to. The network namespace survives, even if the process terminates.

How do you find the namespaces to which the interface are belonging to?

How do you find all interfaces in your system and the mapping to network namespaces/pids?