Introduction

In the professional networking world it is quite common to use Virtual Routing and Forwarding VRFs for a long time. Cisco, Alcatel-Lucent, Juniper and others are supporting this technology. In the L2 switching world, the concept of VLANs has been used since the 90’s of the last century. One physical switch supports more than one broadcast domain. Most switches are supporting up to 4k Vlans.

This idea has been adopted to the L3 world. Many network devices are supporting now VRFs. This means, that more than one virtual router (Layer 3 forwarding instance) can be run on one physical device.

In the Linux world, the VRFs of the professional networking world got the name „network namespace“. In Linux, there are other namespaces available (like mount namespace…). The acticle at http://lwn.net/Articles/531114/ has more details.

Each network namespace has it’s own routing table, it’s own iptables setup providing nat and filtering. Linux network namespaces offer in addition the capability to run processes within the network namespace.

But why should someone use this feature. Think about a firewall running on a Linux system. You should assign all service interfaces of the firewall to a network namespace. After this, the default network namespace and the firewall network namespace are running with different routing tables. An applications like SSH is only reachable in the default namespace but not in the firewall namespace. And you may use the same IP addresses in each namespace without any interferance – but be careful on the L2 layer!

The following sections show the basic usage. A more complex example using also linux bridges or the openvswitch is available in this article on this site.

Basic network namespace commands

The tool to handle network namespaces is the command ip. Some users may know this tool as the replacement for the deprecated tools ifconfig, route, netstat…. You must be root for all operations which change the configuration of the network stack.

Mapping of the commands between the ip and the depricated tools:

ifconfig                                            --> ip addr or just ip a
ifconfig <interface> up/down                        --> ip link set dev <interface> up/down
ifconfig <interface> <ip> netmask <netmask>         --> ip addr add <ip>/<masklen> dev <interface>
netstat -rn                                         --> ip route or just ip r
route add -net <net> netmask <netmask> gw <gateway> --> ip r add <net>/<netmasklen> via <gateway>

ifconfig --> ip addr or just ip a

ifconfig <interface> up/down --> ip link set dev <interface> up/down

ifconfig <interface> <ip> netmask <netmask> --> ip addr add <ip>/<masklen> dev <interface>

netstat -rn --> ip route or just ip r

route add -net <net> netmask <netmask> gw <gateway> --> ip r add <net>/<netmasklen> via <gateway>

Check your Linux for namespace support

Before trying to play with network namespaces check it your Linux system supports network namespaces. Ubuntu 12.04 and higher versions have the feature on board.

Creating a network namespace

# add a new namespace
ip netnas add <network namespace name>
#Example:
ip netns add nstest

# add a new namespace

ip netnas add <network namespace name>

#Example:

ip netns add nstest

Listing all existing network namespaces in the system

# list all namespaces
ip netns list
#will show the namespace from above

nstest

# list all namespaces

ip netns list

#will show the namespace from above

nstest

Deleting a network namespace

A network namespace can be deleted using the command

ip netns delete <network namespace name>

1	ip netns delete <network namespace name>

Executing a command in a network namespace

The command ip offers the „black magic“ to execute commands in the network namespace. The following is used:

# execute a command in a namespace
ip netns exec <network namespace name> <command>
#Example using the namespace from above:
ip netns exec nstest ip addr

# execute a command in a namespace

ip netns exec <network namespace name> <command>

#Example using the namespace from above:

ip netns exec nstest ip addr

shows all ip interfaces and addresses in the namespace

1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

1 2	1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

A „dirty“ trick is to not start each command with the prefix ip netns exec…. Start a shell in the network namespace using

ip netns exec <network namespace name> bash

1	ip netns exec <network namespace name> bash

But do not forget, that you are now „trapped“ in the network namespace. Just type exit to leave.

Exploring the network namespace

After creating the namespace with the command above, the first task is to bring up the loopback interface of the new namespace. You may have noticed from the output above, that the loopback interface is DOWN after creating the network namespace. If you forget this, strange things may happen. It’s not a good idea to leave the loopback interface down.

# set the link of lo in the namespace to up
ip netns exec nstest ip link set dev lo up
# list all interfaces and the state in the namespace 
ip netns exec nstest ip link

# set the link of lo in the namespace to up

ip netns exec nstest ip link set dev lo up

# list all interfaces and the state in the namespace

ip netns exec nstest ip link

and the loopback interface is now UP. Now it’s time to connect the network namespace to the outside world.

Adding interfaces to a network namespace

It is not possible to assign physical interfaces of your Linux box to a network namespace. It’s only possible to attach virtual interfaces. So we have to create a virtual interface. The tool is – again – ip. The command

ip link add veth-a type veth peer name veth-b

1	ip link add veth-a type veth peer name veth-b

creates two virtual interfaces veth-a and veth-b, which are connected using „a virtual cable“. The command ip link shows both interfaces in the default namespace.

ip link
veth-b: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
 link/ether 72:01:ad:c5:67:84 brd ff:ff:ff:ff:ff:ff
veth-a: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
 link/ether 8e:8b:bd:b1:88:e5 brd ff:ff:ff:ff:ff:ff

ip link

veth-b: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000

link/ether 72:01:ad:c5:67:84 brd ff:ff:ff:ff:ff:ff

veth-a: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000

link/ether 8e:8b:bd:b1:88:e5 brd ff:ff:ff:ff:ff:ff

We can now take one end of this construct and attach it to the created namespace nstest using the command

ip link set veth-b netns nstest

1	ip link set veth-b netns nstest

Now ip l in the default namespace does not show this interface any more. It shows up now in the network namespace nstest, Verify this using the command

# list all interfaces in the namespace nstest
ip netns exec nstest ip link

lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT 
 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
veth-b: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
 link/ether 72:01:ad:c5:67:84 brd ff:ff:ff:ff:ff:ff

# list all interfaces in the namespace nstest

ip netns exec nstest ip link

lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT

link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

veth-b: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000

link/ether 72:01:ad:c5:67:84 brd ff:ff:ff:ff:ff:ff

Now we have two interfaces in the network namespace nstest.

Assign ip addresses to the veth interfaces

Now it’s time to assign ip addresses to the veth interfaces and bring the interfaces up

# default namespace
ip addr add 10.0.0.1/24 dev veth-a
ip link set dev veth-a up
#
# namespace nstest
ip netns exec nstest ip addr add 10.0.0.2/24 dev veth-b
ip netns exec nstest ip link set dev veth-b up

# default namespace

ip addr add 10.0.0.1/24 dev veth-a

ip link set dev veth-a up

# namespace nstest

ip netns exec nstest ip addr add 10.0.0.2/24 dev veth-b

ip netns exec nstest ip link set dev veth-b up

Verify, that the interfaces are up (use ip link), have ip addresses assigned (use ip addr) and a route is existing (use ip route).

Now you can ping from the default namespace interface veth-a to the nstest namespace interface veth-b:

ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_req=1 ttl=64 time=0.054 ms
64 bytes from 10.0.0.2: icmp_req=2 ttl=64 time=0.034 ms
64 bytes from 10.0.0.2: icmp_req=3 ttl=64 time=0.039 ms
64 bytes from 10.0.0.2: icmp_req=4 ttl=64 time=0.036 ms

ping 10.0.0.2

PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.

64 bytes from 10.0.0.2: icmp_req=1 ttl=64 time=0.054 ms

64 bytes from 10.0.0.2: icmp_req=2 ttl=64 time=0.034 ms

64 bytes from 10.0.0.2: icmp_req=3 ttl=64 time=0.039 ms

64 bytes from 10.0.0.2: icmp_req=4 ttl=64 time=0.036 ms

And from the nstest namespace interface veth-b to the default namespace interface veth-a:

ip netns exec nstest ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_req=1 ttl=64 time=0.064 ms
64 bytes from 10.0.0.1: icmp_req=2 ttl=64 time=0.036 ms
64 bytes from 10.0.0.1: icmp_req=3 ttl=64 time=0.039 ms

ip netns exec nstest ping 10.0.0.1

PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.

64 bytes from 10.0.0.1: icmp_req=1 ttl=64 time=0.064 ms

64 bytes from 10.0.0.1: icmp_req=2 ttl=64 time=0.036 ms

64 bytes from 10.0.0.1: icmp_req=3 ttl=64 time=0.039 ms

Try to reach another interface in the default namespace when pinging from the network namespace.

Which software is using network namespaces?

Network namespaces are used by many container and virtualization techniques. LXC is one of the virtualization container techniques. Openstack neutron is also using the Linux network namespaces.

Virtual inferfaces and network namespaces are very useful, when a virtual switch, e.g. Openvswitch, is installed.

(1) Linux Network Namespaces