How to parse Linux Network Namespace

2025-01-27 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains how to analyze Linux Network Namespace in some detail. Interested readers can refer to it; we hope it is helpful to you.

Linux Network Namespace (netns) detailed explanation

Network Namespace (hereinafter referred to as netns) is a network isolation feature provided by the Linux kernel. It can isolate many different network spaces, each with an independent network protocol stack, including network interfaces (network cards), routing table, iptables rules and so on. For example, the well-known Docker relies on netns for its network isolation. Today we will experiment with the isolation properties of netns by hand.

Usage

Use ip netns help to view the usage help:

Usage: ip netns list
       ip netns add NAME
       ip netns set NAME NETNSID
       ip [-all] netns delete [NAME]
       ip netns identify [PID]
       ip netns pids NAME
       ip [-all] netns exec [NAME] cmd ...
       ip netns monitor
       ip netns list-id

Start the experiment

We are going to build the network in the following figure

First we add two tap devices and configure their IP information, then add two netns, and finally move the tap devices into the netns:

# add and bring up the virtual network cards (tap devices)
ip tuntap add dev tap0 mode tap
ip tuntap add dev tap1 mode tap
ip link set tap0 up
ip link set tap1 up
# configure IP addresses
ip addr add 10.0.0.1/24 dev tap0
ip addr add 10.0.0.2/24 dev tap1
# add the netns
ip netns add ns0
ip netns add ns1
# move tap0 and tap1 into ns0 and ns1 respectively
ip link set tap0 netns ns0
ip link set tap1 netns ns1

Test network connectivity to tap0 from the host machine using ping 10.0.0.1:

PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
^C
--- 10.0.0.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 58ms

Test network connectivity to tap1 from the host machine using ping 10.0.0.2:

ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
^C
--- 10.0.0.2 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 36ms

Since I did not receive an ICMP reply for a long time, I quit with Ctrl+C.

Test network connectivity to tap1 from the namespace ns0 using ip netns exec ns0 ping 10.0.0.2:

connect: Network is unreachable

Test network connectivity to tap0 from the namespace ns1 using ip netns exec ns1 ping 10.0.0.1:

connect: Network is unreachable

> There are two ways to execute a command in a netns. One is to run ip netns exec NAME bash on the host machine to enter the netns, and then execute commands as if they were local. The other is to issue the complete command from the host machine each time. To keep the distinction obvious, we use the complete command here. For example, ip netns exec ns0 ping 10.0.0.2 means: execute the ping 10.0.0.2 command in the namespace ns0.

You can see that accessing a netns from the host machine results in packet loss, while accessing one netns from the other reports that the network is unreachable. Why? Let's inspect the netns.

Use ip netns exec ns0 ip a to view the network cards in ns0:

1: lo: mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
16: tap0: mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 42:ad:98:a2:cc:81 brd ff:ff:ff:ff:ff:ff

Use ip netns exec ns1 ip a to view the network cards in ns1:

1: lo: mtu 65536 qdisc noop state DOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
17: tap1: mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 12:06:1d:06:41:57 brd ff:ff:ff:ff:ff:ff

You can see that not only are the local loopback lo and the tap devices in state DOWN, but the IP configuration of the tap devices is gone as well: when a virtual network interface is moved into a different network namespace, its state is reset.

We bring the relevant devices in ns0 and ns1 back up and configure their IPs:

ip netns exec ns0 ip link set lo up
ip netns exec ns0 ip link set tap0 up
ip netns exec ns0 ip addr add 10.0.0.1/24 dev tap0
ip netns exec ns1 ip link set lo up
ip netns exec ns1 ip link set tap1 up
ip netns exec ns1 ip addr add 10.0.0.2/24 dev tap1

First, let's test whether the local network inside each netns works.

Use ip netns exec ns0 ping 10.0.0.1 to test whether the local network card is up in the namespace ns0:

PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.036 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.033 ms
64 bytes from 10.0.0.1: icmp_seq=3 ttl=64 time=0.084 ms
64 bytes from 10.0.0.1: icmp_seq=4 ttl=64 time=0.044 ms
^C
--- 10.0.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 65ms
rtt min/avg/max/mdev = 0.033/0.049/0.084 ms

Use ip netns exec ns1 ping 10.0.0.2 to test whether the local network card is up in the namespace ns1:

PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.033 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.034 ms
64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=0.065 ms
64 bytes from 10.0.0.2: icmp_seq=4 ttl=64 time=0.035 ms
^C
--- 10.0.0.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 65ms
rtt min/avg/max/mdev = 0.033/0.049/0.084 ms

You can see that the local network is fine. Next, let's test the network connectivity between the two netns.

Test network connectivity to tap1 from the namespace ns0 using ip netns exec ns0 ping 10.0.0.2:

PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
^C
--- 10.0.0.2 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 84ms

Test network connectivity to tap0 from the namespace ns1 using ip netns exec ns1 ping 10.0.0.1:

PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
^C
--- 10.0.0.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 30ms

You can see that no ICMP reply packets come back: netns really does isolate two virtual network cards on the same host. Here we only used the ping command to test network connectivity, but much more can be done. For example, modifying the routing table or firewall rules of one netns does not affect any other netns at all, and certainly does not affect the host machine. For reasons of space we will not carry out that experiment here; interested readers can try it themselves.
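The following script, added here as an example and not taken from the article, reproduces the ns0/ns1 lab and checks the isolation claim in the paragraph above. It goes beyond the article in two ways: it connects the namespaces with a veth pair (the article's lone tap devices have no link between them, which is why they cannot reach each other), and it verifies that a route added inside ns0 is not visible from ns1 or from the host. The device names v0/v1 and the 192.0.2.0/24 test route are assumptions; it needs root (CAP_NET_ADMIN) and iproute2, and only runs the lab when invoked as `sh netns_lab.sh run`.

```shell
#!/bin/sh
# Added example (not from the original article). Namespace names ns0/ns1 and the
# 10.0.0.0/24 addresses are the article's; v0/v1 and 192.0.2.0/24 are assumptions.
set -eu

# Percent packet loss parsed from ping statistics text (pure text, no root needed).
loss_pct() {
    printf '%s\n' "$1" | sed -n 's/.* \([0-9]*\)% packet loss.*/\1/p'
}

# Operational state column of interface $2 from `ip -br addr` output $1.
link_state() {
    printf '%s\n' "$1" | awk -v dev="$2" '$1 == dev { print $2 }'
}

cleanup() {
    ip netns del ns0 2>/dev/null || true
    ip netns del ns1 2>/dev/null || true
}

run_lab() {
    trap cleanup EXIT
    cleanup
    ip netns add ns0
    ip netns add ns1
    # A veth pair is a virtual cable with one end in each namespace.
    ip link add v0 type veth peer name v1
    ip link set v0 netns ns0
    ip link set v1 netns ns1
    # As the article observes, a moved interface comes up DOWN and unconfigured.
    echo "v0 after move: $(link_state "$(ip -n ns0 -br addr)" v0)"
    for ns in ns0 ns1; do ip -n "$ns" link set lo up; done
    ip -n ns0 addr add 10.0.0.1/24 dev v0
    ip -n ns0 link set v0 up
    ip -n ns1 addr add 10.0.0.2/24 dev v1
    ip -n ns1 link set v1 up
    out=$(ip netns exec ns0 ping -c 2 -W 1 10.0.0.2 || true)
    echo "ns0 -> ns1 over veth: $(loss_pct "$out")% packet loss"
    # The routing table is per namespace: this route must not leak anywhere else.
    ip -n ns0 route add 192.0.2.0/24 via 10.0.0.2
    ip -n ns1 route | grep -q 192.0.2.0 && echo "LEAK: route visible in ns1" \
        || echo "ns1 routing table unaffected"
    ip route | grep -q 192.0.2.0 && echo "LEAK: route visible on host" \
        || echo "host routing table unaffected"
}

case "${1:-}" in run) run_lab ;; esac
```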

That is all we have to share on how to parse Linux Network Namespace. We hope the content above has been of some help to you and that you have learned something from it. If you think the article is good, share it so more people can see it.
