Bridging 2 VEth Devices within Namespaces
Stanley Chinedu Ogada
Posted on February 8, 2024
Table of Contents:
- Introduction
- Understanding Network Bridging
- Understanding Network Namespaces
- Connecting Network Namespaces with a Bridge
- PRACTICAL GUIDE
- Real-world scenarios for creating multiple namespaces
- Conclusion
Introduction:
In the world of Linux networking, understanding concepts like network bridging and network namespaces can open up a realm of possibilities for network configuration, isolation, and testing. In this blog post, we'll delve into these concepts, exploring their use cases and providing a step-by-step guide to implementing them on your Linux system.
Understanding Network Bridging:
Network bridging is a technique used to connect multiple network interfaces, allowing them to communicate with each other as if they were part of the same network segment. This is achieved by creating a virtual bridge interface that acts as a hub for the connected interfaces.
Understanding Network Namespaces:
Network namespaces provide a way to create isolated network environments within a Linux system. Each namespace has its network stack, including interfaces, routing tables, and firewall rules, allowing for separate network configurations.
Connecting Network Namespaces with a Bridge:
While network namespaces provide isolation, there may be scenarios where communication between namespaces is desired. This can be achieved by connecting the namespaces using a bridge, allowing for controlled communication between them.
Practical Guide:
Create a bridge:
ip link add br0 type bridge
Create the veth network interfaces and their peers:
ip link add vth1 type veth peer vth_1
ip link add vth2 type veth peer vth_2
These commands create two pairs of virtual Ethernet (veth) interfaces (vth1
and vth2
) along with their peers (vth_1
and vth_2
). Each veth pair acts as a virtual cable, where data sent through one end of the pair emerges at the other end.
Create 2 network namespaces:
ip netns add ns1
ip netns add ns2
Move the veth peers to each namespace:
ip link set dev vth_1 netns ns1
ip link set dev vth_2 netns ns2
These commands move the veth peer interfaces (vth_1
and vth_2
) into their respective network namespaces (ns1
and ns2
), effectively associating them with the namespaces.
Assign an IP address to the veth network interface in each network namespace:
ip netns exec ns1 ip address add 192.168.10.1/24 dev vth_1
ip netns exec ns1 ip link set dev vth_1 up
ip netns exec ns2 ip address add 192.168.10.2/24 dev vth_2
ip netns exec ns2 ip link set dev vth_2 up
These commands assign IP addresses to the veth interfaces (vth_1
and vth_2
) inside their respective namespaces (ns1
and ns2
). Additionally, they bring up the interfaces (vth_1
and vth_2
) within their namespaces.
Add the veth network interfaces to the bridge:
ip link set dev vth1 master br0
ip link set dev vth2 master br0
These commands add the veth interfaces (vth1
and vth2
) to the bridge (br0
). By adding the interfaces to the bridge, traffic can flow between the namespaces through the bridge.
Bring up the bridge and the veth network interfaces:
ip link set dev br0 up
ip link set dev vth1 up
ip link set dev vth2 up
These commands bring up the bridge (br0
) and the veth interfaces (vth1
and vth2
), enabling network connectivity.
Test connectivity between namespaces using ping:
ping 192.168.10.1;
ping 192.168.10.2;
These commands attempt to ping the IP address 192.168.10.1
and 192.168.10.2
. Since the bridge is not directly connected to the physical network, the ping fails.
ip netns exec ns1 ping 192.168.10.2 -c2
This command uses the ip netns exec
command to execute the ping from within the ns1
namespace. As a result, the ping is successful with 0% packet loss.
ip netns exec ns2 ping 192.168.10.1 -c2
Similarly, this command executes the ping from within the ns2
namespace, resulting in a successful ping with 0% packet loss.
However, ns1
can only ping ns2
(with its IP address of course) but can't ping itself (ns1
can't ping ns1
), and the same situation for the ns2
namespace as well. Well, the reason is the lo
devices in a newly created namespace are down by default.
In other words (Optionally), If you wish for the ns1
and ns1
to ping itself, then bring up the lo
devices
ip netns exec ns1 ip link set dev lo up
ip netns exec ns2 ip link set dev lo up
The ns1
can now ping both ns2
(192.168.10.2) and itself (192.168.10.1) and the same is true for the ns2
namespace.
ip netns exec ns1 ping 192.168.10.1 -c2
ip netns exec ns1 ping 192.168.10.2 -c2
Real-world scenarios for creating multiple namespaces:
Service or application isolation:
In a cloud environment, different services or applications may require isolated network environments for testing or development. By creating multiple namespaces on a single machine and connecting them using a bridge, developers can simulate isolated network environments for each service or application without the need for additional physical hardware.Security testing:
Security researchers or penetration testers often require isolated environments to conduct security testing or analysis. By creating multiple namespaces on a single machine and connecting them using a bridge, they can simulate complex network topologies and test various security scenarios without impacting production systems. This setup allows for controlled experimentation and analysis of network-based vulnerabilities and attack vectors.
NOTE:
It's essential to note that the use of a bridge in this scenario doesn't completely negate the isolation provided by the namespaces. The namespaces still maintain separate network configurations, IP addresses, and routing tables, ensuring that network traffic remains isolated within each namespace by default.
The point of connecting the namespaces with a bridge is to enable controlled communication between them when necessary, such as for testing network communication between different services or applications running in separate namespaces. It allows for flexibility in network configuration while still providing isolation where needed.
Conclusion:
Network bridging and network namespaces are powerful tools in the Linux networking toolbox, offering flexibility, isolation, and control over network configurations. By understanding these concepts and how to implement them, you can tailor your Linux network environment to suit your specific needs, whether it's for testing, development, or production use. With the step-by-step guide provided in this blog post, you can start exploring the possibilities of Linux networking bridging and namespaces in your projects.
Also, connect with me on LinkedIn
Happy hacking!
Posted on February 8, 2024
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.