Linux — namespaces: Network namespace (Part 4)

Shlomi Boutnaru, Ph.D.
2 min read · Dec 13, 2022


In the first part of the series we talked generally about what namespaces are and what we can do with them; if you want to go over it, use the following link: https://medium.com/@boutnaru/linux-namespaces-part-1-dcee9c40fb68. Now we are going to take a deep dive into network namespaces.

First, in order for the kernel to support network namespaces it must be compiled with “CONFIG_NET_NS” enabled. Overall, network namespaces separate/isolate the different system resources associated with networking under Linux. Among those resources are: firewall rules, (IP) routing tables, the IPv4 and IPv6 protocol stacks, sockets, and the different directories related to the networking subsystem (such as “/proc/[PID]/net”, “/proc/sys/net”, “/sys/class/net” and more); see https://man7.org/linux/man-pages/man7/network_namespaces.7.html.

By the way, Unix domain sockets are also isolated by network namespaces (“man 7 unix”). It is important to understand that a physical network device can exist in only one network namespace at a time. When the last process in a network namespace exits, Linux frees the namespace, which moves any physical network device in it back to the initial network namespace.
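Because sockets and “/proc/[PID]/net” are per namespace, a socket listening inside another network namespace does not appear in the host’s own /proc/net/tcp. The following script, added here as an example and not part of the original post, groups processes by the identity of their network namespace (the “net:[inode]” link under /proc/[PID]/ns/net) and lists the TCP listeners as seen from inside each one, so a defender can spot listeners that host-level tools would miss. The /proc/net/tcp sample embedded for the parser is constructed, not captured from a real host.

```python
"""Map each process to its network namespace and list the TCP listeners visible there."""
import os

# Constructed sample of /proc/<pid>/net/tcp (hex addr:port, little-endian IPv4,
# state 0A == LISTEN). Not captured from a real host.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:A1B2 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""

def hex_addr_to_ipv4(h):
    """'0100007F' (little-endian hex as written by /proc) -> '127.0.0.1'."""
    b = bytes.fromhex(h)[::-1]
    return ".".join(str(x) for x in b)

def parse_listeners(text):
    """Return sorted (ip, port, uid) tuples for entries in LISTEN state (0A)."""
    out = []
    for line in text.splitlines()[1:]:           # skip the header row
        f = line.split()
        if len(f) < 8 or f[3] != "0A":
            continue
        addr, port = f[1].split(":")
        out.append((hex_addr_to_ipv4(addr), int(port, 16), int(f[7])))
    return sorted(out)

def net_ns_of(pid):
    """'net:[inode]' of a pid, or None if unreadable (no ptrace access, pid gone)."""
    try:
        return os.readlink(f"/proc/{pid}/ns/net")
    except OSError:
        return None

def listeners_per_net_ns():
    """Group visible pids by net namespace and read /proc/<pid>/net/tcp once per
    namespace; listeners found here may be absent from the host's /proc/net/tcp."""
    result = {}
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        ns = net_ns_of(pid)
        if ns is None or ns in result:
            continue
        try:
            with open(f"/proc/{pid}/net/tcp") as fh:
                result[ns] = parse_listeners(fh.read())
        except OSError:
            pass                                  # try the next pid in that namespace
    return result
```

Run as root to resolve the namespace of every process; as an unprivileged user only your own processes’ /proc/[PID]/ns/net links are readable, and the rest are skipped.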

Moreover, if we want to bridge to a network device that belongs to a different namespace, we can use a virtual Ethernet (veth) device, which creates a tunnel between network namespaces (https://man7.org/linux/man-pages/man4/veth.4.html).

Lastly, the screenshot below shows a network namespace being created with the “unshare” CLI tool (“man 1 unshare”). As you can see, an iptables rule is added, but it does not apply to the newly created network namespace.

You can follow me on Twitter: @boutnaru (https://twitter.com/boutnaru).
