[LINUX] Network Namespace routing

Introduction

This is a continuation of the previous Namespace article (last post: Linux Network Namespace). I had been wondering what netns stood for; it is short for NETwork NameSpace. As before, I will write up on Qiita what I noticed along the way.

The reason why communication was possible without the previous router

Networks built on IP normally depend on routers: delivery is a bucket relay of packets from one router to the next. However, the IP addresses configured last time "belonged to the same network segment", so communication was possible without a router.

So a router is needed only when you want to communicate with a host in a different segment.

What is a segment?

A segment is one part of a larger whole. There are also code segments and data segments (in the memory sense), but they are not relevant here, so I will leave them out.

The IP address is divided into two parts

An IPv4 address is a 32-bit binary integer. Example) XXXXXXXX00000000 XXXXXXXX00000000

=> Divide this into 8-bit groups. Each group is called an octet. Example) XXXXXXXX00000000 XXXXXXXX00000000 => XXXXXXXX.00000000.XXXXXXXX.00000000

Then convert each octet to decimal. Example) XXXXXXXX.00000000.XXXXXXXX.00000000 => XXX.X.X.0

An IP address written this way is divided into two parts. Example) for the IP address XXX.X.X.1, the first part XXX.X.X is the network part, and the trailing 1 is called the host part.

The network part is also called the network address, and the host part is also called the host address.

Why they are separated

To identify the segment. That is, IP addresses with the same network address belong to the same segment.

If you split the address after the 24th bit, the network address is the first 24 bits: XXX.X.X

Also, the address given to the veth created last time was something like XXX.X.X.X/24. The string /24 indicates that the first 24 bits are the network address.

Therefore, the two addresses from last time belong to the same network segment.
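To make the network part / host part split concrete, here is an added example (not from the original post) in POSIX sh: it converts a dotted-quad address to a 32-bit integer, masks it with the prefix length from the /24 notation, and decides whether two addresses share a segment. The function names and the demo addresses (the ones used later in this article) are my own choices.

```shell
#!/bin/sh
# Added example, not from the original article: split an IPv4 address into
# network part and host part for a given prefix length (the /24 in "a.b.c.d/24").

# ip_to_int a.b.c.d -> 32-bit integer
ip_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1           # split on "." into the four octets
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N -> a.b.c.d
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# prefix_to_mask LEN -> netmask as integer (LEN leading one bits)
prefix_to_mask() {
  echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# network_addr IP LEN -> dotted network address (the "network part")
network_addr() {
  int_to_ip $(( $(ip_to_int "$1") & $(prefix_to_mask "$2") ))
}

# host_part IP LEN -> host bits as a plain integer (the "host part")
host_part() {
  echo $(( $(ip_to_int "$1") & ~$(prefix_to_mask "$2") & 4294967295 ))
}

# same_segment IP1 IP2 LEN -> exit status 0 when both share a network address
same_segment() {
  [ "$(network_addr "$1" "$3")" = "$(network_addr "$2" "$3")" ]
}

# Demo with the addresses this article assigns to ns1, the router and ns2.
for pair in "192.0.2.1 192.0.2.254" "192.0.2.1 198.51.100.1"; do
  set -- $pair
  if same_segment "$1" "$2" 24; then
    echo "$1 and $2: same segment $(network_addr "$1" 24)/24, no router needed"
  else
    echo "$1 and $2: different segments, a router is needed"
  fi
done
```

The mask is built with 64-bit shell arithmetic, so the result is ANDed back down to 32 bits; with the /24 used throughout this article the mask is 255.255.255.0, which is exactly "keep the first three octets".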

Try putting in a router

Set things up so that the Namespaces ns1 and ns2 from last time communicate via a router.

Terminal


$ sudo ip netns add ns1
$ sudo ip netns add router
$ sudo ip netns add ns2

Start over from scratch. Create a namespace called "router" that sits between ns1 and ns2. Next, create the veth interfaces that connect each Namespace to the router. Since there are 3 Namespaces, a total of 2 veth links (pairs) are required.

Terminal


$ sudo ip link add ns1-veth0 type veth peer name gw-veth0
$ sudo ip link add ns2-veth0 type veth peer name gw-veth1

Move each end of the created veth interfaces into its Namespace and bring it up.

Terminal


$ sudo ip link set ns1-veth0 netns ns1
$ sudo ip link set gw-veth0 netns router
$ sudo ip link set gw-veth1 netns router
$ sudo ip link set ns2-veth0 netns ns2

$ sudo ip netns exec ns1 ip link set ns1-veth0 up
$ sudo ip netns exec router ip link set gw-veth0 up
$ sudo ip netns exec router ip link set gw-veth1 up
$ sudo ip netns exec ns2 ip link set ns2-veth0 up

Set the IP address

Set addresses between ns1 and the router. Assign each network interface an IP address from the same segment; both are in 192.0.2.0/24.

Terminal


$ sudo ip netns exec ns1 ip address add 192.0.2.1/24 dev ns1-veth0
$ sudo ip netns exec router ip address add 192.0.2.254/24 dev gw-veth0

Likewise give ns2 and the router addresses from one segment; both are in 198.51.100.0/24.

Terminal


$ sudo ip netns exec router ip address add 198.51.100.254/24 dev gw-veth1
$ sudo ip netns exec ns2 ip address add 198.51.100.1/24 dev ns2-veth0

The configuration now looks like the figure (netns3.png: ns1 - router - ns2).

Communicate over a router

Check whether communication across segments works through the router. Try pinging the IP address of ns2 from ns1 in the current state.

Terminal


$ sudo ip netns exec ns1 ping -c 3 198.51.100.1 -I 192.0.2.1

PING 198.51.100.1 (198.51.100.1) from 192.0.2.1 : 56(84) bytes of data.
ping: sendmsg: Network is unreachable
ping: sendmsg: Network is unreachable
ping: sendmsg: Network is unreachable

--- 198.51.100.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2000ms

"Network is unreachable": ping complains that it cannot reach the network. The cause of the failure is that the Network Namespace has no routing setting. The information needed to relay packets is kept in the routing table, so check the current routing table.

Terminal


$ sudo ip netns exec ns1 ip route show
192.0.2.0/24 dev ns1-veth0 proto kernel scope link src 192.0.2.1

There is only one routing entry in the ns1 routing table, and it says nothing more than that traffic destined for 192.0.2.0/24 goes out through the network interface ns1-veth0. In other words, the packet destination 198.51.100.1 does not match any routing entry, so ns1 did not know who to pass the packet to next.

The solution is to add a routing entry to the routing table

Terminal


$ sudo ip netns exec ns1 ip route add default via 192.0.2.254

A routing entry can be added with $ ip route add. "default via 192.0.2.254" means that packets for any destination not covered by another entry are handed to the router at 192.0.2.254. Next, ns2 has the same problem, so set it up the same way.

Terminal


$ sudo ip netns exec ns2 ip route add default via 198.51.100.254

Try pinging ns2 from ns1 again.

Terminal


$ sudo ip netns exec ns1 ping -c 3 198.51.100.1 -I 192.0.2.1
PING 198.51.100.1 (198.51.100.1) from 192.0.2.1 : 56(84) bytes of data.

--- 198.51.100.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2000ms

The error is gone, but no reply comes back to the ping I sent. It turns out you have to set a kernel parameter with the sysctl command: setting the kernel's net.ipv4.ip_forward to 1 enables IP forwarding. Linux does not act as a router unless this parameter is enabled.

Terminal


$ sudo ip netns exec router sysctl net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1

$ sudo ip netns exec ns1 ping -c 3 198.51.100.1 -I 192.0.2.1
PING 198.51.100.1 (198.51.100.1) from 192.0.2.1 : 56(84) bytes of data.
64 bytes from 198.51.100.1 : icmp_seq=1 ttl=63 time=0.022 ms
64 bytes from 198.51.100.1 : icmp_seq=2 ttl=63 time=0.044 ms
64 bytes from 198.51.100.1 : icmp_seq=3 ttl=63 time=0.066 ms

--- 198.51.100.1 ping statistics ---
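The steps above, gathered into one script as an added example (this is not from the original post). It builds the ns1 - router - ns2 topology in the order the article uses, with both gw-veth interfaces moved into the router namespace and brought up, both default routes added, and net.ipv4.ip_forward enabled in the router, then verifies with the same ping. It assumes a Linux host with iproute2 and root privileges; the "plan" mode only prints the commands and needs neither.

```shell
#!/bin/sh
# Added example, not the original article's listing: build the routed
# namespace topology from this article end to end.
#   sudo sh netns-router.sh build   # create namespaces, links, routes; ping test
#   sh netns-router.sh plan         # print the commands without running them
set -eu

# run CMD... : execute, or just print when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "$*"
  else
    "$@"
  fi
}

# Remove leftovers from a previous run so the build can be repeated.
teardown() {
  for ns in ns1 router ns2; do
    run ip netns delete "$ns" 2>/dev/null || true
  done
}

setup() {
  run ip netns add ns1
  run ip netns add router
  run ip netns add ns2

  # One veth pair per link: ns1 <-> router and ns2 <-> router.
  run ip link add ns1-veth0 type veth peer name gw-veth0
  run ip link add ns2-veth0 type veth peer name gw-veth1

  # Move each end into its namespace (gw-veth1 must not be forgotten) and bring it up.
  run ip link set ns1-veth0 netns ns1
  run ip link set gw-veth0 netns router
  run ip link set gw-veth1 netns router
  run ip link set ns2-veth0 netns ns2
  run ip netns exec ns1 ip link set ns1-veth0 up
  run ip netns exec router ip link set gw-veth0 up
  run ip netns exec router ip link set gw-veth1 up
  run ip netns exec ns2 ip link set ns2-veth0 up

  # Addresses: 192.0.2.0/24 on the ns1 side, 198.51.100.0/24 on the ns2 side.
  run ip netns exec ns1 ip address add 192.0.2.1/24 dev ns1-veth0
  run ip netns exec router ip address add 192.0.2.254/24 dev gw-veth0
  run ip netns exec router ip address add 198.51.100.254/24 dev gw-veth1
  run ip netns exec ns2 ip address add 198.51.100.1/24 dev ns2-veth0

  # Default routes toward the router, and forwarding enabled on the router.
  run ip netns exec ns1 ip route add default via 192.0.2.254
  run ip netns exec ns2 ip route add default via 198.51.100.254
  run ip netns exec router sysctl net.ipv4.ip_forward=1
}

# Confirm forwarding is on and ns1 can reach ns2 across the router.
verify() {
  [ "$(ip netns exec router sysctl -n net.ipv4.ip_forward)" = 1 ] || return 1
  ip netns exec ns1 ping -c 3 198.51.100.1 -I 192.0.2.1
}

# planned_commands -> the exact command list setup would run, one per line.
planned_commands() {
  ( DRY_RUN=1; setup )
}

case "${1:-}" in
  build) teardown; setup; verify ;;
  plan)  planned_commands ;;
esac
```

The dry-run wrapper is there so the command list can be reviewed before anything is changed on the host; with "build", forwarding stays off until the very last command, so a ping issued before that point reproduces the "0 received" result seen above.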

At the end

Communication now passes between ns1 and ns2 via a router. Most of this was quoted from books, and it is still lacking in depth; I would like to learn by looking up terms little by little.
