Netns
A netns (network namespace) is a separate instance of the network stack with its own network devices (links), IP configuration and firewall rules. Besides being the building block of containers, network namespaces can be used to get stricter isolation than VRFs provide.
Prerequisites
The packages and patches described in this article are available in Alpine edge and ≥3.19.
NETNS management
iproute2
Network namespaces can be managed ad hoc with the ip netns subcommands:
```sh
ip netns
ip netns add tenant1
ip netns del tenant1
ip netns exec tenant1 ip -br link
```
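As an added example that is not part of the wiki page, the following POSIX shell script wraps the commands above: it creates a namespace, shows that a fresh netns holds nothing but a loopback (no addresses, no routes), runs a command inside it with ip netns exec, and removes it again. It assumes root (CAP_NET_ADMIN), the iproute2 ip binary, and reuses the namespace name tenant1 and the address 198.51.100.1 from this page; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the Alpine wiki page: create a throw-away netns,
# show what a fresh namespace contains, run one command inside it and tear
# it down again. Requires root (CAP_NET_ADMIN) and the iproute2 "ip" binary.
set -eu

netns_create() {
    # "ip netns add" also bind-mounts the namespace at /var/run/netns/<name>,
    # which is what lets "ip netns exec" (and OpenRC's netns=) enter it later.
    ip netns add "$1"
    # A new netns has exactly one link, a loopback that is still down.
    ip -n "$1" link set lo up
}

netns_link_count() {
    # Number of links visible from inside the namespace (1 for a fresh netns).
    ip -n "$1" -br link | grep -c .
}

netns_show() {
    # Everything below is per namespace: links, addresses and routes.
    echo "== links in $1";     ip -n "$1" -br link
    echo "== addresses in $1"; ip -n "$1" -br addr
    echo "== routes in $1";    ip -n "$1" route
}

netns_destroy() {
    ip netns del "$1"
}

demo() {
    ns=${1:-tenant1}
    netns_create "$ns"
    netns_show "$ns"
    # The command runs with the namespace's own stack: loopback resolves ...
    ip netns exec "$ns" ip route get 127.0.0.1
    # ... but without a default route the page's upstream address is
    # simply unreachable from inside the namespace.
    ip netns exec "$ns" ip route get 198.51.100.1 || echo "unreachable from $ns, as expected"
    netns_destroy "$ns"
}

# Run the demo only when invoked directly with "run", e.g. ./netns-demo.sh run
if [ "${1:-}" = run ]; then
    demo tenant1
fi
```

Invoked with the argument run, the script prints the (empty) address and route tables of the new namespace, the loopback route lookup, and the "Network is unreachable" error for the external address, which is the isolation the namespace provides.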
ifstate
IfState, a declarative network configuration tool, is fully netns aware since IfState 1.9.0. The following config example creates a WireGuard tunnel and a VLAN sub-interface. The WireGuard link wg0 and the VLAN sub-interface are moved into the vpn netns, while the VLAN's parent link and the WireGuard UDP socket stay in the root netns.
```yaml
# root netns
interfaces:
  - name: eth0
    addresses:
      - 198.51.100.2/31
    link:
      state: up
      kind: physical
routing:
  routes:
    - to: 0.0.0.0/0
      via: 198.51.100.1
  rules: []

namespaces:
  # "vpn" netns
  vpn:
    interfaces:
      - name: eth0.42
        addresses:
          - 192.0.2.1/25
        link:
          state: up
          kind: vlan
          vlan_id: 42
          link: eth0
          # link to eth0 in root netns
          link_netns: null
      - name: wg0
        addresses:
          - 192.0.2.254/30
        link:
          state: up
          kind: wireguard
          # bind wireguard to the root netns
          bind_netns: null
        wireguard:
          private_key: !include /etc/wireguard/secret.key
          peers:
            - public_key: 3Eimby+9YtJwtx+peCsz6RiubRqAp+cATHNiGWsUsEU=
              endpoint: 203.0.113.42
              persistent_keepalive_interval: 30
              allowedips:
                - 0.0.0.0/0
    routing:
      routes:
        - to: 0.0.0.0/0
          dev: wg0
      rules: []
```
NETNS-based Service Isolation
Services can be run isolated in a netns (and in a VRF inside that netns) when running OpenRC 0.49.0-r1 or later. In most cases it is enough to set the $netns variable for the service in /etc/conf.d.
The netns must already exist before a service can be started inside it!
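The page does not say how to guarantee that the namespace exists before the service starts. One way, shown here as an added example that is not part of the page or of OpenRC, is a small OpenRC init script that creates a namespace at boot and that services can depend on via rc_need. The netns.<name> symlink naming and the helper function names are this example's own assumptions; ip netns add/del, ebegin/eend and rc_need are the standard iproute2 and OpenRC interfaces.

```shell
#!/sbin/openrc-run
# Added example, not from the Alpine wiki page or OpenRC itself: an init
# script that creates (and on stop removes) one network namespace so that
# services started with netns="<name>" in /etc/conf.d can depend on it.
# Install it as /etc/init.d/netns and symlink it once per namespace, e.g.
#   ln -s netns /etc/init.d/netns.vpn && rc-update add netns.vpn boot
# The service name suffix after "netns." is the namespace name (a
# convention of this example, not of OpenRC).

svc_netns() {
    # "netns.vpn" -> "vpn"; a bare "netns" service name yields an empty string.
    case $1 in
        netns.*) printf '%s\n' "${1#netns.}" ;;
        *) printf '\n' ;;
    esac
}

netns_exists() {
    # "ip netns list" prints lines like "vpn (id: 0)"; compare only the
    # first field, and match the whole name rather than a substring.
    ip netns list 2>/dev/null | cut -d ' ' -f1 | grep -qx -- "$1"
}

ns=$(svc_netns "${RC_SVCNAME:-}")
description="Network namespace ${ns:-<unset>}"

depend() {
    need localmount
    before net
}

start() {
    if [ -z "$ns" ]; then
        eerror "use a symlink named netns.<name>, not ${RC_SVCNAME:-netns}"
        return 1
    fi
    if netns_exists "$ns"; then
        einfo "netns $ns already exists"
        return 0
    fi
    ebegin "Creating netns $ns"
    # A fresh namespace only has a loopback, and it is down; bring it up so
    # that services binding 127.0.0.1 inside the namespace work.
    ip netns add "$ns" && ip -n "$ns" link set lo up
    eend $?
}

stop() {
    ebegin "Removing netns $ns"
    ip netns del "$ns"
    eend $?
}
```

With the script installed as /etc/init.d/netns and symlinked as netns.vpn, set netns="vpn" together with rc_need="netns.vpn" in /etc/conf.d/<service>, so OpenRC only starts the service once the namespace exists. When the namespace is created by ifstate instead, as in the config above, let the service depend on the service that runs ifstate rather than on this script, so the two do not compete for the same name.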
NETNS-compatible initd scripts
Not all initd scripts are netns compatible. Some network-stack-related packages have been patched to be netns aware:
- ipset
- iptables
- nftables