
Create network namespace

# ip netns add blue

# ip netns list



Add a network interface to the namespace

Create a veth pair first

# ip link add veth0 type veth peer name veth1

In the current namespace, you can see veth0 and veth1

# ip link list

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000

    link/ether 00:0c:29:b2:cf:72 brd ff:ff:ff:ff:ff:ff

3: veth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000

    link/ether ae:0d:00:e1:11:38 brd ff:ff:ff:ff:ff:ff

4: veth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000

    link/ether 42:e7:50:d4:bb:c5 brd ff:ff:ff:ff:ff:ff


Add veth1 to namespace “blue”

# ip link set veth1 netns blue

At this point, the current namespace can only see veth0.


The following command can be used to view the network interfaces of the blue namespace.

# ip netns exec blue ip link list



Configuring the network interface of a network namespace

The network interface of a namespace can be configured through ip netns exec.

# ip netns exec blue ifconfig veth1 up


Communication between a network namespace interface and the physical network card

This is done with a bridge. See the veth pair section.


Main reference

[0] Introducing Linux Network Namespaces


veth pair

A veth pair is a way to communicate between different network namespaces. Data sent into one end of the pair in one network namespace comes out of the other end in the other network namespace. As follows:



# add the namespaces

ip netns add ns1

ip netns add ns2

# create the veth pair

ip link add tap1 type veth peer name tap2

# move the interfaces to the namespaces

ip link set tap1 netns ns1

ip link set tap2 netns ns2

# bring up the links

ip netns exec ns1 ip link set dev tap1 up

ip netns exec ns2 ip link set dev tap2 up


If multiple network namespaces need to communicate, a bridge is needed.


# add the namespaces

ip netns add ns1

ip netns add ns2

# create the switch

BRIDGE=br-test

brctl addbr $BRIDGE

brctl stp   $BRIDGE off

ip link set dev $BRIDGE up


#### PORT 1

# create a port pair

ip link add tap1 type veth peer name br-tap1

# attach one side to linuxbridge

brctl addif br-test br-tap1

# attach the other side to namespace

ip link set tap1 netns ns1

# set the ports to up

ip netns exec ns1 ip link set dev tap1 up

ip link set dev br-tap1 up


#### PORT 2

# create a port pair

ip link add tap2 type veth peer name br-tap2

# attach one side to linuxbridge

brctl addif br-test br-tap2

# attach the other side to namespace

ip link set tap2 netns ns2

# set the ports to up

ip netns exec ns2 ip link set dev tap2 up

ip link set dev br-tap2 up



Kernel Implementation

The veth implementation is similar to the loopback interface and relatively simple:


static netdev_tx_t veth_xmit(struct sk_buff *skb, struct net_device *dev)
{
    struct net_device *rcv = NULL;
    struct veth_priv *priv, *rcv_priv;
    /* ... remaining declarations elided in this excerpt ... */

    priv = netdev_priv(dev);
    rcv = priv->peer;               /* the other end of the veth pair */
    rcv_priv = netdev_priv(rcv);

    stats = this_cpu_ptr(priv->stats);
    /* ... */

    length = skb->len;

    /* Forward to peer */
    if (dev_forward_skb(rcv, skb) != NET_RX_SUCCESS)
        goto rx_drop;

    /* ... statistics update and rx_drop handling elided ... */
}



NETIF_F_NETNS_LOCAL is a network device feature; devices that set this feature are not allowed to move between network namespaces. Such devices are also called local devices.

Loopback, VXLAN, PPP and bridge devices are all of this kind. You can see this value with ethtool -k, or ethtool --show-features:

# ethtool -k br0

netns-local: on [fixed]


If you try to move such a device into another network namespace, the following error is reported:

# ip link set br0 netns ns1

RTNETLINK answers: Invalid argument


Refer to “Resource management: Linux kernel Namespaces and cgroups”.
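
A pre-flight check for the netns-local feature described above, written as an added example that is not part of the original article. The helper names netns_local_state and safe_move_to_netns are hypothetical, and the sample ethtool -k output is constructed rather than captured from a real host.

```shell
#!/bin/sh
# Added example: check NETIF_F_NETNS_LOCAL before moving a device, so the
# caller gets a clear reason instead of "RTNETLINK answers: Invalid argument".

# netns_local_state: read `ethtool -k <dev>` output on stdin and print
# "on", "off", or "unknown" when the netns-local line is absent.
netns_local_state() {
    awk -F': *' '
        $1 ~ /^[ \t]*netns-local$/ { split($2, f, " "); state = f[1] }
        END { print (state == "" ? "unknown" : state) }
    '
}

# safe_move_to_netns DEV NS: move DEV into namespace NS only when the
# device is not netns-local.
# Return codes: 0 moved, 2 device is netns-local, 3 feature state unknown.
safe_move_to_netns() {
    sm_dev=$1
    sm_ns=$2
    sm_state=$(ethtool -k "$sm_dev" 2>/dev/null | netns_local_state)
    case $sm_state in
        off)
            ip link set "$sm_dev" netns "$sm_ns"
            ;;
        on)
            echo "$sm_dev is netns-local; connect it with a veth pair instead" >&2
            return 2
            ;;
        *)
            echo "cannot read netns-local state for $sm_dev" >&2
            return 3
            ;;
    esac
}

# Constructed sample of `ethtool -k br0` output (not from a real host).
sample='Features for br0:
rx-checksumming: off [fixed]
netns-local: on [fixed]'

# Parse the sample; this needs neither root nor a real br0 device.
printf '%s\n' "$sample" | netns_local_state
```

Calling safe_move_to_netns on a real host requires root and the ethtool and ip utilities.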

Main reference

[0] Linux Switching – Interconnecting Namespaces

