1. Network Namespaces

Docker, LXC and similar container systems are virtual environments with much less overhead than virtual machines, because there is no guest OS: every container shares the host kernel. Containers are built on the following kernel components:

  • cgroups (control groups) limit and account for the resource usage of a collection of processes, including CPU cores, memory, block I/O and network bandwidth (tc, iptables).
  • Namespaces isolate and virtualize the system resources seen by a collection of processes, including PIDs, hostnames, user IDs, the network stack and filesystems.

Network namespaces virtualize the network stack: a network namespace is (logically) a separate copy of the network stack with its own network interfaces, iptables rules, routing tables and sockets. On creation a network namespace contains only the loopback device; you can then create virtual interfaces in it or move physical interfaces into it. A network interface belongs to exactly one network namespace at a time. Containers usually use virtual interface pairs (veth driver): eth0 in the container namespace is paired (logically cross-connected) with a vethXXX interface in the host namespace.

PF_RING natively supports network namespaces and exports socket information under /proc/net/pf_ring/. There is a separate /proc/net/pf_ring/ view for each namespace. When you open a socket on an interface, it captures traffic from that interface in the current namespace only. The ‘any’ interface is the exception: with this interface name, traffic from all namespaces is captured, so a capture on ‘any’ sees traffic that belongs to other containers' namespaces as well.

The ip netns command can be used to manage network namespaces, as in the examples below (all of them require root privileges).

Create a network namespace ns0:

ip netns add ns0

List all network namespaces:

ip netns list

Move a network interface eth1 to the network namespace ns0:

ip link set eth1 netns ns0

List all interfaces registered with pf_ring in the host (default namespace):

ls /proc/net/pf_ring/dev/

List all interfaces registered with pf_ring in the namespace ns0:

ip netns exec ns0 ls /proc/net/pf_ring/dev/

Bring the interface eth1 up in the namespace ns0:

ip netns exec ns0 ifconfig eth1 up

Run pfcount in the network namespace ns0 capturing from eth1:

ip netns exec ns0 pfcount -i eth1

Delete the network namespace ns0 (all interfaces in ns0 will move back to the host default namespace):

ip netns del ns0
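The steps above, combined into one script as an added example (this is not part of the PF_RING documentation). The namespace and interface names are parameters, the real commands need root, and a DRY_RUN switch (an assumption of this example, not a PF_RING or iproute2 feature) prints the commands instead of executing them so the flow can be checked on a machine without PF_RING. The namespace is deleted on exit whatever happens, so a captured interface is never left stranded inside a namespace that nothing references.

```shell
#!/bin/sh
# Added example: create a network namespace, move an interface into it,
# list the interfaces pf_ring sees there, run pfcount, and always clean up.
# DRY_RUN=1 prints the commands instead of running them (assumption of this
# example). The real commands need root.

DRY_RUN="${DRY_RUN:-0}"

# run CMD...: execute CMD, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ns_setup NS IFACE: create namespace NS and move IFACE into it.
ns_setup() {
    ns="$1"; iface="$2"
    run ip netns add "$ns"
    run ip link set "$iface" netns "$ns"
    # Same effect as "ifconfig eth1 up" in the text, using iproute2.
    run ip netns exec "$ns" ip link set "$iface" up
    # A new namespace only has loopback, and it starts down.
    run ip netns exec "$ns" ip link set lo up
}

# ns_pfring_devs NS: interfaces registered with pf_ring inside NS.
ns_pfring_devs() {
    run ip netns exec "$1" ls /proc/net/pf_ring/dev/
}

# ns_capture NS IFACE: run pfcount on IFACE inside NS. The socket only sees
# traffic of that namespace; 'any' would also see every other namespace.
ns_capture() {
    run ip netns exec "$1" pfcount -i "$2"
}

# ns_teardown NS: delete NS; its interfaces move back to the host namespace.
ns_teardown() {
    run ip netns del "$1"
}

main() {
    ns="${1:-ns0}"; iface="${2:-eth1}"
    trap 'ns_teardown "$ns"' EXIT INT TERM
    ns_setup "$ns" "$iface"
    ns_pfring_devs "$ns"
    ns_capture "$ns" "$iface"
}

# Run the flow only when explicitly asked, so the file can also be sourced.
if [ "${PFRING_NS_RUN:-0}" = "1" ]; then
    main "$@"
fi
```

Usage: `PFRING_NS_RUN=1 sh netns-capture.sh ns0 eth1` as root runs the capture; `DRY_RUN=1 PFRING_NS_RUN=1 sh netns-capture.sh` only prints the command sequence. Note that whoever can run `ip netns exec` or open a PF_RING socket on ‘any’ can observe traffic of every namespace on the host, so that privilege should be limited to the host operator, not granted to the containers themselves.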