
I'm trying to set up two network namespaces to communicate with each other. I've set up two namespaces, ns0 and ns1, that each have a veth pair, where the non-namespaced side of the veth is linked to a bridge.

I set it up like this:

# veth pairs; the br* ends stay in the host namespace and will be enslaved to the bridge
ip link add veth0 type veth peer name brveth0
ip link set brveth0 up

ip link add veth1 type veth peer name brveth1
ip link set brveth1 up

# bridge in the host namespace, with its own address
ip link add br10 type bridge
ip link set br10 up

ip addr add 192.168.1.11/24 brd + dev br10

# namespaces; move one end of each veth pair into its namespace
ip netns add ns0
ip netns add ns1

ip link set veth0 netns ns0
ip link set veth1 netns ns1

# configure the addresses inside the namespaces
ip netns exec ns0 ip addr add 192.168.1.20/24 dev veth0
ip netns exec ns0 ip link set veth0 up
ip netns exec ns0 ip link set lo up

ip netns exec ns1 ip addr add 192.168.1.21/24 dev veth1
ip netns exec ns1 ip link set veth1 up
ip netns exec ns1 ip link set lo up

# attach the host-side ends to the bridge
ip link set brveth0 master br10
ip link set brveth1 master br10

As expected, I can ping the interface in ns0 from ns1.

$ sudo ip netns exec ns1 ping -c 3  192.168.1.20
PING 192.168.1.20 (192.168.1.20) 56(84) bytes of data.
64 bytes from 192.168.1.20: icmp_seq=1 ttl=64 time=0.099 ms
64 bytes from 192.168.1.20: icmp_seq=2 ttl=64 time=0.189 ms

But I can't connect the two over TCP.

For example, running a server in ns0:

$ sudo ip netns exec ns0 python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...

I would expect to be able to curl it from ns1, but that yields an error:

$ sudo ip netns exec ns1 curl 192.168.1.20:8080
curl: (7) Failed to connect to 192.168.1.20 port 8080: No route to host

Why is this happening?

Lee Avital
    Looks like it should work... You can also test with `nc`/`netcat`/`socat` (test in two windows in the main namespace first if you haven't used those, one for the "server" (listens), one for the "client" (connects)). BTW, if you start an xterm in each namespace, debugging is much more pleasant. Oh, and check for `iptables` rules, just in case. – dirkt Oct 11 '19 at 03:13
  • The only possible culprit is the bridge on the host namespace (which gets exposed to firewall rules, [including](http://ebtables.netfilter.org/documentation/bridge-nf.html) to [iptables](http://ebtables.netfilter.org/br_fw_ia/br_fw_ia.html#section7) ). Try the experiment again with a 3rd network namespace where the bridge will be created (bridges can't be moved) and veth links moved and attached accordingly. – A.B May 21 '20 at 02:12

1 Answer


I encountered a similar situation: on a k8s host using flannel, podA can ping podB on the same host, but the TCP connection was reset by an ICMP reset from cni0. iptables-save shows rules about k8s, and all of them look fine. nft list ruleset shows rules made by firewalld:

table inet firewalld {

    chain filter_FORWARD {
        type filter hook forward priority filter + 10; policy accept;
        ct state { established, related } accept
        ct status dnat accept
        iifname "lo" accept
        ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
        jump filter_FORWARD_ZONES
        ct state invalid drop
        reject with icmpx admin-prohibited
    }

Everything works fine after I stop the firewalld service (`systemctl stop firewalld`). So please check whether there are any other services or kernel modules that may also be using netfilter.

seamaner
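As an added example (not code from the question, the answer, or firewalld), a small Python diagnostic in the spirit of the answer's advice: it parses `nft list ruleset` output and reports forward-hook base chains that end in a drop policy or an unconditional reject/drop, which is exactly what bridged traffic runs into when br_netfilter's bridge-nf-call-iptables is 1. The sample ruleset is constructed from the firewalld chain quoted above, and the function names are this example's own.

```python
import re
# Constructed sample, modelled on the firewalld chain quoted in the answer above.
SAMPLE = """table inet firewalld {
    chain filter_FORWARD {
        type filter hook forward priority filter + 10; policy accept;
        ct state { established, related } accept
        ct state invalid drop
        reject with icmpx admin-prohibited
    }
}
"""

TABLE_RE = re.compile(r"^table\s+(\S+)\s+(\S+)\s*\{$")
CHAIN_RE = re.compile(r"^chain\s+(\S+)\s*\{$")
BASE_RE = re.compile(r"^type\s+\S+\s+hook\s+(\S+)\s+priority\s+[^;]+;\s*policy\s+(\w+)")
TERMINAL_RE = re.compile(r"^(reject|drop)(\s|$)")   # verdict with no match expression

def parse_ruleset(text):
    """Parse `nft list ruleset` text into chain dicts; set/map/flowtable bodies are skipped."""
    chains, stack, cur = [], [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := TABLE_RE.match(line):
            stack.append(("table", f"{m[1]} {m[2]}"))
        elif (m := CHAIN_RE.match(line)) and stack and stack[-1][0] == "table":
            cur = {"table": stack[-1][1], "name": m[1], "hook": "", "policy": "", "rules": []}
            chains.append(cur)
            stack.append(("chain", cur))
        elif line == "}":                       # closes the innermost open block
            if stack.pop()[0] == "chain":
                cur = None
        elif line.endswith("{"):                # set, map, flowtable ...: skip its body
            stack.append(("other", None))
        elif cur is not None and stack[-1][0] == "chain":
            if m := BASE_RE.match(line):        # base-chain header: hook and policy
                cur["hook"], cur["policy"] = m[1], m[2]
            else:
                cur["rules"].append(line)
    return chains

def forward_blockers(chains):
    """Forward-hook base chains ending in a drop policy or an unconditional reject/drop.
    'reject with icmpx admin-prohibited' reaches a TCP client as EHOSTUNREACH ('No route to host')."""
    hits = []
    for c in [c for c in chains if c["hook"] == "forward"]:
        if c["policy"] == "drop":
            hits.append((c["table"], c["name"], "policy drop"))
        hits += [(c["table"], c["name"], r) for r in c["rules"] if TERMINAL_RE.match(r)]
    return hits
```

Run it against the live output with `forward_blockers(parse_ruleset(subprocess.check_output(["nft", "list", "ruleset"], text=True)))`; an empty list means no forward-hook chain unconditionally blocks, so look elsewhere (iptables-legacy, other modules).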