Automatically move physical network interfaces to namespace

networkingsystemdudev

I would like all of the physical interfaces on my system to live within a specific network namespace called "physical". It's easy enough to move devices over manually using commands like ip link set enp2s0 netns physical and iw phy phy0 set netns name physical, but I would like this to happen automatically both at boot and for any devices connected at runtime.

It seems like the best way to accomplish this would be via udev rules, or possibly some systemd magic.

My first thought was just to write a udev rule that runs the appropriate command, but I ran into a couple of questions I haven't been able to answer via my searches:

How do I distinguish physical interfaces from virtual interfaces?
How do I tell WLAN interfaces apart so I can issue the iw command instead of the ip command?
How do I get the name of a WLAN phy so I can pass it to the iw command?

I was hoping the above would be relatively straightforward, but I don't see any obvious distinguishing factors in udevadm info.

Best Answer

Most of these informations are retrievable from /sys:

1a. /sys/class/net/ : list of network devices, all types included

1b. /sys/devices/virtual/net/ : list of virtual network devices: includes lo, tunnels, veth, bridges ... so if it's in the former but not this one, it should be physical.

if a device is a modern wireless device (driver), it will have the entry /sys/class/net/<device>/phy82011/name, eg:

$ grep -s --with-filename ''  /sys/class/net/*/phy80211/name
/sys/class/net/wlan0/phy80211/name:phy0
/sys/class/net/wlan1/phy80211/name:phy1
/sys/class/net/wlan2/phy80211/name:phy2

So by running the adequate script from udev environment and comparing with those directories and files from /sys, you should have all the needed informations to do it.

Just as a side note, if later, to work on those devices, you change only the network namespace (eg using nsenter --net=/var/run/netns/physical), /sys will still be in the host's mount namespace, and won't reflect the arrival of those devices but will instead show them missing. Using ip netns exec physical command is fine, it does change mount namespace and remounts /sys for you.

Related Solutions

Linux – How to Find Available Network Interfaces

The simplest method I know to list all of your interfaces is

ifconfig -a

EDIT

If you're on a system where that has been made obsolete, you can use

ip link show

Linux – Trying to run OpenVPN in Network Namespace

Starting openvpn inside the network namespace is safer. I use the following script (fork of Schnouki's) to create namespace, configure firewall, DNS, test connectivity, start openvpn, and finally start a torrent client. I put TODOs in the script where you have to adjust it to your needs.

#!/bin/sh
# start openvpn tunnel and torrent client inside Linux network namespace
#
# this is a fork of schnouki's script, see original blog post
# https://schnouki.net/posts/2014/12/12/openvpn-for-a-single-application-on-linux/
#
# original script can be found here
# https://gist.github.com/Schnouki/fd171bcb2d8c556e8fdf

# ------------ adjust values below ------------
# network namespace
NS_NAME=myVPN
NS_EXEC="ip netns exec $NS_NAME"
# user for starting the torrent client
REGULAR_USER=heinzwurst
# ---------------------------------------------

# exit on unbound variable
set -u

# exit on error
set -e
set -o pipefail

# trace option
#set -x

if [ $USER != "root" ]; then
    echo "This must be run as root."
    exit 1
fi

start_vpn() {
    echo "Add network interface"

    # Create the network namespace
    ip netns add $NS_NAME

    # Start the loopback interface in the namespace
    $NS_EXEC ip addr add 127.0.0.1/8 dev lo
    $NS_EXEC ip link set lo up

    # Create virtual network interfaces that will let OpenVPN (in the
    # namespace) access the real network, and configure the interface in the
    # namespace (vpn1) to use the interface out of the namespace (vpn0) as its
    # default gateway
    ip link add vpn0 type veth peer name vpn1
    ip link set vpn0 up
    ip link set vpn1 netns $NS_NAME up

    ip addr add 10.200.200.1/24 dev vpn0
    $NS_EXEC ip addr add 10.200.200.2/24 dev vpn1
    $NS_EXEC ip link set dev vpn1 mtu 1492
    $NS_EXEC ip route add default via 10.200.200.1 dev vpn1

    # Configure the nameserver to use inside the namespace
    # TODO use VPN-provided DNS servers in order to prevent leaks
    mkdir -p /etc/netns/$NS_NAME
    cat >/etc/netns/$NS_NAME/resolv.conf <<EOF || exit 1
nameserver 8.8.8.8
nameserver 8.8.4.4
EOF

    # IPv4 NAT, you may need to adjust the interface name prefixes 'eth' 'wlan'
    iptables -t nat -A POSTROUTING -o eth+ -m mark --mark 0x29a -j MASQUERADE
    iptables -t nat -A POSTROUTING -o wlan+ -m mark --mark 0x29a -j MASQUERADE
    iptables -t mangle -A PREROUTING -i vpn0 -j MARK --set-xmark 0x29a/0xffffffff

    # TODO create firewall rules for your specific application (torrent)
    # or just comment the line below
    $NS_EXEC iptables-restore < /etc/iptables/iptables-$NS_NAME.rules

    # we should have full network access in the namespace
    $NS_EXEC ping -c 3 www.google.com

    # start OpenVPN in the namespace
    echo "Starting VPN"
    cd /etc/openvpn
    # TODO create openvpn configuration in /etc/openvpn/$NS_NAME.conf
    $NS_EXEC openvpn --config $NS_NAME.conf &

    # wait for the tunnel interface to come up
    while ! $NS_EXEC ip link show dev tun0 >/dev/null 2>&1 ; do sleep .5 ; done
}

stop_vpn() {
    echo "Stopping VPN"
    ip netns pids $NS_NAME | xargs -rd'\n' kill
    # TODO wait for terminate

    # clear NAT
    iptables -t nat -D POSTROUTING -o eth+ -m mark --mark 0x29a -j MASQUERADE
    iptables -t nat -D POSTROUTING -o wlan+ -m mark --mark 0x29a -j MASQUERADE
    iptables -t mangle -D PREROUTING -i vpn0 -j MARK --set-xmark 0x29a/0xffffffff

    echo "Delete network interface"
    rm -rf /etc/netns/$NS_NAME

    ip netns delete $NS_NAME
    ip link delete vpn0
}

# stop VPN on exit (even when error occured)
trap stop_vpn EXIT

start_vpn

# TODO start your favorite torrent client
$NS_EXEC sudo -u $REGULAR_USER transmission-gtk

Best Answer

Related Solutions

Linux – How to Find Available Network Interfaces

Linux – Trying to run OpenVPN in Network Namespace

Related Question