Linux – LXC container to use “virtual” interface from host (namespace semantics)

linux-kernellxcnamespacenetworking

So according to the documentation on the Ubuntu LXC documentation the following statement can be found at the time of this writing:

A NIC can only exist in one namespace at a time, so a physical NIC passed into the container is not usable on the host.

Now one can have a single physical network card (NIC) share several IPs like this in /etc/network/interfaces (Debian/Ubuntu):

auto eth0 eth0:1
iface eth0 inet static
    address 192.168.0.100/24
    gateway 192.168.0.1
iface eth0:1 inet static
    address 192.168.0.200
    netmask 255.255.255.0

The same can be done with the respective configuration on other distros as well.

Now the question: can eth0 and eth0:1 be assigned to different namespaces or will assigning either one limit the other to the same namespace automatically?

Best Answer

It should be possible to assign eth0 and eth0:1 to different namespaces, but keep in mind there are security implications because you are exposing physical network device to your container.

Because of that, I would just use veth and bridge. Create a bridge br0 and bridge it with eth0 device by default. Then configure your lxc container like this:

lxc.network.type=veth
lxc.network.ipv4=192.168.0.200
lxc.network.link=br0

This will have the same result, but you will use a virtual Ethernet interface for the container and you will also be able to access the same network that your LXC host is in because of the bridge.

Related Solutions

Debian Networking – Fixing `RTNETLINK answers: File exists` Error

I got it that I had to flush the device before bringing it up:

# ip addr flush dev eth1

Clearing manually set interface configuration information like this is mentioned in the Ubuntu Server Guide.

How to forward traffic across two Ethernet cards

Your issue is mainly the route configuration of the hosts. I assume your current setup is as follow:

enp1s0 interface has ip address 192.168.1.1/24
enp3s0 interface has ip address 192.168.176.1/24

For hosts between the two IP network to communicate, they need a dedicated entry in their routing table.

The hosts on 192.168.1.0/24 that need to access the IP camera need to know that 192.168.1.1 is the router for 192.168.176.0/24.
The hosts on 192.168.176.0/24 need a route to 192.168.1.0/24.

Now I assume that the static/DHCP configuration for the IP cameras is to route default traffic through 192.168.176.1, so they know where to send packets for the PCs. But the PCs on 192.168.1.0/24 have only one default entry the internet router. So any packet to 192.168.176.0/24 get sent there and lost.

You can either

configure your DHCP router on 192.168.1.0/24 to advertise a static route to 192.168.176.0/24 via 192.168.1.1 with the "classless static route" option
add manually 192.168.1.1 as a gateway to 192.168.176.0/24 on the PCs

You will also need to flush your iptables rules. The POSTROUTING rule will mess up the routing and the FORWARD rule is useless (unless you have a DROP policy).

iptables -t nat -F POSTROUTING
iptables -F FORWARD

Your cameras could see the PCs because they were configured with a default gateway of 192.168.176.1 and the nat POSTROUTING entry. For example if IP camera 192.168.176.10 sends a packet to PC 192.168.1.20, the packet will first be sent to 192.168.176.1 (enp3s0) the default gateway. The Ubuntu PC will forward the packet to enp1s0, rewriting the sender's address as its own, 192.168.1.1. When 192.168.1.20 replies the packet, it sends it back to the substituted address, 192.168.1.1. When the Ubuntu PC receives it, it knows it is a reply to the IP camera 192.168.176.10. So it rewrites the destination address to 192.168.176.10 and fowards it through enp3s0.

Now you don't want to mess packets with NAT, you just need IP routing. In the preceding example, the PC sees the camera IP address as 192.168.1.1, as it was substituted by the Ubuntu PC. Once you have set correct routes,

in a connection initiated by the PC to the camera, the PC will see the camera IP address as 192.168.176.10.
in a connection initiated by the camera to the PC, the PC will still see the camera IP address as 192.168.1.1 (NAT'ed address)

For simple IP devices, the second is unlikely to matter. But that could lead to buggy behaviour. As an example, if you had a managed switch and you wanted to use SNMP traps. You should delete the iptables -t nat -A POSTROUTING -j MASQUERADE rule.

One issue that will arise: Do you want your IP cameras to access the internet? If not, I would include an iptables FORWARD route to deny packets from 192.168.176.0/24 going anywhere except 192.168.1.0/24. If you wish to grant access, you will need to configure your router with a static route to 192.168.176.0/24.

Best Answer

Related Solutions

Debian Networking – Fixing `RTNETLINK answers: File exists` Error

How to forward traffic across two Ethernet cards

Related Question