Tech Study Guide
Network Namespaces and Virtual Networking
Linux network namespaces, veth pairs, bridges, macvlan, ipvlan, tun/tap, VXLAN, overlays, and CNI-style packet paths.
Network Namespaces and Virtual Networking
Linux can give processes separate network stacks with network namespaces. Each namespace has its own interfaces, routes, addresses, neighbor table, firewall rules, sockets, and /proc/net view. Containers, Kubernetes pods, test labs, and service meshes all build on this idea.
Virtual networking connects those isolated stacks with veth pairs, bridges, routing, NAT, overlays, and policy.
Command Examples
ip netns list
lsns -t net
readlink /proc/<pid>/ns/net
nsenter --target <pid> --net -- ip addr
nsenter --target <pid> --net -- ip route
Example output and meaning:
| Command | Example output | What it does |
|---|---|---|
ip netns list |
Concrete IDs, states, counters, versions, rows, or error strings. |
Turns the example from a command list into evidence for the next debugging step. |
lsns -t net |
Concrete IDs, states, counters, versions, rows, or error strings. |
Turns the example from a command list into evidence for the next debugging step. |
readlink /proc/<pid>/ns/net |
mnt:[4026532738] or net:[4026532741]. |
Identifies whether two processes share the same namespace. |
Always confirm which namespace owns the socket or interface before debugging routes or captures.
Core Building Blocks
| Building Block | Role |
|---|---|
| Network namespace | Isolated network stack. |
| veth pair | Two connected virtual Ethernet devices; packets entering one exit the other. |
| Linux bridge | L2 switch inside the kernel. |
| macvlan | Gives virtual interfaces distinct MAC addresses on a parent link. |
| ipvlan | Gives virtual interfaces distinct IP identities with different L2 behavior than macvlan. |
| tun/tap | User-space virtual network device for routed or Ethernet-style packets. |
| VXLAN | Encapsulates L2 frames over UDP for overlay networks. |
| nftables/iptables | Firewall, NAT, and policy hooks. |
These are composable. A container may have eth0 in its namespace, backed by a veth peer on the host, attached to a bridge, then NATed out of the node.
Minimal Namespace Lab
Create two namespaces connected through veth:
sudo ip netns add left
sudo ip netns add right
sudo ip link add veth-left type veth peer name veth-right
sudo ip link set veth-left netns left
sudo ip link set veth-right netns right
sudo ip -n left addr add 10.10.0.1/24 dev veth-left
sudo ip -n right addr add 10.10.0.2/24 dev veth-right
sudo ip -n left link set veth-left up
sudo ip -n right link set veth-right up
sudo ip -n left ping -c 3 10.10.0.2
Delete when done:
sudo ip netns del left
sudo ip netns del right
This lab teaches the core container pattern without Docker or Kubernetes.
Bridges and NAT
A common host-container shape:
container netns eth0
-> veth peer on host
-> Linux bridge
-> host route / NAT
-> physical NIC
Useful checks:
ip link show type bridge
bridge link
bridge fdb show
nft list ruleset
conntrack -L 2>/dev/null | head
If the bridge learns no MAC address, L2 is broken. If bridge forwarding works but external traffic fails, check routing, NAT, firewall policy, and return path.
macvlan, ipvlan, and Host Reachability
macvlan and ipvlan attach virtual interfaces directly to a parent interface model. They are useful when workloads need first-class addresses on the physical network, but host-to-child reachability can surprise people.
| Mode | Common Use | Caveat |
|---|---|---|
| macvlan bridge | Containers appear as separate MACs on the LAN. | Parent network must allow multiple MACs; host reachability needs design. |
| ipvlan L2 | Multiple IPs share parent L2 behavior. | Less MAC churn, but still depends on upstream policy. |
| ipvlan L3 | Host routes to child networks. | Requires explicit routing. |
Cloud networks and hypervisors often restrict unknown MACs, making macvlan a poor fit.
VXLAN and Overlays
VXLAN wraps L2 frames in UDP, commonly port 4789, so workloads can share an overlay network across routed underlays.
Key troubleshooting points:
- Underlay IP routing must work first.
- Effective MTU is smaller because encapsulation adds headers.
- Firewalls must allow overlay UDP traffic.
- Control plane must distribute endpoint and VNI information.
- Packet captures may need both overlay and underlay vantage points.
CNI-Style Packet Paths
Kubernetes CNI plugins combine these primitives differently:
| CNI Shape | Packet Path |
|---|---|
| Bridge/NAT | Pod veth to bridge, node NAT for egress. |
| Routed | Pod veth with node routes to pod CIDRs. |
| Overlay | Pod traffic encapsulated across nodes. |
| eBPF datapath | BPF programs replace or shortcut parts of bridge, kube-proxy, or netfilter behavior. |
The first debugging step is identifying the plugin and datapath mode. Do not assume every cluster uses a Linux bridge.
Runbook
- Find the process PID and network namespace.
- Run
ip addr,ip route, andssinside that namespace. - Map namespace interfaces to host veth peers with
ip link. - Check bridge membership, FDB entries, routes, NAT, and firewall counters.
- Capture inside the namespace and on the host peer when possible.
- For overlays, check underlay reachability, UDP encapsulation, and MTU.
- For Kubernetes, identify the CNI plugin before applying generic fixes.
Study Cards
What does a network namespace isolate?
Interfaces, addresses, routes, neighbor tables, sockets, firewall rules, and /proc/net views.
What is a veth pair?
Two connected virtual Ethernet devices where packets entering one side exit the other.
Why can VXLAN create MTU problems?
Encapsulation adds headers, reducing the effective payload size available to workload packets.
Why identify the CNI plugin before debugging pod networking?
Different CNIs use bridge, routing, overlay, or eBPF datapaths with different failure points.