I am looking at a shell script that creates a namespace (NSNAME) and a veth pair (veth-in-root, veth0). After it brings up the veths and sets the IP addresses for them, there is this line:

ip -n "$NSNAME" route add fc00:dead:cafe::/48 via "$OUTSIDE_IP6" dev veth0

Where

OUTSIDE_IP6=fc00:dead:cafe:1::1
INSIDE_IP6=fc00:dead:cafe:1::2
ip addr add dev veth-in-root "${OUTSIDE_IP6}/64"
ip -n "$NSNAME" addr add dev veth0 "${INSIDE_IP6}/64"

I'm not exactly sure of the purpose of that line. Is it adding an IP route entry where IP packets originating from inside the namespace with destination addresses in the fc00:dead:cafe::/48 network should be sent to an "external" gateway (fc00:dead:cafe:1::1)? And we can get to that gateway via the dev veth0?

There is a comment in that line saying that it's for "making it easier to communicate between namespaces". I'm not sure I get the intention. What are some use cases where it would be useful or needed to have an entry like this?

Thanks in advance.

1 Answer

Is it adding an IP route entry where IP packets originating from inside the namespace with destination addresses in the fc00:dead:cafe::/48 network should be sent to an "external" gateway (fc00:dead:cafe:1::1)? And we can get to that gateway via the dev veth0?

Yes, except this "external" gateway is your own host computer (i.e. the initial network namespace).

There's nothing veth-specific in your configuration, nor even IPv6-specific, so ignore namespaces and ignore the terms 'outside' and 'inside' but imagine it as two actual computers connected via Ethernet.

Every veth link is like a direct host-to-host Ethernet connection – if it's not bridged to another Ethernet, then it acts as its own isolated Ethernet subnet (and gets its own /64), so naturally it needs some routes to the bigger network.

When you connect two hosts like that, the first thing to do (in your 2nd script) is to assign IP addresses to both "hosts" in that subnet. At this point, host B can talk to host A (being in the same subnet), but has no routes anywhere else at all. So the next thing (done in your 1st script) is to configure some routes to some destinations – such as the bigger network that you're part of.

In the simplest case, you could add a 'default' ::/0 route for Internet access. Here in your example, there's no Internet access, instead the namespace is given access only to the local /48 (which might be either your entire LAN, or just other namespaces on this same host).

There is a comment in that line saying that it's for "making it easier to communicate between namespaces". I'm not sure I get the intention. What are some use cases where it would be useful or needed to have an entry like this?

The comment most likely assumes that there will be more such namespaces on your host, i.e. more veth pairs, each of which will remain its own separate point-to-point connection and be assigned a unique /64 prefix.

If all those prefixes were assigned out of the same /48 (let's say the next namespace got fc00:dead:cafe:2::/64, then the next one got fc00:dead:cafe:3::/64, and so on), then adding a route for the /48 would allow every namespace to reach every other namespace, through the host acting as a router (and potentially a firewall).

Diagram of 4 imaginary hosts, 1 of which is the "router" and has individual connections to 3 other hosts

It may be easier to see the purpose if you imagine that the 1st command added a default route (that is, ::/0) instead of the /48 route, giving that namespace access to the entire IPv6 Internet.
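The layout the answer describes, as an added example that is not the question's script: N namespaces, each on its own veth pair with a /64 taken from fc00:dead:cafe::/48, each given the /48 route via the host, and the host forwarding between them. The interface names and the "namespace N gets prefix :N::" plan are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not the script from the question: wire up several namespaces,
# each on its own veth pair with a /64 carved out of fc00:dead:cafe::/48, and
# give each one the /48 route via the host so the host routes between them.
# Interface names and the "N-th namespace gets prefix :N::" plan are assumptions.
set -eu

PREFIX48="fc00:dead:cafe"

# Assumed addressing plan: namespace N uses fc00:dead:cafe:N::/64,
# host end ::1 (the gateway in the route), namespace end ::2.
host_ip6() { printf '%s:%s::1' "$PREFIX48" "$1"; }
ns_ip6()   { printf '%s:%s::2' "$PREFIX48" "$1"; }

# Print the commands that create namespace N; nothing is executed here, so the
# plan can be reviewed (or tested) without root and then piped into sh.
ns_commands() {
    n="$1"; ns="ns$n"; hv="veth-root$n"; nv="veth0"
    cat <<EOF
ip netns add $ns
ip link add $hv type veth peer name $nv netns $ns
ip link set $hv up
ip -n $ns link set lo up
ip -n $ns link set $nv up
ip addr add dev $hv $(host_ip6 "$n")/64
ip -n $ns addr add dev $nv $(ns_ip6 "$n")/64
ip -n $ns route add ${PREFIX48}::/48 via $(host_ip6 "$n") dev $nv
EOF
}

# The host needs this once: it is the router for the /48, and it already has a
# connected route to every /64 from its own veth addresses. Forwarding lets every
# namespace reach every other, so pair it with ip6tables/nft FORWARD rules that
# permit only the intended flows.
host_commands() { echo "sysctl -w net.ipv6.conf.all.forwarding=1"; }

# Usage: sh this.sh apply 3  -> create ns1..ns3 (needs root); sh this.sh 3 -> print plan
# Verify afterwards with: ip netns exec ns1 ping -6 -c 1 "$(ns_ip6 2)"
if [ "${1:-}" = "apply" ]; then
    count="${2:-2}"; run="sh -e"
else
    count="${1:-2}"; run="cat"
fi
host_commands | $run
i=1
while [ "$i" -le "$count" ]; do ns_commands "$i" | $run; i=$((i + 1)); done
```

Once ns1 and ns2 exist, a ping from fc00:dead:cafe:1::2 to fc00:dead:cafe:2::2 leaves ns1 via its /48 route, reaches the host at fc00:dead:cafe:1::1, and is forwarded down the connected /64 route to ns2.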
