Unix & Linux
linux networking network-namespaces
Updated Sat, 23 Jul 2022 13:27:49 GMT

Sharing the loopback interface across network namespaces


I'm interested in using a separate namespace for running a VPN client, so that every process I run in that namespace accesses the Internet through the VPN. That part I've managed to accomplish.

However, some programs communicate through the loopback interface (e.g. a daemon I want to talk to the Internet using the VPN and a separate administration interface I want to access through the public IP of my machine) and they cannot see each other.

Is there any way to configure a network namespace to use the same loopback as the global namespace?




Solution

No, there is not a way to do that. That would break the very concept behind separation of network namespaces. There is one and only one way to "escape" that separation, and it's veth interfaces.

In a little bit more detail, it wouldn't just be a matter of somehow "sharing" a loopback interface between network namespaces. Each network namespace is logically another copy of the network stack, with its own routes, firewall rules, and network devices. In the context of this "sharing", which routing table and firewall rules would apply? You can even have multiple different processes both bound and listening to the same TCP/IP address and port number in different network namespaces, and which one would then pick up the incoming packets? It fundamentally does not work.