I need to bind one program to the wlan1 interface; all other programs by default should use wlan0.
For this reason I configured a dedicated network namespace:
ip netns add wlan1_ns
ip link add vwlan1a type veth peer name vwlan1b
ip link set vwlan1a netns wlan1_ns
ip addr add 10.200.1.1/24 dev vwlan1b
ip link set vwlan1b up
ip netns exec wlan1_ns ip addr add 10.200.1.2/24 dev vwlan1a
ip netns exec wlan1_ns ip link set vwlan1a up
ip netns exec wlan1_ns ip link set lo up
ip netns exec wlan1_ns ip route add default via 10.200.1.1
iptables -t nat -A POSTROUTING -s 10.200.1.0/255.255.255.0 -o wlan1 -j MASQUERADE
iptables -A FORWARD -i wlan1 -o vwlan1b -j ACCEPT
iptables -A FORWARD -o wlan1 -i vwlan1b -j ACCEPT
After doing this I expect that domain name resolution will work in my new namespace, but apparently it does not. Why?
$ sudo ip netns exec wlan1_ns ping -v google.com
ping: socket: Permission denied, attempting raw socket...
ping: socket: Permission denied, attempting raw socket...
ping: google.com: Temporary failure in name resolution
... while in the root namespace host resolving works fine (wlan1 is not connected to the Internet, hence the packet loss, but do not bother about that):
# ping google.com
PING google.com (216.58.212.238) 56(84) bytes of data.
^C
--- google.com ping statistics ---
122 packets transmitted, 0 received, 100% packet loss, time 125718ms
When I use ping/curl with an IP instead of a domain name, the requests go out correctly. I have run out of ideas why resolving does not work. I am doing this on a Raspberry Pi 3, Raspbian, kernel 4.9. Please find below what I have already investigated.
nsswitch.conf file:
$ cat /etc/nsswitch.conf | grep host
hosts: files mdns4_minimal [NOTFOUND=return] dns
resolvconf response for the root namespace:
$ resolvconf -l
# resolv.conf from lo.dnsmasq
nameserver 127.0.0.1
# resolv.conf from wlan1
# resolv.conf for wlan1
domain coova.org
nameserver <<ANONYMIZED DNS IP>>
nameserver <<ANONYMIZED DNS IP>>
resolvconf in my namespace:
$ ip netns exec wlan1_ns resolvconf -l
# resolv.conf from lo.dnsmasq
nameserver 127.0.0.1
# resolv.conf from wlan1
# resolv.conf for wlan1
domain coova.org
nameserver <<ANONYMIZED DNS IP>>
nameserver <<ANONYMIZED DNS IP>>
iptables in the root namespace:
$ sudo iptables -v --list
Chain INPUT (policy ACCEPT 641 packets, 63289 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 171 packets, 90385 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- wlan1 vwlan1b anywhere anywhere
32 1816 ACCEPT all -- vwlan1b wlan1 anywhere anywhere
Chain OUTPUT (policy ACCEPT 802 packets, 91050 bytes)
pkts bytes target prot opt in out source destination
iptables in my namespace:
$ sudo ip netns exec wlan1_ns iptables -v --list
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
EDIT - tried the solution suggested in the answer below, without result
Configured resolvconf to point at the reachable dnsmasq IP:
pi@raspberrypi:~ $ sudo sh -c "echo nameserver 172.24.1.1 | resolvconf -a lo.dnsmasq"
Too few arguments.
Too few arguments.
pi@raspberrypi:~ $ resolvconf -l
# resolv.conf from lo.dnsmasq
nameserver 172.24.1.1
# resolv.conf from wlan1
# resolv.conf for wlan1
domain coova.org
nameserver <<ANONYMIZED _IP>>
nameserver <<ANONYMIZED _IP>>
To prove the IP is reachable: dig correctly resolves the domain name:
pi@raspberrypi:~ $ sudo sh -c "ip netns exec wlan1_ns dig +short @172.24.1.1 google.com"
172.217.17.142
... while ping still has problems:
pi@raspberrypi:~ $ sudo sh -c "ip netns exec wlan1_ns ping -v google.com"
ping: socket: Permission denied, attempting raw socket...
ping: socket: Permission denied, attempting raw socket...
ping: google.com: Temporary failure in name resolution
Thank you @dzida for adding the bounty. The only answer given so far did not solve the issue, even though the suggestion was good - so big thanks for the effort. The bounty is still waiting. – Paweł Gutowski – 2017-09-26T09:22:43.993
The problem with network namespaces is that the C library DNS resolution can't really distinguish between them. If you read man ip-netns, it tells you that there are namespace-specific resolver configurations, but not all applications work with them. So depending on what applications you need to run, you may need an additional mount namespace to have two /etc/resolv.conf files, one for each namespace, which you can configure properly. And of course DNS resolution from the wlan1 namespace must go to a dnsmasq running in wlan0 accessible in wlan1. – dirkt – 2019-05-19T06:53:23.830