Re: tc question about ingress bandwidth splitting

Linux Advanced Routing and Traffic Control


On 4/6/20 3:13 AM, Marco Gaiarin wrote:
> Local? Remote? Really, I don't understand...

Say that there are two physical hosts on the network; A and B.

A is the machine that will use a vEth pair to connect a network namespace (container).

Create the network namespace on A.

   A# ip netns add Ans1

Create the vEth pair on A.

   A# ip link add ns1 type veth peer name hostA

Move one end of the vEth pair into the Ans1 network namespace.

   A# ip link set hostA netns Ans1

Bring the vEth pair interfaces up.

   A# ip link set ns1 up
   A# ip netns exec Ans1 ip link set hostA up

Assign IP addresses to the vEth pair.

   A# ip addr add 192.0.2.1/24 dev ns1
   A# ip netns exec Ans1 ip addr add 192.0.2.2/24 dev hostA

Add a default gateway in Ans1.

   A# ip netns exec Ans1 ip route add default via 192.0.2.1

Add a route to B telling it how to get to the subnet on A's vEth pair.

   B# ip route add 192.0.2.0/24 via $AsIPaddress

> Because veth interfaces come 'in pair', if I can link my WAN interfaces to a veth pair, I can shape on egress on both interfaces, considering that egress of one interface is ingress for the other (e.g., a pipe).

I have not needed to do the following yet, but this is how I would do it.

I would move the Internet interface into its own network namespace, create a vEth pair between said network namespace and the main / default / unnamed network namespace.

The new network namespace would have its default out the Internet connection, and have a route to the main / default / unnamed network namespace and associated networks behind it (home LAN).

The new network namespace can apply all tc rules to its end of the vEth pair for traffic that is sent to the main / default / unnamed network namespace.

The main / default / unnamed network namespace can apply all tc rules to its end of the vEth pair for traffic that is going to the Internet.

This:

   |
+--+--+
| WAN |  DHCP
|     |           All one (main / default / unnamed) network namespace.
| LAN |  Static
+--+--+
   |

Would be turned into this:

   |
+--+--+
| WAN |  DHCP
|     |           New network namespace.
| vE0 |  Static
+--+--+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| vE1 |  Static
|     |           Original (main / default / unnamed) network namespace.
| LAN |  Static
+--+--+
   |

Apply tc rules to vE0 for traffic going down. Apply tc rules to vE1 for traffic going up.

> It is possible?

Just about anything is possible. It's a question of how difficult is it and is it reasonable to do so.

Aside: I think that you could have the vEth pair be unnumbered and use interface routes.



--
Grant. . . .
unix || die
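
The WAN-in-its-own-namespace layout from this message, written out as commands. This is an added example, not part of the original post and not something its author ran. The namespace name `wan`, the 198.51.100.0/30 addresses on the vEth pair, the `tbf` shaper and the `DRY_RUN` switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: WAN interface in its own namespace, shaped on both veth ends.
# Assumptions (not from the post): namespace "wan", 198.51.100.0/30 on the
# veth pair, a tbf qdisc as the shaper. DRY_RUN=1 (default) only prints.
NS=wan
DRY_RUN=${DRY_RUN:-1}

run()   { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }
in_ns() { run ip netns exec "$NS" "$@"; }

# wan_split WAN_IF LAN_NET DOWN_RATE UP_RATE
wan_split() {
    if [ "$#" -ne 4 ]; then
        echo "usage: wan_split WAN_IF LAN_NET DOWN_RATE UP_RATE" >&2
        return 2
    fi
    wan_if=$1 lan_net=$2 down=$3 up=$4

    run ip netns add "$NS"
    run ip link add vE1 type veth peer name vE0
    run ip link set vE0 netns "$NS"
    # Moving the WAN interface drops its addresses: the DHCP client and any
    # firewall/NAT rules that match it must now run inside the new namespace.
    run ip link set "$wan_if" netns "$NS"

    run ip addr add 198.51.100.2/30 dev vE1
    run ip link set vE1 up
    in_ns ip addr add 198.51.100.1/30 dev vE0
    in_ns ip link set vE0 up
    in_ns ip link set "$wan_if" up
    in_ns sysctl -w net.ipv4.ip_forward=1

    # New namespace reaches the LAN through vE1; main namespace defaults to vE0.
    in_ns ip route add "$lan_net" via 198.51.100.2
    run ip route replace default via 198.51.100.1

    # Download direction: egress of vE0 is what the main namespace receives.
    in_ns tc qdisc replace dev vE0 root tbf rate "$down" burst 32kb latency 50ms
    # Upload direction: egress of vE1 is what heads out to the Internet.
    run tc qdisc replace dev vE1 root tbf rate "$up" burst 32kb latency 50ms
}

if [ "$#" -gt 0 ]; then wan_split "$@"; fi
```

Run with no changes it prints the plan; `DRY_RUN=0` as root applies it. A class hierarchy for splitting the bandwidth would replace the single `tbf` on each end.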
