Network namespaces do not work anymore

Hello,

I just switched from Leap 15.1 to Tumbleweed. Until now I used the following procedure to create a VPN tunnel for a single application:

ip netns add dvpn

ip netns exec dvpn ip addr add 127.0.0.1/8 dev lo
ip netns exec dvpn ip link set lo up

ip link add vpn0 type veth peer name vpn1
ip link set vpn0 up
ip link set vpn1 netns dvpn up
ip addr add 10.200.200.1/24 dev vpn0
ip netns exec dvpn ip addr add 10.200.200.2/24 dev vpn1
ip netns exec dvpn ip route add default via 10.200.200.1 dev vpn1

iptables -A INPUT \! -i vpn0 -s 10.200.200.0/24 -j DROP
iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o e+ -j MASQUERADE
sysctl -q net.ipv4.ip_forward=1

mkdir -p /etc/netns/dvpn
echo 'nameserver 8.8.8.8' > /etc/netns/dvpn/resolv.conf

ip netns exec dvpn openvpn --config test.conf

This worked fine in Leap 15.1. I tried it now in Leap 15.2 and under Tumbleweed and I get a “No route to host” error message. A ping, however, works fine:

ip netns exec dvpn ping -c 3 www.google.com
PING www.google.com (172.217.12.4) 56(84) bytes of data.
64 bytes from den02s02-in-f4.1e100.net (172.217.12.4): icmp_seq=1 ttl=111 time=262 ms
64 bytes from den02s02-in-f4.1e100.net (172.217.12.4): icmp_seq=2 ttl=111 time=261 ms
64 bytes from den02s02-in-f4.1e100.net (172.217.12.4): icmp_seq=3 ttl=111 time=262 ms

--- www.google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 261.769/262.076/262.371/0.484 ms

Does anyone know what has changed so that the routing within the namespace is not working anymore?
Any help is appreciated.

Thank you,

Erie
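The procedure above, as an added example (my script, not Erie's own commands): the same steps wrapped as up / rules / check / run / down, where "check" refuses to start anything inside the namespace unless the MASQUERADE and anti-spoof rules are actually installed, so a flushed host table fails loudly instead of producing timeouts. The namespace name, addresses, interface names and the e+ uplink pattern are from the post; the script name vpn-ns.sh, the subcommands and the rule_listed helper are my assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script. Needs root for everything except the
# pure helper rule_listed. Usage: vpn-ns.sh up | rules | check | down | run <cmd...>
NS=dvpn
HOST_IF=vpn0
NS_IF=vpn1
SUBNET=10.200.200.0/24
HOST_IP=10.200.200.1
NS_IP=10.200.200.2
UPLINK='e+'
# Written in the order iptables-save prints them (-s before the interface
# match), so one string serves -A, -C, -D and matching "iptables -S" output.
NAT_RULE="POSTROUTING -s $SUBNET -o $UPLINK -j MASQUERADE"
DROP_RULE="INPUT -s $SUBNET ! -i $HOST_IF -j DROP"

# Pure helper: succeed if the "iptables -S" listing on stdin contains exactly
# the rule given as $1 (chain plus arguments).
rule_listed() {
  grep -qxF -- "-A $1"
}

# Host-side rules, idempotent: -C tests first, so "rules" can be re-run after
# something (firewalld, for instance) flushed the tables.
rules() {
  iptables -C $DROP_RULE 2>/dev/null || iptables -A $DROP_RULE
  iptables -t nat -C $NAT_RULE 2>/dev/null || iptables -t nat -A $NAT_RULE
  sysctl -q net.ipv4.ip_forward=1
}

# Fail-closed health check. Without the nat rule, packets leave with the
# 10.200.200.2 source and replies never come back (timeouts); without the
# INPUT rule, traffic claiming to come from the namespace subnet would be
# accepted on any interface, not only vpn0.
check() {
  ip netns list | grep -qw "$NS" || { echo "namespace $NS does not exist" >&2; return 1; }
  iptables -t nat -S | rule_listed "$NAT_RULE" || { echo "MASQUERADE rule for $SUBNET missing" >&2; return 1; }
  iptables -S | rule_listed "$DROP_RULE" || { echo "anti-spoof INPUT rule missing" >&2; return 1; }
  [ "$(sysctl -n net.ipv4.ip_forward)" = 1 ] || { echo "net.ipv4.ip_forward is 0" >&2; return 1; }
}

up() {
  ip netns add "$NS"
  ip netns exec "$NS" ip addr add 127.0.0.1/8 dev lo
  ip netns exec "$NS" ip link set lo up
  ip link add "$HOST_IF" type veth peer name "$NS_IF"
  ip link set "$HOST_IF" up
  ip link set "$NS_IF" netns "$NS" up
  ip addr add "$HOST_IP/24" dev "$HOST_IF"
  ip netns exec "$NS" ip addr add "$NS_IP/24" dev "$NS_IF"
  ip netns exec "$NS" ip route add default via "$HOST_IP" dev "$NS_IF"
  mkdir -p "/etc/netns/$NS"
  echo 'nameserver 8.8.8.8' > "/etc/netns/$NS/resolv.conf"
  rules
  check
}

down() {
  ip netns delete "$NS" 2>/dev/null || :   # takes vpn1, and so the veth pair, with it
  iptables -D $DROP_RULE 2>/dev/null || :
  iptables -t nat -D $NAT_RULE 2>/dev/null || :
  rm -rf "/etc/netns/$NS"
}

case "${1:-}" in
  up)    up ;;
  rules) rules ;;
  check) check && echo "namespace $NS is ready" ;;
  down)  down ;;
  run)   shift; check && exec ip netns exec "$NS" "$@" ;;   # e.g. run openvpn --config test.conf
esac
```

"vpn-ns.sh run openvpn --config test.conf" only starts the application when the host rules are in place; if "check" fails after a firewall restart, "vpn-ns.sh rules" re-adds them without tearing the namespace down.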

Can you demonstrate using the exact command (and output) for the affected application?

Do dig or nslookup behave as expected?

ip netns exec dvpn dig google.com
ip netns exec dvpn nslookup google.com

Ok, it looks like it has to do with my firewall settings. If I first stop the firewall and then set up the namespace, the connection works:


kronecker:~ # systemctl stop firewalld.service 
kronecker:~ # ip netns add dvpn
kronecker:~ # ip netns exec dvpn ip addr add 127.0.0.1/8 dev lo
kronecker:~ # ip netns exec dvpn ip link set lo up
kronecker:~ # ip link add vpn0 type veth peer name vpn1
kronecker:~ # ip link set vpn0 up
kronecker:~ # ip link set vpn1 netns dvpn up
kronecker:~ # ip addr add 10.200.200.1/24 dev vpn0
kronecker:~ # ip netns exec dvpn ip addr add 10.200.200.2/24 dev vpn1
kronecker:~ # ip netns exec dvpn ip route add default via 10.200.200.1 dev vpn1
kronecker:~ # iptables -A INPUT \! -i vpn0 -s 10.200.200.0/24 -j DROP
kronecker:~ # iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o e+ -j MASQUERADE
kronecker:~ # sysctl -q net.ipv4.ip_forward=1
kronecker:~ # mkdir -p /etc/netns/dvpn
kronecker:~ # echo 'nameserver 8.8.8.8' > /etc/netns/dvpn/resolv.conf
kronecker:~ # ip netns exec dvpn ping www.google.com
PING www.google.com (172.217.6.132) 56(84) bytes of data.
64 bytes from dfw25s16-in-f4.1e100.net (172.217.6.132): icmp_seq=1 ttl=112 time=37.0 ms
64 bytes from dfw25s16-in-f4.1e100.net (172.217.6.132): icmp_seq=2 ttl=112 time=36.3 ms
64 bytes from dfw25s16-in-f4.1e100.net (172.217.6.132): icmp_seq=3 ttl=112 time=25.2 ms
^C
--- www.google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 25.202/32.847/37.038/5.414 ms
kronecker:~ # ip netns exec dvpn dig google.com

; <<>> DiG 9.16.5 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38020
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             247     IN      A       172.217.1.206

;; Query time: 16 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Sep 01 11:22:50 MDT 2020
;; MSG SIZE  rcvd: 55

However, when I start the firewall I get the “no route to host” error message:

kronecker:~ # systemctl start firewalld.service 

kronecker:~ # ip netns exec dvpn ssh kepler
ssh: connect to host kepler port 22: No route to host

The really strange thing is that when I stop the firewall again, the commands in the namespace time out instead of working:


kronecker:~ # systemctl stop firewalld.service 
kronecker:~ # ip netns exec dvpn dig google.com

; <<>> DiG 9.16.5 <<>> google.com
;; global options: +cmd
;; connection timed out; no servers could be reached

kronecker:~ # ip netns exec dvpn ssh kepler
ssh: connect to host kepler port 22: Connection timed out

Here are my firewall settings:

kronecker:~ # firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno2 wlo1
  sources: 
  services: dhcpv6-client ssh tlagent tlmaster tlwebaccess tlwebadm
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Starting firewalld most likely removes all your rules (including masquerading) added before; stopping firewalld is not going to add them back. Did you actually check what rules are present?

Add direct rules to firewalld instead.

You are right. When I start the firewall I lose all my masquerading rules. When I stop the firewall, remove the namespace with

ip netns delete dvpn

and set it up again, it works again.

But what firewall rules do I have to add to let the namespace traffic go through the firewall?
How can I see if the outgoing or the incoming traffic is blocked?

Ok, I got it to work when I added masquerading to the public zone.


Chain POST_public_allow (1 references)
target     prot opt source               destination         
MASQUERADE  all  --  anywhere             anywhere

THANK YOU for your comments and help! It is highly appreciated.
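Added example covering both suggestions in this thread (direct rules, and masquerading on the public zone), not a script from the thread: the host-side rules owned by firewalld, so that a firewalld restart keeps them instead of flushing them, plus a check to run before launching the application. It is meant to run as root after the namespace and veth steps from the first post. The zone, the subnet, vpn0 and the e+ uplink pattern are from the thread; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Usage: fw-ns-rules.sh install | check
ZONE=public
HOST_IF=vpn0
SUBNET=10.200.200.0/24
UPLINK='e+'

# Pure helper: succeed if "firewall-cmd --zone=... --list-all" output on stdin
# shows masquerade enabled for the zone.
zone_masquerade_on() {
  grep -qx '[[:space:]]*masquerade: yes'
}

# Permanent rules plus a reload, so they are active now and after restarts.
# Zone-level masquerade NATs everything forwarded out of the zone's interfaces
# (eno2 and wlo1 here); the commented direct nat rule is the narrower
# equivalent of the original iptables line (source 10.200.200.0/24 only).
# Use one or the other.
install_rules() {
  firewall-cmd --permanent --zone="$ZONE" --add-masquerade
  # firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 \
  #     -s "$SUBNET" -o "$UPLINK" -j MASQUERADE
  # Anti-spoof rule from the original setup: packets with a namespace-subnet
  # source are only acceptable on the veth, never on a real interface.
  firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 \
      -s "$SUBNET" ! -i "$HOST_IF" -j DROP
  firewall-cmd --reload
}

# Verify the running configuration before starting anything in the namespace.
check_rules() {
  firewall-cmd --zone="$ZONE" --list-all | zone_masquerade_on \
      || { echo "masquerade is off in zone $ZONE" >&2; return 1; }
  firewall-cmd --direct --query-rule ipv4 filter INPUT 0 \
      -s "$SUBNET" ! -i "$HOST_IF" -j DROP >/dev/null \
      || { echo "anti-spoof direct rule missing" >&2; return 1; }
}

case "${1:-}" in
  install) install_rules ;;
  check)   check_rules && echo "firewalld rules for $SUBNET are present" ;;
esac
```

Two things worth knowing when reading the errors in this thread: with firewalld running and no rule accepting the forwarded traffic from vpn0, firewalld rejects it with icmp-host-prohibited, which the program sees as "No route to host"; once the MASQUERADE rule has been flushed, packets leave with the 10.200.200.2 source and replies never return, which is the "Connection timed out" seen after stopping firewalld again. "firewall-cmd --zone=public --query-masquerade" is the one-line equivalent of the zone part of the check.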