slirp4netns — How does it work

slirp4netns provides user-mode networking (“slirp”) for unprivileged network namespaces. This is heavily used in rootless-containers.

Let us examine how it actually works. You can do this without reading the code (which you really should) using a few simple Linux tools. What you find along the way will expose you to some really nice Linux features you may not be aware of.

strace the slirp4netns process to see what happens

It creates a socketpair and then clones into the child, which enters the container's network namespace

The socketpair fd is still open in the child process, and a Unix socket keeps working across the network namespace boundary

Wait for the child to communicate back on the socketpair

Child

Creates the tap interface

The tap fd in the child is 5

Uses out-of-band (ancillary) data on the socketpair, via sendmsg(2) with SCM_RIGHTS, to send the tap fd 5 back to the parent process running on the host

https://linux.die.net/man/2/sendmsg

Parent

Picks up the fd 5 with recvmsg(2). The parent then reads from this fd to get packets from the container (and writes to it to deliver packets back).

That is how network traffic makes it across the network namespace boundary even though a tap interface itself cannot be moved out of the namespace it was created in: the interface stays inside, and only the file descriptor crosses over.
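The mechanism above, reduced to its essentials, as an added example (this is not slirp4netns's own code): the parent creates a socketpair and forks; the child makes a best-effort unshare() into a new user and network namespace, then hands a file descriptor back over the socketpair using SCM_RIGHTS ancillary data, and the parent reads traffic from that descriptor. Because opening /dev/net/tun needs CAP_NET_ADMIN and a tun device node that may not exist where this runs, a pipe stands in for the tap device, and the bytes written into it are a constructed stand-in for a packet; send_fd(), recv_fd() and run_fd_passing_demo() are names chosen for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Send one open file descriptor over a Unix socket as SCM_RIGHTS ancillary data.
 * One byte of ordinary data rides along because sendmsg() refuses an empty iovec. */
static int send_fd(int sock, int fd) {
    char byte = 'F';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = SCM_RIGHTS;      /* "the payload is a file descriptor" */
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one file descriptor sent with send_fd(); returns the new fd or -1.
 * The kernel installs a fresh descriptor in the receiver, so the number may differ. */
static int recv_fd(int sock) {
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    memset(&u, 0, sizeof u);
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    /* Validate the control message before trusting it as a descriptor. */
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS ||
        c->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    int fd;
    memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* Parent/child exchange modelled on slirp4netns: the child creates the "device"
 * in its own namespace and passes the fd out; the parent reads packets from it.
 * Copies what was read into out (NUL-terminated) and returns the byte count, or -1. */
static ssize_t run_fd_passing_demo(char *out, size_t outlen) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();                       /* slirp4netns uses clone(); fork() is clone() underneath */
    if (pid < 0) return -1;
    if (pid == 0) {
        close(sv[0]);
        /* Best effort: move into a new user+network namespace like the slirp4netns
         * child. Failure (EPERM in sandboxes) is ignored; fd passing works either way. */
        (void)unshare(CLONE_NEWUSER | CLONE_NEWNET);
        int p[2];                             /* pipe stands in for the tap fd (assumption) */
        if (pipe(p) < 0) _exit(1);
        if (send_fd(sv[1], p[0]) < 0) _exit(1);
        close(p[0]);
        const char pkt[] = "constructed-packet";   /* constructed stand-in for a frame */
        if (write(p[1], pkt, sizeof pkt - 1) != (ssize_t)(sizeof pkt - 1)) _exit(1);
        close(p[1]);
        close(sv[1]);
        _exit(0);
    }
    close(sv[1]);
    int fd = recv_fd(sv[0]);                  /* the "fd 5" step, seen from the host side */
    close(sv[0]);
    if (fd < 0) { waitpid(pid, NULL, 0); return -1; }
    size_t total = 0;
    while (total < outlen - 1) {
        ssize_t n = read(fd, out + total, outlen - 1 - total);
        if (n < 0) { if (errno == EINTR) continue; break; }
        if (n == 0) break;                    /* child closed its end: EOF */
        total += (size_t)n;
    }
    out[total] = '\0';
    close(fd);
    waitpid(pid, NULL, 0);
    return (ssize_t)total;
}

int main(void) {
    char buf[64];
    ssize_t n = run_fd_passing_demo(buf, sizeof buf);
    if (n < 0) { perror("demo"); return 1; }
    printf("parent read %zd bytes through the passed fd: %s\n", n, buf);
    return 0;
}
```

Running it under strace -f shows the same shape the article describes: socketpair(), clone(), then a sendmsg() carrying SCM_RIGHTS in the child and a matching recvmsg() in the parent. The only privileged difference in the real tool is that the child opens /dev/net/tun and issues TUNSETIFF before passing the descriptor out.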


https://github.com/mcastelino https://gist.github.com/mcastelino
