Linux Networking Primitives

Adding IPv4/IPv6 addresses to interfaces

ip addr add dev eth0
ip addr add 2001:db8::1/64 dev eth0
ip addr add dev eth0
ip addr add 2001:db8::1 dev eth0

The last two forms do not have a prefix length associated with the address, so it will simply just set the IP address specified as "local" and any other routes have to be added in manually, with ip route.

Setting up (static) routes

ip route add via dev eth0
ip route add via dev eth0
ip route add 2001:db8:100::/40 via fe80::2 dev eth0
ip route add ::/0 via fe80::1 dev eth0
ip route add via inet6 fe80::1 dev eth0

TODO: image showing router-to-router communication; two nodes can communicate with each other as long as each router in between including the nodes themselves have a route defined that encloses the other node's IP address, and which is directed correctly to the other node.

TODO: image showing differences between "access" and non-"access" subnets

Using iptables / firewall

Common use case: Simple stateful (connection tracking) firewall

Common use case: Internet connection sharing using the "nat" table

Less common use case: IPv6 many-to-smaller-many NAT

ip6tables -t nat -A POSTROUTING -s 2001:db8:1::/48 -o eth0 -j NETMAP --to 2001:db8:0:1:300::/72

See 300 IPv6 addresses.

Using bridges

Bridge devices allow you to connect multiple physical or logical devices together, as if by a layer 2 switch.

Use case: Preserve IP address even if USB NIC is removed

Network namespaces

Further information: Notes about namespaces#Network namespaces

Using macvlan/ipvlan/veth

VETH devices in layer 3 mode

veth devices are inherently layer 2, but they can be used in a layer-3 mode.

Use case: Multiple IP addresses on one machine, in a way that is transparent to the application

This is mostly useful if you want to run multiple instances of the same type of server on the same ports, but for whatever reason other programs (servers or non-servers) behave strangely if you have multiple IP addresses assigned to a particular network interface.

Use case: Managing the network subsystem without root access

This is mostly useful for self-contained networks that are only used within a single program or a set or bundle of programs.


IPv6 prefix delegation using isc-dhcp-client

You can write a custom script to do whatever you want once you receive an IPv6 prefix from your ISP or upstream DHCPv6 server. See safe-dhcp.

6in4 and WireGuard tunnels

Adding a list of allowed IPs to a client allows that client to receive packets destined for that prefix through the WireGuard tunnel, and allows the client to communicate back to the server using that prefix as a source IP address through that tunnel.

AllowedIPs is similar to the prefix delegation model shown to the right.

Use case: WireGuard with network namespaces

By putting the WireGuard interface in a different network namespace as the original namespace, the configuration for the WireGuard interface now becomes independent of the network configuration of the host. This is useful for some scenarios like avoiding IP conflicts, especially when using public WiFi.

Further information:

Policy-based routing

Policy-based routing allows alternative routing tables to be used based on packet criteria other than the destination IP address. For example, source IP address, firewall mark, or incoming interface.

It is generally true that for any given routing table, there is a local route for the device's own IP address, and routing table entries exist that cover all other IP addresses that are reachable using the routing table.

Use case: Multihomed network with provider-assigned IPv6 addresses

ARP and NDP proxying

ARP and NDP proxying allow you to claim a range of IP addresses to be routed to the system, on a network where that range is routed on-link. It is similar to the static route mesh, but the ranges must be within the link prefix. It can be used to create the equivalent of a static route mesh without requiring static route support on every device. However, claiming large ranges of IP addresses with ARP and NDP proxying can be inefficient, since ARP and NDP table entries have to be created for every single IP address within the range claimed; with applications that use many IPv6 addresses at once, such as IPv6 Things and Universal Relay, this can be very inefficient.

802.1Q VLANs

VLAN tagging allows you to multiplex multiple packet channels in a single interface. They can be divided into individual channels using a switch that supports VLANs. Linux also has a "vlan" device, which binds itself to an existing interface. If a VLAN tagged packet is received on the existing interface which matches the VLAN tag associated with the VLAN device, then that packet will be redirected to the VLAN device with the VLAN tag header removed. Conversely, packets sent out of the VLAN interface arrive on the existing interface with a VLAN tag added.

VLAN devices are regular Ethernet devices, so they can be attached to a bridge to make a VLAN-aware switch, so long as the existing device also supports adding itself to a bridge device.

Wi-Fi (802.11)