Linux Networking Primitives
Adding IPv4/IPv6 addresses to interfaces
ip addr add 192.0.2.1/24 dev eth0
ip addr add 2001:db8::1/64 dev eth0
ip addr add 192.0.2.1 dev eth0
ip addr add 2001:db8::1 dev eth0
The last two forms have no prefix length associated with the address, so the kernel simply sets the specified IP address as a "local" (host) address; any other routes have to be added manually, with
Setting up (static) routes
ip route add 192.168.2.0/24 via 192.168.1.2 dev eth0
ip route add 0.0.0.0/0 via 192.168.1.1 dev eth0
ip route add 2001:db8:100::/40 via fe80::2 dev eth0
ip route add ::/0 via fe80::1 dev eth0
ip route add 0.0.0.0/0 via inet6 fe80::1 dev eth0
TODO: image showing router-to-router communication; two nodes can communicate with each other as long as each router in between, including the nodes themselves, has a route defined that encloses the other node's IP address and is directed correctly towards the other node.
TODO: image showing differences between "access" and non-"access" subnets
Using iptables / firewall
Common use case: Simple stateful (connection tracking) firewall
Common use case: Internet connection sharing using the "nat" table
Less common use case: IPv6 many-to-smaller-many NAT
ip6tables -t nat -A POSTROUTING -s 2001:db8:1::/48 -o eth0 -j NETMAP --to 2001:db8:0:1:300::/72
See 300 IPv6 addresses.
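To see why the /48-into-/72 NETMAP rule above is "many-to-smaller-many", here is an added model of its address rewriting (example code, not part of the original page; the sample addresses are constructed). It applies NETMAP's prefix replacement to the rule's -s range and groups internal sources that leave with the same translated address, which is what a defender reading logs on the far side would see.

```python
# Added example (not from the original page): a model of what the ip6tables
# NETMAP rule above does to source addresses. Standard library only.
import ipaddress
from collections import defaultdict

# The rule from the page: -s 2001:db8:1::/48 ... -j NETMAP --to 2001:db8:0:1:300::/72
MATCH = ipaddress.IPv6Network("2001:db8:1::/48")
TO = ipaddress.IPv6Network("2001:db8:0:1:300::/72")


def netmap(addr, to=TO):
    """NETMAP semantics: replace the top `to.prefixlen` bits of `addr`
    with the bits of `to`; keep the remaining low bits unchanged."""
    a = ipaddress.IPv6Address(addr)
    mapped = (int(a) & int(to.hostmask)) | int(to.network_address)
    return ipaddress.IPv6Address(mapped)


def postrouting(src, match=MATCH, to=TO):
    """Source address after the POSTROUTING rule: translated only when the
    packet's source is inside the -s range, otherwise left alone."""
    a = ipaddress.IPv6Address(src)
    return netmap(a, to) if a in match else a


def collisions(sources, match=MATCH, to=TO):
    """Group original sources by translated address. Mapping a /48 into a
    /72 discards bits 48..71 of the original, so distinct internal hosts can
    leave with the same translated source; far-side logs cannot tell them apart."""
    seen = defaultdict(list)
    for s in sources:
        seen[postrouting(s, match, to)].append(ipaddress.IPv6Address(s))
    return {t: srcs for t, srcs in seen.items() if len(srcs) > 1}


if __name__ == "__main__":
    # Constructed sample addresses: three collide, one keeps its low bits,
    # one is outside the -s range and passes untouched.
    sample = ["2001:db8:1::1", "2001:db8:1:aaaa::1", "2001:db8:1:0:ff00::1",
              "2001:db8:1:0:7f::1", "2001:db8:2::1"]
    for s in sample:
        print(f"{s:>24} -> {postrouting(s)}")
    for t, srcs in collisions(sample).items():
        print(f"collision on {t}: {', '.join(map(str, srcs))}")
```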
Bridge devices allow you to connect multiple physical or logical devices together, as if by a layer 2 switch.
Use case: Preserve IP address even if USB NIC is removed
- Further information: Notes about namespaces#Network namespaces
VETH devices in layer 3 mode
veth devices are inherently layer 2, but they can be used in a layer-3 mode.
Use case: Multiple IP addresses on one machine, in a way that is transparent to the application
This is mostly useful if you want to run multiple instances of the same type of server on the same ports, but other programs (servers or not) behave strangely when a single network interface has multiple IP addresses assigned to it.
Use case: Managing the network subsystem without root access
This is mostly useful for self-contained networks that are only used within a single program or a set or bundle of programs.
IPv6 prefix delegation using isc-dhcp-client
You can write a custom script to do whatever you want once you receive an IPv6 prefix from your ISP or upstream DHCPv6 server. See safe-dhcp.
6in4 and WireGuard tunnels
AllowedIPs is similar to the prefix delegation model shown to the right.
Use case: WireGuard with network namespaces
By putting the WireGuard interface in a different network namespace from the host's original namespace, the configuration of the WireGuard interface becomes independent of the host's network configuration. This is useful in scenarios such as avoiding IP address conflicts, especially when using public WiFi.
- Further information: https://www.wireguard.com/netns
Policy-based routing allows alternative routing tables to be selected based on packet criteria other than the destination IP address, such as the source IP address, the firewall mark, or the incoming interface.
It is generally true that for any given routing table, there is a local route for the device's own IP address, and routing table entries exist that cover all other IP addresses that are reachable using the routing table.
Use case: Multihomed network with provider-assigned IPv6 addresses
ARP and NDP proxying
ARP and NDP proxying allow you to claim a range of IP addresses to be routed to the system, on a network where that range is routed on-link. It is similar to the static route mesh, but the ranges must be within the link prefix. It can be used to create the equivalent of a static route mesh without requiring static route support on every device. However, claiming large ranges of IP addresses with ARP and NDP proxying can be inefficient, since a neighbour table entry has to be created for every single IP address within the claimed range; with applications that use many IPv6 addresses at once, such as IPv6 Things and Universal Relay, this becomes very expensive.
VLAN tagging allows you to multiplex multiple packet channels in a single interface. They can be divided into individual channels using a switch that supports VLANs. Linux also has a "vlan" device, which binds itself to an existing interface. If a VLAN tagged packet is received on the existing interface which matches the VLAN tag associated with the VLAN device, then that packet will be redirected to the VLAN device with the VLAN tag header removed. Conversely, packets sent out of the VLAN interface arrive on the existing interface with a VLAN tag added.
VLAN devices are regular Ethernet devices, so they can be attached to a bridge to make a VLAN-aware switch, so long as the existing device also supports adding itself to a bridge device.