netns: remove addresses from loopback device

2025-07-07 20:19:00 +00:00
parent 48bd6d304f
commit cf38651e8d
1 changed files with 11 additions and 1 deletions
--- a/modules/netns.nix
+++ b/modules/netns.nix
@@ -87,6 +87,10 @@ let
        "${ip} netns delete ${name}"
      ];
    };
+    # loopback is tricky:
+    # - we _don't_ want a 127.0.0.1 address, in order that we can forward DNS queries to the outer NS.
+    # - we _do_ want a `lo` device, as local communications within the netns will use it as source:
+    #   - e.g. `ip route get 10.0.1.6` will show `dev lo` even if `lo` is down.
    systemd.services."netns-${name}-lo" = {
      description = "bring loopback device online in '${name}' network namespace";
      wantedBy = [ "netns-${name}.target" ];
@@ -96,7 +100,13 @@ let
      serviceConfig.Type = "oneshot";
      serviceConfig.RemainAfterExit = true;
      serviceConfig.NetworkNamespacePath = "/run/netns/${name}";
-      serviceConfig.ExecStart = "${ip} link set lo up";
+      script = ''
+        ${ip} link set lo up
+        # N.B.: these addresses are implicitly assigned when the interface transitions down -> up.
+        # so unfortunately, we have a blip here where the addresses are briefly assigned, then removed.
+        ${ip} addr del 127.0.0.1/8 dev lo || echo "lo IPv4 address already removed"
+        ${ip} addr del ::1/128 dev lo || echo "lo IPv6 address already removed"
+      '';
      serviceConfig.ExecStop = "${ip} link set lo down";
    };
    systemd.services."netns-${name}-veth" = {