.nh .TH SLIRP4NETNS 1 "July 2018" "Rootless Containers" "User Commands" .SH NAME .PP slirp4netns \- User\-mode networking for unprivileged network namespaces .SH SYNOPSIS .PP slirp4netns [OPTION]... PID TAPNAME .SH DESCRIPTION .PP slirp4netns provides user\-mode networking ("slirp") for network namespaces. .PP Unlike \fBveth\fP(4), slirp4netns does not require the root privileges on the host. .PP Default configuration: .RS .IP \(bu 2 Gateway: 10.0.2.2, fd00::2 .IP \(bu 2 DNS: 10.0.2.3, fd00::3 .IP \(bu 2 Host: 10.0.2.2, 10.0.2.3, fd00::2, fd00::3 .RE .SH OPTIONS .PP \fB\-c\fP, \fB\-\-configure\fP bring up the interface. IP will be set to 10.0.2.100. IPv6 will be set to a random address. .PP \fB\-e\fP, \fB\-\-exit\-fd=FD\fP specify the FD for terminating slirp4netns. .PP \fB\-r\fP, \fB\-\-ready\-fd=FD\fP specify the FD to write to when the network is configured. .PP \fB\-m\fP, \fB\-\-mtu=MTU\fP specify MTU (default=1500, max=65521). .PP \fB\-6\fP, \fB\-\-enable\-ipv6\fP enable IPv6 (experimental). .PP \fB\-h\fP, \fB\-\-help\fP show help and exit .PP \fB\-v\fP, \fB\-\-version\fP show version and exit .SH EXAMPLE .PP Terminal 1: Create user/network/mount namespaces .PP .RS .nf $ unshare \-\-user \-\-map\-root\-user \-\-net \-\-mount unshared$ echo $$ > /tmp/pid .fi .RE .PP Terminal 2: Start slirp4netns .PP .RS .nf $ slirp4netns \-\-configure \-\-mtu=65520 $(cat /tmp/pid) tap0 starting slirp, MTU=65520 ... .fi .RE .PP Terminal 1: Make sure \fBtap0\fP is configured and connected to the Internet .PP .RS .nf unshared$ ip a 1: lo: mtu 65536 qdisc noop state DOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 3: tap0: mtu 65520 qdisc fq\_codel state UNKNOWN group default qlen 1000 link/ether c2:28:0c:0e:29:06 brd ff:ff:ff:ff:ff:ff inet 10.0.2.100/24 brd 10.0.2.255 scope global tap0 valid\_lft forever preferred\_lft forever inet6 fe80::c028:cff:fe0e:2906/64 scope link valid\_lft forever preferred\_lft forever unshared$ echo "nameserver 10.0.2.3" > /tmp/resolv.conf unshared$ mount \-\-bind /tmp/resolv.conf /etc/resolv.conf unshared$ curl https://example.com .fi .RE .PP Bind\-mounting \fB/etc/resolv.conf\fP is only needed when \fB/etc/resolv.conf\fP on the host refers to loopback addresses (\fB127.0.0.X\fP, typically because of \fBdnsmasq\fP(8) or \fBsystemd\-resolved.service\fP(8)) that cannot be accessed from the namespace. .PP If your \fB/etc/resolv.conf\fP on the host is managed by \fBnetworkmanager\fP(8) or \fBsystemd\-resolved.service\fP(8), you might need to mount a new filesystem on \fB/etc\fP instead, so as to prevent the new \fB/etc/resolv.conf\fP from being unmounted unexpectedly when \fB/etc/resolv.conf\fP on the host is regenerated. .PP .RS .nf unshared$ mkdir /tmp/a /tmp/b unshared$ mount \-\-rbind /etc /tmp/a unshared$ mount \-\-rbind /tmp/b /etc unshared$ mkdir /etc/.ro unshared$ mount \-\-move /tmp/a /etc/.ro unshared$ cd /etc unshared$ for f in .ro/*; do ln \-s $f $(basename $f); done unshared$ rm resolv.conf unshared$ echo "nameserver 10.0.2.3" > /tmp/resolv.conf unshared$ curl https://example.com .fi .RE .SH ROUTING PING PACKETS .PP To route ping packets, you need to set up \fBnet.ipv4.ping\_group\_range\fP properly as the root. .PP e.g. .PP .RS .nf $ sudo sh \-c "echo 0 2147483647 > /proc/sys/net/ipv4/ping\_group\_range" .fi .RE .SH SEE ALSO .PP \fBnetwork\_namespaces\fP(7), \fBuser\_namespaces\fP(7), \fBveth\fP(4) .SH AVAILABILITY .PP The slirp4netns command is available from \fBhttps://github.com/rootless\-containers/slirp4netns\fP under GNU GENERAL PUBLIC LICENSE Version 2.