Is it valid to use macvlan on dummy interface

TrevorT

4/7/24, 11:08 AM

Is it valid to setup the container network in this way:

Create a dummy interface on the host
```
ip link add du0 type dummy
```
Created two containers using systemd-nspawn, each have a macvlan interface bind to that dummy interface

/etc/systemd/nspawn/proxy.nspawn and /etc/systemd/nspawn/apps.nspawn
```
[Network]
VirtualEthernet=no
MACVLAN=du0
```

I can't find any similar example on the Internet, I would like to know if it is good the use macvlan like that, or if there is a better method to achieve my goal.

My goal is to create a container that runs forward and reverse proxy. It will have multiple forward proxies that use different VPN interfaces to connect to different countries or use the physical interface directly. And all other containers will connect to that proxy container, each app will choose the appropriate proxy to use.

To connect those containers, systemd-nspawn support multiple options. I would like to use macvlan because it seems to be the most lightweight (best performance) among all options. But I want to ensure that the container cannot connect to the Internet directly, instead it must use the proxy container. I don't want to bind the macvlan interface to the physical interface. So I created a dummy interface on the host, and bind the macvlan interface to that dummy interface. I just tested it and it works, the container can ping each other.

213

1 + 3

linux-networking

containers

larsks

4/7/24, 4:01 PM

This seems like a really odd way to go about things. If you want to connect multiple containers on a "private network", just attach them all to the same bridge device (using `--network-veth` and `--network-bridge`).

A.B

4/7/24, 4:04 PM

There's also a "all-in-one" [`--network-zone`](https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html#--network-zone=) which appears interesting.

TrevorT

4/7/24, 6:51 PM

Some information on the Internet said that the macvlan have better performance than standard Linux bridge. The network-zone options is still standard Linux bridge. I just did a few tests on inter-container network speed with iperf3, the difference is very small but I can see the difference: ipvlan on dummy > macvlan on dummy > standard Linux bridge > host ipv4 routing

Score:0

Server

TrevorT

4/10/24, 2:03 PM

Answer my own question. It is valid. Docker is doing it on ipvlan. https://docs.docker.com/network/ipvlan/#prerequisites

If the parent interface is not specified or the --internal flag is used, a netlink type dummy parent interface is created for the user and used as the parent interface effectively isolating the network completely.

More information about macvlan vs ipvlan. macvlan should be faster if the interface support more than one mac address. On dummy interface or Raspberry Pi, the interface enter promiscuous mode with just one macvlan interface, so it is better to use ipvlan in these scenario.

+ 0

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Is it valid to use macvlan on dummy interface

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.