LinuxQuestions.org
07-04-2022, 02:45 AM   #1
anetworkguy
Namespaces and firewalling


Hi network enthusiasts,

I'm working on a project that requires two things:

- Being able to create a pcap dump per PID
- Being able to force software to use a specific network card (while others are still used by other software)

Namespaces seem to allow both. I'm able, using some tricks and scripts, to create a namespace on the fly in which I execute a given piece of software and dump the flow for the associated virtual NIC.

As for the second point, I'm currently doing more tests. My problem is that I need a piece of software (OpenVPN in this case) to use a specific NIC. OpenVPN does not seem to have a native option for that. Forcing it using a route is not an option, since the VPN endpoint will be given as a hostname rather than an IP (mandatory).

Using a namespace allows me to restrict OpenVPN to only the right interface. However, after that, I tried to restrict the system (and other namespaces) to enforce security.

While trying to update my knowledge of modern networking and using UFW instead of iptables, I ran into some strange behavior.

I had to enable UFW for each namespace, but rules are "likely" shared: they are shown when asking for status. If I add a rule on the system, it's shown in the namespaces. And adding it in a namespace makes it visible from the system.

But the rules are not correctly applied. In other words: once the NIC is attached to my namespace (and not visible from the system anymore), I can add rules, but they won't work unless they are removed from where they were created (system or other namespace) and added from the needed namespace.

With iptables, rules are not shared and you have to create everything in each namespace.

Has anyone noticed such a thing?

(Tests made on up-to-date Arch Linux.)
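
The setup described in the post above, as an added example that is not part of the original post: a POSIX shell script that moves one NIC into a network namespace, loads iptables rules from inside that namespace, and starts a capture and OpenVPN there. The namespace name, NIC name, addresses and file paths are assumptions (constructed values); by default it only prints the commands (`DRY_RUN=1`), and `DRY_RUN=0` as root executes them.

```shell
#!/bin/sh
# Added example: dedicate one NIC to a program via a network namespace,
# firewall that namespace, and capture its traffic.
# All names and addresses below are assumptions (constructed values).
NS="${NS:-vpnns}"                         # hypothetical namespace name
NIC="${NIC:-eth1}"                        # hypothetical NIC to dedicate
ADDR="${ADDR:-192.0.2.10/24}"             # constructed address (TEST-NET-1)
GW="${GW:-192.0.2.1}"                     # constructed gateway
PCAP="${PCAP:-/tmp/$NS.pcap}"             # capture file for this namespace
CONF="${CONF:-/etc/openvpn/client.conf}"  # hypothetical config path
DRY_RUN="${DRY_RUN:-1}"                   # 1 = print commands, 0 = execute (root)

run()    { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }
run_bg() { if [ "$DRY_RUN" = 1 ]; then echo "$* &"; else "$@" & fi; }
in_ns()  { run ip netns exec "$NS" "$@"; }

setup_ns() {
    run ip netns add "$NS" || return 1
    run ip link set "$NIC" netns "$NS" || return 1  # NIC leaves the host namespace
    in_ns ip link set lo up
    in_ns ip addr add "$ADDR" dev "$NIC"
    in_ns ip link set "$NIC" up
    in_ns ip route add default via "$GW"
}

firewall_ns() {
    # netfilter rules are per network namespace: load them from inside $NS.
    in_ns iptables -P INPUT DROP
    in_ns iptables -P FORWARD DROP
    in_ns iptables -A INPUT -i lo -j ACCEPT
    in_ns iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

verify_ns() {
    run iptables -S      # ruleset of the namespace this script runs in
    in_ns iptables -S    # ruleset inside $NS; the two are independent
}

plan() {
    setup_ns && firewall_ns && verify_ns || return 1
    run_bg ip netns exec "$NS" tcpdump -i "$NIC" -w "$PCAP"  # per-namespace pcap
    in_ns openvpn --config "$CONF"
}

plan
```

`ip netns exec` uses `/etc/netns/<name>/resolv.conf` in place of `/etc/resolv.conf` when that file exists, which matters when the VPN endpoint is given as a hostname.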
 
  

