giuseppe / slirp-forwarder

Create a network namespace for rootless containers.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool


A tool to create a network namespace that targets rootless containers.

SliRP emulates in userspace a TCP/IP stack. It can be used to circument the limitation of creating TAP/TUN devices in the host namespace for an unprivileged user.

slirp-forwarder runs in the host network namespace without requiring root privileges or a suid program to configure the network. A TAP device is created inside a new network namespace. Data is shuttled from the TAP device to the SLiRP stack running outside.


I've stopped working on this project as I've found that @AkihiroSuda had already something similar so we joined our efforts in: slirp4netns


slirp-forwarder internally uses libslirp, it is required for the build.


slirp-forwarder creates a new network namespace, configures a tap device and keeps a reference to it in the specified.

$ slirp-forwarder /path/to/net

For unprivileged users, before using slirp-forwarder it is first necessary to run in a new user and mount namespace.

You can use the standard unshare(1) tool for doing it, or if you'd like to get more users mapped into the namespace, you can use become-root.

$ unshare -mr bash # start a new bash in a mount and user namespace
$ mount -t tmpfs tmpfs /var/run; mkdir -p /var/run/NetworkManager/
$ touch net; slirp-forwarder net & # keep a reference in the file net
$ nsenter --net=net dhclient -i tap0
$ nsenter --net=net route add default tap0
$ nsenter --net=net ifconfig -a
lo: flags=8<LOOPBACK>  mtu 65536
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tap0: flags=67<UP,BROADCAST,RUNNING>  mtu 1500
        inet  netmask  broadcast
        inet6 fe80::e00f:e4ff:fe83:29cc  prefixlen 64  scopeid 0x20<link>
        ether e2:0f:e4:83:29:cc  txqueuelen 1000  (Ethernet)
        RX packets 2  bytes 724 (724.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9  bytes 942 (942.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
$ nsenter --net=net wget -O-


After you have installed libslirp:

$ ./ && ./configure && make


Consider the slirp implementation in QEMU.


Create a network namespace for rootless containers.

License:GNU General Public License v3.0


Language:C 95.7%Language:M4 3.3%Language:Makefile 0.7%Language:Shell 0.2%