How Docker Leverages Linux Namespaces, Bridges, and Veth Pairs for Container Networking

Docker's networking depends on Linux kernel virtualization technologies, using Network Namespace, bridge devices, Veth pairs, iptables/netfilter, and routing.

Network Namespace

To support multiple instances of the network protocol stack, Linux introduces Network Namespace, isolating independent protocol stacks in separate namespaces that cannot communicate with each other. The kernel makes global network variables namespace‑specific, allowing applications to use namespaces transparently.

When a new Network Namespace is created and a process is attached, all network stack variables are stored in a data structure private to that namespace.

Docker uses Network Namespace to isolate container networks. If a container is run with the host network stack (e.g., docker run -d --net=host --name c_name i_name), it shares the host's ports, which can cause conflicts. docker run -d --net=host --name c_name i_name Typically containers have their own IP and ports via Network Namespace, raising the question of how isolated containers communicate.

Bridge

Linux bridges act like data‑link‑layer devices, forwarding frames based on MAC addresses. Docker creates a default bridge (docker0) on the host; any interface connected to docker0 can communicate through it.

Bridge Details

A bridge connects multiple network interfaces, learns source MAC addresses, and forwards frames to the appropriate port. Unknown destinations are broadcast to all ports except the source.

Bridges maintain a MAC address table with a timeout (default 5 minutes). If a device moves ports without sending traffic, the bridge may still forward to the old port until the entry expires.

Linux implements bridges as virtual net devices that can have an IP address, acting as a layer‑2 (or sometimes layer‑3) device.

Linux Bridge Implementation

The Linux kernel provides a virtual bridge device (Net Device) that can bind multiple Ethernet interfaces. Upper‑layer protocols see only the bridge (e.g., br0), while the bridge forwards frames to the appropriate physical interfaces.

Common Bridge Operations

Docker automatically creates and manages the bridge, but you can manually manipulate it: brctl addbr br0 Add an interface to the bridge: brctl addif br0 eth0 Configure an IP address for the bridge:

ip addr add 192.168.1.1/24 dev br0

Veth Pair

Veth pairs consist of two virtual Ethernet interfaces that appear as peers. Packets sent on one appear on the other, even if they reside in different Network Namespaces, effectively acting as a virtual cable between namespaces.

Veth Pair Commands

Create a Veth pair: ip link add veth0 type veth peer name veth1 Show Veth interfaces: ip link show Move one peer to another namespace: ip link set veth1 netns netns1 Assign IP addresses inside the namespaces:

ip netns exec netns1 ip addr add 10.1.1.1/24 dev veth1
ip addr add 10.1.1.2/24 dev veth0

Bring the interfaces up:

ip netns exec netns1 ip link set veth1 up
ip link set veth0 up

Test connectivity:

ip netns exec netns1 ping 10.1.1.2

Iptables/Netfilter

Linux provides Netfilter hooks in the kernel for packet processing. Iptables runs in user space to manage Netfilter rule tables (RAW, MANGLE, NAT, FILTER), allowing filtering, modification, or dropping of packets.

Route

Linux maintains routing tables to decide where to forward IP packets. The kernel uses the LOCAL and MAIN tables; LOCAL handles local address recognition, while MAIN handles general IP forwarding. Commands to view tables include:

ip route show table local type local
ip route list

Summary

The article covered Docker's fundamental networking components: Network Namespace, Bridge, Veth Pair, iptables/netfilter, and routing tables, laying the groundwork for deeper exploration of Docker container networking implementation.