I use libtins (it uses pcap) to capture link-layer packets and forward them to a network namespace where the actual application runs.
Client(Browser) -> Server -> Pcap -> Pcap Send -> br0 (Bridge) -> Namespace -> Application
Now I see that the packets are forwarded and visible in a tcpdump capture, but I don't see them being received by the application itself; no signs of outgoing packets either.
It appears that the loopback interface in the namespace hasn't gotten the packets either, so it looks like the kernel doesn't route the packets to loopback for some reason.
I believe the application listens on the loopback interface by default, and based on my assumption that's where localhost runs.
I've tried to bind the application to the veth0 network interface's IP in the namespace, but it didn't work either.
I am able to ping any website inside the network namespace.
Regarding the checksum, tcpdump shows the packets have a correct checksum.
Here is how I set up my network namespace:
sysctl -w net.ipv4.ip_forward=1 &&
sysctl -w net.ipv6.conf.all.forwarding=1 &&
ip netns add namespace1 &&
ip link add veth0 type veth peer name veth1 &&
ip link set veth0 netns namespace1 &&
ip netns exec namespace1 ip addr add 192.168.1.11/24 dev veth0 &&
ip link add name br0 type bridge &&
ip link set br0 up &&
ip link set veth1 up &&
ip netns exec namespace1 ip link set veth0 up &&
ip netns exec namespace1 ip link set lo up &&
ip link set veth1 master br0 &&
ip addr add 192.168.1.10/24 brd + dev br0 &&
ip -all netns exec ip route add default via 192.168.1.10 &&
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
Here is an example of a packet captured by tcpdump in the network namespace:
16:50:11.742116 IP (tos 0x2a,ECT(0), ttl 115, id 8487, offset 0, flags [DF], proto TCP (6), length 52)
MYHOMEIP.51202 > SERVERIP.https: Flags [SEW], cksum 0x59a4 (correct), seq 332112346, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
Here is the output of ss -lntp in the namespace:
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 511 *:443 *:* users:(("node",pid=30798,fd=20))
LISTEN 0 511 *:7000 *:* users:(("node",pid=30798,fd=19))
Looking at the output, I see Send-Q is filled with 511 and I'm not sure what that means.
The answer below doesn't add anything new and it didn't fix my problem.
I would love to award a bounty but can't find the button.
Apparently, a similar question has been asked on this site years ago but no one succeeded in providing a working solution.
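As an added diagnostic example (my own code, not part of the question, of libtins, or of any posted answer): it builds a TCP SYN frame shaped like the captured one using constructed values (203.0.113.5 stands in for SERVERIP, 198.51.100.7 for MYHOMEIP, and the veth0 MAC is made up) and reports whether the namespace's IPv4 stack would hand that frame to a listening socket, which requires the destination MAC and destination IP to belong to the namespace and both the IP and TCP checksums to verify.

```python
import struct
import ipaddress

def rfc1071_checksum(data: bytes) -> int:
    """One's-complement checksum (RFC 1071); returns 0 when run over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_tcp_syn_frame(dst_mac: bytes, src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """Constructed Ethernet/IPv4/TCP SYN shaped like the capture (tos 0x2a, ttl 115, id 8487, DF, win 64240, no options)."""
    src, dst = ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed
    eth = dst_mac + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"          # constructed source MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 332112346, 0, 5 << 4, 0x02, 64240, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))          # TCP pseudo-header for the checksum
    tcp = tcp[:16] + struct.pack("!H", rfc1071_checksum(pseudo + tcp)) + tcp[18:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0x2A, 20 + len(tcp), 8487, 0x4000, 115, 6, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", rfc1071_checksum(ip_hdr)) + ip_hdr[12:]
    return eth + ip_hdr + tcp

def classify_frame(frame: bytes, if_mac: bytes, local_ips: set) -> dict:
    """Decide whether the namespace's stack would hand this frame to a local socket or forward/drop it."""
    res = {"dst_mac_ok": frame[0:6] in (if_mac, b"\xff" * 6), "ipv4": frame[12:14] == b"\x08\x00"}
    if not res["ipv4"]:
        res["verdict"] = "not IPv4"
        return res
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    res["dst_ip"] = str(ipaddress.IPv4Address(ip[16:20]))
    res["dst_ip_local"] = res["dst_ip"] in local_ips                  # only locally owned addresses reach a socket
    res["ip_cksum_ok"] = rfc1071_checksum(ip[:ihl]) == 0
    res["tcp_cksum_ok"] = ip[9] == 6 and rfc1071_checksum(ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp)) + tcp) == 0
    res["verdict"] = ("local delivery" if res["dst_mac_ok"] and res["dst_ip_local"] and res["ip_cksum_ok"] and res["tcp_cksum_ok"]
                      else "forward/drop (not delivered to a local socket)")
    return res

if __name__ == "__main__":
    ns_mac = b"\x02\xaa\xbb\xcc\xdd\xee"                # constructed MAC of veth0 inside the namespace
    local = {"192.168.1.11", "127.0.0.1"}               # addresses the namespace owns (from the setup script)
    # A SYN still addressed to the public SERVERIP (placeholder 203.0.113.5): checksums verify, yet it is not local
    print(classify_frame(build_tcp_syn_frame(ns_mac, "198.51.100.7", "203.0.113.5", 51202, 443), ns_mac, local))
    # The same SYN addressed to veth0's own IP is what a socket listening on *:443 would actually see
    print(classify_frame(build_tcp_syn_frame(ns_mac, "198.51.100.7", "192.168.1.11", 51202, 443), ns_mac, local))
```

Running it against a real capture means feeding the raw frame bytes from pcap into classify_frame with the namespace's actual veth0 MAC and addresses.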