网络命名空间中跨namespace ping 192.168.3.1失败的问题排查求助

阿华AIGC实验室

2026-4-21

我正在学习网络命名空间，跟着一篇Docker相关的教程搭建测试环境。我创建了名为test的命名空间，把veth-b网卡移到这个namespace里后，却没法ping通192.168.3.1（不过ping宿主机的192.168.2.1是完全正常的）。看两个网卡的状态都是UP的，有没有大佬能帮忙分析下可能哪里出问题了？

操作步骤与接口信息

首先我创建了veth虚拟网卡对：

sudo ip link add veth-a type veth peer name veth-b

宿主机上执行ifconfig -a的相关输出：

veth-a: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
inet 192.168.2.1  netmask 255.255.255.0  broadcast 0.0.0.0
inet6 fe80::f057:76ff:fec4:5104  prefixlen 64  scopeid 0x20<link>
ether f2:57:76:c4:51:04  txqueuelen 1000  (Ethernet)
RX packets 12  bytes 936 (936.0 B)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 55  bytes 8117 (7.9 KiB)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

进入test命名空间后执行ifconfig -a的输出：

$ sudo ip netns exec test ifconfig -a

lo: flags=8<LOOPBACK>  mtu 65536
loop  txqueuelen 1000  (Local Loopback)
RX packets 0  bytes 0 (0.0 B)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 0  bytes 0 (0.0 B)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth-b: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
inet 192.168.3.1  netmask 255.255.255.0  broadcast 0.0.0.0
inet6 fe80::58b9:ff:fecc:6fb5  prefixlen 64  scopeid 0x20<link>
ether 5a:b9:00:cc:6f:b5  txqueuelen 1000  (Ethernet)
RX packets 58  bytes 8762 (8.5 KiB)
RX errors 0  dropped 0  overruns 0  frame 0
TX packets 12  bytes 936 (936.0 B)
TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Ping测试结果

失败的ping（宿主机ping 192.168.3.1）：

$ ping 192.168.3.1
PING 192.168.3.1 (192.168.3.1) 56(84) bytes of data.
^C
--- 192.168.3.1 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2074ms

成功的ping（宿主机ping自身veth-a地址）：

$ ping 192.168.2.1
PING 192.168.2.1 (192.168.2.1) 56(84) bytes of data.
64 bytes from 192.168.2.1: icmp_seq=1 ttl=64 time=0.053 ms
64 bytes from 192.168.2.1: icmp_seq=2 ttl=64 time=0.043 ms
64 bytes from 192.168.2.1: icmp_seq=3 ttl=64 time=0.041 ms
64 bytes from 192.168.2.1: icmp_seq=4 ttl=64 time=0.049 ms
^C64 bytes from 192.168.2.1: icmp_seq=5 ttl=64 time=0.070 ms

宿主机路由表

$ ip route
default via 192.168.1.1 dev wlp4s0 proto dhcp src 192.168.1.138 metric 600
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.1.0/24 dev wlp4s0 proto kernel scope link src 192.168.1.138 metric 600
192.168.2.0/24 dev veth-a proto kernel scope link src 192.168.2.1
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1 linkdown

我尝试添加过路由：

sudo ip route add 192.168.3.0/24 dev veth-a

但问题依然存在。

更新：启动命名空间内的lo接口后

我把test命名空间里的lo接口启动了，但现在ping 192.168.3.1时出现了新的错误，提示192.168.2.1不可达？有点搞不懂，难道教程里要求启动lo接口的步骤真的这么关键吗？毕竟我ping的不是lo地址啊。

$ ping 192.168.3.1
PING 192.168.3.1 (192.168.3.1) 56(84) bytes of data.
From 192.168.2.1 icmp_seq=1 Destination Host Unreachable
From 192.168.2.1 icmp_seq=2 Destination Host Unreachable
From 192.168.2.1 icmp_seq=3 Destination Host Unreachable
From 192.168.2.1 icmp_seq=4 Destination Host Unreachable
From 192.168.2.1 icmp_seq=5 Destination Host Unreachable
From 192.168.2.1 icmp_seq=6 Destination Host Unreachable

备注：内容来源于stack exchange，提问作者user1234234