by QuantumNoodle 457 days ago
That depends on how you set it up; it doesn't have to bypass the "main host" firewall. Consider the following example:

0. If you set up no additional network namespaces, there is still one present, this is called the "default" or "root" network namespace. It is what you referred to as "main host".

1. Say the default net ns has device eth0 that your server receives traffic on.

2. You create a veth pair in the default net ns, veth0 and veth1.

3. You create a new net ns and move veth1 into new net ns. Only veth0 and eth0 remain in default net ns.

4. You set up routes and nftables rules in default net ns as you would normally. Certain traffic you want to route to your new net ns, so you have a next hop veth0 (note, you have to route through to the IP of veth1, using veth0 as next hop).

5. You set up additional nftables rules and whatever you want in the new net ns and this is isolated from default net ns.

End-to-end flow: packet arrives on eth0, traverses netfilter (nftables/iptables) and route lookup to route to "new network" via veth0. Packet is sent "out" the default net stack via veth0 and arrives on veth1 (since they are a pair) in new net ns network stack. There, the packet traverses an isolated netfilter and routing table and a socket can be listening for your service or whatever. Replies would follow the same in reverse: sent out veth1 in new net ns, arrive on veth0 in default net ns, and exit that stack via eth0.
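The layout in steps 0-5 above, written out as an added example script (not the commenter's own code). Assumed names and addresses, none of which come from the comment: namespace `svc`, 10.200.0.1/24 on veth0 in the default ns, 10.200.0.2/24 on veth1 in the new ns, uplink `eth0`, and a service on TCP 8080; `DRY_RUN=1` prints the `ip`/`nft` commands instead of executing them so the plan can be reviewed without root.

```shell
#!/bin/sh
# Added example: veth pair + separate netns, with the default-ns nftables
# ruleset still in the path. Names/addresses below are assumptions.
NS=svc; UPLINK=eth0; V0=veth0; V1=veth1
GW=10.200.0.1; SVC_IP=10.200.0.2; SVC_PORT=8080

# DRY_RUN=1 echoes each command; otherwise it is executed (needs root).
run()   { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }
in_ns() { run ip netns exec "$NS" "$@"; }

setup_isolated_ns() {
  # Steps 2-3: veth pair created in the default ns, veth1 moved into the new ns.
  run ip link add "$V0" type veth peer name "$V1"
  run ip netns add "$NS"
  run ip link set "$V1" netns "$NS"
  run ip addr add "$GW/24" dev "$V0"
  run ip link set "$V0" up
  in_ns ip addr add "$SVC_IP/24" dev "$V1"
  in_ns ip link set "$V1" up
  in_ns ip link set lo up
  in_ns ip route add default via "$GW" dev "$V1"

  # Step 4: the default ns forwards only the chosen service traffic to
  # veth1's address via veth0 (connected route from the /24 on veth0);
  # anything else crossing the veth is dropped by the host ruleset.
  run sysctl -w net.ipv4.ip_forward=1
  run nft add table inet fwd
  run nft add chain inet fwd forward '{ type filter hook forward priority 0; policy drop; }'
  run nft add rule inet fwd forward iifname "$UPLINK" oifname "$V0" ip daddr "$SVC_IP" \
      tcp dport "$SVC_PORT" ct state new,established accept
  run nft add rule inet fwd forward iifname "$V0" oifname "$UPLINK" ct state established,related accept

  # Step 5: an independent ruleset inside the new ns, isolated from the host's.
  in_ns nft add table inet svc
  in_ns nft add chain inet svc input '{ type filter hook input priority 0; policy drop; }'
  in_ns nft add rule inet svc input iif lo accept
  in_ns nft add rule inet svc input ct state established,related accept
  in_ns nft add rule inet svc input iifname "$V1" tcp dport "$SVC_PORT" accept
}

# Usage: DRY_RUN=1 sh netns-svc.sh plan   |   sudo sh netns-svc.sh apply
case "${1:-}" in
  plan)  DRY_RUN=1; setup_isolated_ns ;;
  apply) setup_isolated_ns ;;
esac
```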


I was speaking from a defensive security point of view and not a server trying to route traffic.

The fact that local users can simply create namespaces that bypass the host's firewall is extremely dangerous in my opinion.