MAJOR: namespace: add Linux network namespace support
This patch makes it possible to create binds and servers in separate
namespaces. This can be used to proxy between multiple completely independent
virtual networks (with possibly overlapping IP addresses) and a
non-namespace-aware proxy implementation that supports the proxy protocol (v2).
The setup is something like this:
net1 on VLAN 1 (namespace 1) -\
net2 on VLAN 2 (namespace 2) -- haproxy ==== proxy (namespace 0)
net3 on VLAN 3 (namespace 3) -/
The proxy is configured to make server connections through haproxy and sending
the expected source/target addresses to haproxy using the proxy protocol.
The network namespace setup on the haproxy node is something like this:
= 8< =
$ cat setup.sh
ip netns add 1
ip link add link eth1 type vlan id 1
ip link set eth1.1 netns 1
ip netns exec 1 ip addr add 192.168.91.2/24 dev eth1.1
ip netns exec 1 ip link set eth1.$id up
...
= 8< =
= 8< =
$ cat haproxy.cfg
frontend clients
bind 127.0.0.1:50022 namespace 1 transparent
default_backend scb
backend server
mode tcp
server server1 192.168.122.4:2222 namespace 2 send-proxy-v2
= 8< =
A bind line creates the listener in the specified namespace, and connections
originating from that listener also have their network namespace set to
that of the listener.
A server line either forces the connection to be made in a specified
namespace or may use the namespace from the client-side connection if that
was set.
For more documentation please read the documentation included in the patch
itself.
Signed-off-by: KOVACS Tamas <ktamas@balabit.com>
Signed-off-by: Sarkozi Laszlo <laszlo.sarkozi@balabit.com>
Signed-off-by: KOVACS Krisztian <hidden@balabit.com>
diff --git a/include/types/connection.h b/include/types/connection.h
index b317007..4c61096 100644
--- a/include/types/connection.h
+++ b/include/types/connection.h
@@ -261,6 +261,7 @@
} sock;
} t;
enum obj_type *target; /* the target to connect to (server, proxy, applet, ...) */
+ const struct netns_entry *proxy_netns;
struct {
struct sockaddr_storage from; /* client address, or address to spoof when connecting to the server */
struct sockaddr_storage to; /* address reached by the client, or address to connect to */
@@ -330,7 +331,9 @@
#define PP2_TYPE_SSL 0x20
#define PP2_TYPE_SSL_VERSION 0x21
#define PP2_TYPE_SSL_CN 0x22
+#define PP2_TYPE_NETNS 0x30
+#define TLV_HEADER_SIZE 3
struct tlv {
uint8_t type;
uint8_t length_hi;
diff --git a/include/types/listener.h b/include/types/listener.h
index 83b63af..725808b 100644
--- a/include/types/listener.h
+++ b/include/types/listener.h
@@ -177,6 +177,8 @@
int maxseg; /* for TCP, advertised MSS */
char *interface; /* interface name or NULL */
+ const struct netns_entry *netns; /* network namespace of the listener*/
+
struct list by_fe; /* chaining in frontend's list of listeners */
struct list by_bind; /* chaining in bind_conf's list of listeners */
struct bind_conf *bind_conf; /* "bind" line settings, include SSL settings among other things */
diff --git a/include/types/server.h b/include/types/server.h
index 5798fab..4847def 100644
--- a/include/types/server.h
+++ b/include/types/server.h
@@ -85,6 +85,7 @@
#define SRV_F_BACKUP 0x0001 /* this server is a backup server */
#define SRV_F_MAPPORTS 0x0002 /* this server uses mapped ports */
#define SRV_F_NON_STICK 0x0004 /* never add connections allocated to this server to a stick table */
+#define SRV_F_USE_NS_FROM_PP 0x0008 /* use namespace associated with connection if present */
/* configured server options for send-proxy (server->pp_opts) */
#define SRV_PP_V1 0x0001 /* proxy protocol version 1 */
@@ -191,6 +192,7 @@
unsigned lb_nodes_now; /* number of lb_nodes placed in the tree (C-HASH) */
struct tree_occ *lb_nodes; /* lb_nodes_tot * struct tree_occ */
+ const struct netns_entry *netns; /* contains network namespace name or NULL. Network namespace comes from configuration */
/* warning, these structs are huge, keep them at the bottom */
struct sockaddr_storage addr; /* the address to connect to */
struct protocol *proto; /* server address protocol */