doc/network-namespaces.txt - haproxy - Gitiles

 Linux network namespace support for HAProxy
 ===========================================

 HAProxy supports proxying between Linux network namespaces. This
 feature can be used, for example, in a multi-tenant networking
 environment to proxy between different networks. HAProxy can also act
 as a front-end proxy for non namespace-aware services.

 The proxy protocol has been extended to support transferring the
 namespace information, so the originating namespace information can be
 kept. This is useful when chaining multiple proxies and services.

 To enable Linux namespace support, compile HAProxy with the `USE_NS=1`
 make option.


 ## Setting up namespaces on Linux

 To create network namespaces, use the 'ip netns' command. See the
 manual page ip-netns(8) for details.

 Make sure that the file descriptors representing the network namespace
 are located under `/var/run/netns`.

 For example, you can create a network namespace and assign one of the
 networking interfaces to the new namespace:

 ```
 $ ip netns add netns1
 $ ip link set eth7 netns netns1
 ```


 ## Listing namespaces in the configuration file

 HAProxy uses namespaces explicitly listed in its configuration file.
 If you are not using namespace information received through the proxy
 protocol, this usually means that you must specify namespaces for
 listeners and servers in the configuration file with the 'namespace'
 keyword.

 However, if you're using the namespace information received through
 the proxy protocol to determine the namespace of servers (see
 'namespace * below'), you have to explicitly list all allowed
 namespaces in the namespace_list section of your configuration file:

 ```
 namespace_list
     namespace netns1
     namespace netns2
 ```


 ## Namespace information flow

 The haproxy process always runs in the namespace it was started on.
 This is the default namespace.

 The bind addresses of listeners can have their namespace specified in
 the configuration file. Unless specified, sockets associated with
 listener bind addresses are created in the default namespace. For
 example, this creates a listener in the netns2 namespace:

 ```
 frontend f_example
 	bind 192.168.1.1:80 namespace netns2
 	default_backend http
 ```

 Each client connection is associated with its source namespace. By
 default, this is the namespace of the bind socket it arrived on, but
 can be overridden by information received through the proxy protocol.
 Proxy protocol v2 supports transferring namespace information, so if
 it is enabled for the listener, it can override the associated
 namespace of the connection.

 Servers can have their namespaces specified in the configuration file
 with the 'namespace' keyword:

 ```
 backend b_example
 	server s1 192.168.1.100:80 namespace netns2
 ```

 If no namespace is set for a server, it is assumed that it is in the
 default namespace. When specified, outbound sockets to the server are
 created in the network namespace configured. To create the outbound
 (server) connection in the namespace associated with the client, use
 the '*' namespace. This is especially useful when using the
 destination address and namespace received from the proxy protocol.

 ```
 frontend f_example
 	bind 192.168.1.1:9990 accept-proxy
 	default_backend b_example

 backend b_example
 	mode tcp
 	source 0.0.0.0 usesrc clientip
 	server snodes * namespace *
 ```

 If HAProxy is configured to send proxy protocol v2 headers to the
 server, the outgoing header will always contain the namespace
 associated with the client connection, not the namespace configured
 for the server.
	Linux network namespace support for HAProxy
	===========================================

	HAProxy supports proxying between Linux network namespaces. This
	feature can be used, for example, in a multi-tenant networking
	environment to proxy between different networks. HAProxy can also act
	as a front-end proxy for non namespace-aware services.

	The proxy protocol has been extended to support transferring the
	namespace information, so the originating namespace information can be
	kept. This is useful when chaining multiple proxies and services.

	To enable Linux namespace support, compile HAProxy with the `USE_NS=1`
	make option.


	## Setting up namespaces on Linux

	To create network namespaces, use the 'ip netns' command. See the
	manual page ip-netns(8) for details.

	Make sure that the file descriptors representing the network namespace
	are located under `/var/run/netns`.

	For example, you can create a network namespace and assign one of the
	networking interfaces to the new namespace:

	```
	$ ip netns add netns1
	$ ip link set eth7 netns netns1
	```


	## Listing namespaces in the configuration file

	HAProxy uses namespaces explicitly listed in its configuration file.
	If you are not using namespace information received through the proxy
	protocol, this usually means that you must specify namespaces for
	listeners and servers in the configuration file with the 'namespace'
	keyword.

	However, if you're using the namespace information received through
	the proxy protocol to determine the namespace of servers (see
	'namespace * below'), you have to explicitly list all allowed
	namespaces in the namespace_list section of your configuration file:

	```
	namespace_list
	namespace netns1
	namespace netns2
	```


	## Namespace information flow

	The haproxy process always runs in the namespace it was started on.
	This is the default namespace.

	The bind addresses of listeners can have their namespace specified in
	the configuration file. Unless specified, sockets associated with
	listener bind addresses are created in the default namespace. For
	example, this creates a listener in the netns2 namespace:

	```
	frontend f_example
	bind 192.168.1.1:80 namespace netns2
	default_backend http
	```

	Each client connection is associated with its source namespace. By
	default, this is the namespace of the bind socket it arrived on, but
	can be overridden by information received through the proxy protocol.
	Proxy protocol v2 supports transferring namespace information, so if
	it is enabled for the listener, it can override the associated
	namespace of the connection.

	Servers can have their namespaces specified in the configuration file
	with the 'namespace' keyword:

	```
	backend b_example
	server s1 192.168.1.100:80 namespace netns2
	```

	If no namespace is set for a server, it is assumed that it is in the
	default namespace. When specified, outbound sockets to the server are
	created in the network namespace configured. To create the outbound
	(server) connection in the namespace associated with the client, use
	the '*' namespace. This is especially useful when using the
	destination address and namespace received from the proxy protocol.

	```
	frontend f_example
	bind 192.168.1.1:9990 accept-proxy
	default_backend b_example

	backend b_example
	mode tcp
	source 0.0.0.0 usesrc clientip
	server snodes * namespace *
	```

	If HAProxy is configured to send proxy protocol v2 headers to the
	server, the outgoing header will always contain the namespace
	associated with the client connection, not the namespace configured
	for the server.