Proxy between Network Namespaces #486

VasiliPupkin256 opened this issue Jul 6, 2020 · 8 comments

Comments

@VasiliPupkin256

Please consider implementing proxying between network namespaces. Despite the widespread claim that a process can only have sockets in one network namespace, it can actually have open sockets in multiple namespaces. Already-open sockets aren't affected by a setns system call. A socket is a network device with an associated network namespace, and newly accepted connections also belong to the original socket's namespace.

So the procedure is:

  • Create a listen proxy socket

  • Call setns() function and move the process into a new namespace

  • Do chroot and other privilege de-escalation stuff

  • Do the main proxy loop as usual, accept connections on original socket and make new connections in the new network namespace

I don't know how to arrange this with complex configs of multiple proxy interfaces, but it is possible to make a simple proxy between namespaces this way without the performance overhead and setup pain associated with virtual veth interfaces between namespaces.

@z3APA3A
Collaborator

z3APA3A commented Jul 7, 2020

Is it enough to implement a

setns path [flags]

config command? (3proxy guarantees the order of config commands execution)

@z3APA3A
Collaborator

z3APA3A commented Jul 7, 2020

Or is clone() support also required? Can you describe a complete use case with namespace creation?

@VasiliPupkin256
Author

Maybe a new setns path command would be enough... Does 3proxy reopen the listening connection? What about outgoing DNS requests?

My use case is proxying to a VPN interface that is opened inside a network namespace, see https://www.wireguard.com/netns/

The other possible use case is to proxy between a host and a virtual machine that is running inside a container.

@VasiliPupkin256
Author

Does it verify the existence of the external address and interface (options -e and -De) when it starts a proxy but no connections have been made yet? This address and interface may not be reachable in the original namespace before the setns call.

@z3APA3A
Collaborator

z3APA3A commented Jul 7, 2020

3proxy reopens listening sockets only on configuration reload (in the case of failure it makes repeated attempts to listen()). The external address is not used before a client request is received. See
https://3proxy.ru/faqr.asp#INTEXT
https://3proxy.ru/faqe.asp#INTEXT

@z3APA3A
Collaborator

z3APA3A commented Jul 7, 2020

Create a listen proxy socket

Call setns() function and move the process into a new namespace

Do chroot and other privilege deescalation stuff

Nope. I think this approach does not work, because setns() sets a namespace for the current thread, and calling it from the config affects the main thread, while proxying between namespaces probably requires the ns to be set in a proxy thread. For this to work, setting the namespace should probably be an option for the service (like 'socks' or 'proxy') rather than a config option.

Also, I currently don't understand whether it can be useful for a proxy thread to have the ability to set a ns both before opening the socket and after opening the socket, or whether the first case is never required.

I'm not sure about chroot() either, or whether chroot works with threads in different namespaces.
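The procedure from the opening comment (listen, setns(), drop privileges, relay) together with the per-thread nature of setns() raised just above, as an added example that is not 3proxy code and not from either participant. It assumes Linux, a namespace handle at a path such as /var/run/netns/<name> (as created by `ip netns add`), CAP_SYS_ADMIN for setns(2), and CAP_SYS_CHROOT plus CAP_SETUID/CAP_SETGID for the privilege drop; all function names are this example's own. The namespace switch is deliberately done in the worker thread that will connect() outward, because setns(2) moves only the calling thread, while chroot() and setuid() (through glibc) apply to the whole process. `demo_relay_over_socketpair()` exercises only the relay loop and runs unprivileged on constructed input.

```python
import ctypes
import os
import selectors
import socket
import threading
from typing import Optional, Tuple

CLONE_NEWNET = 0x40000000  # nstype flag for setns(2), from <sched.h>

def current_netns() -> Optional[str]:
    """Namespace identity of the *calling thread*, e.g. 'net:[4026531992]'.
    /proc/thread-self is used on purpose: setns() only moves the caller."""
    try:
        return os.readlink("/proc/thread-self/ns/net")
    except OSError:
        return None

def enter_netns(path: str) -> None:
    """setns(2) the calling thread into the network namespace behind `path`."""
    libc = ctypes.CDLL(None, use_errno=True)
    libc.setns.argtypes = [ctypes.c_int, ctypes.c_int]
    fd = os.open(path, os.O_RDONLY)  # FileNotFoundError for a bad path
    try:
        if libc.setns(fd, CLONE_NEWNET) != 0:
            err = ctypes.get_errno()
            raise OSError(err, os.strerror(err))
    finally:
        os.close(fd)

def open_listener(host: str, port: int) -> socket.socket:
    """Step 1: the listening socket. It stays in the namespace it was created
    in, and every connection accept()ed from it belongs to that namespace."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    return srv

def drop_privileges(chroot_dir: Optional[str], uid: int, gid: int) -> None:
    """Step 3, done after setns() so CAP_SYS_ADMIN is no longer needed.
    chroot()/setgid()/setuid() affect the whole process, not one thread."""
    if chroot_dir:
        os.chroot(chroot_dir)
        os.chdir("/")
    os.setgid(gid)
    os.setuid(uid)

def relay(a: socket.socket, b: socket.socket) -> Tuple[int, int]:
    """Copy bytes both ways, propagating half-closes; returns (a->b, b->a) counts."""
    sel = selectors.DefaultSelector()
    sel.register(a, selectors.EVENT_READ, b)
    sel.register(b, selectors.EVENT_READ, a)
    moved, open_sides = {a: 0, b: 0}, 2
    while open_sides:
        for key, _ in sel.select():
            src, dst = key.fileobj, key.data
            data = src.recv(65536)
            if data:
                dst.sendall(data)
                moved[src] += len(data)
                continue
            sel.unregister(src)  # src sent EOF: pass it on as a half-close
            open_sides -= 1
            try:
                dst.shutdown(socket.SHUT_WR)
            except OSError:
                pass  # peer already gone
    sel.close()
    a.close()
    b.close()
    return moved[a], moved[b]

def serve_across_namespaces(listen_addr, netns_path, upstream, chroot_dir=None,
                            uid=65534, gid=65534) -> socket.socket:
    """Steps 1-4: accept in the original netns, connect from the new one. The
    setns() runs in the thread that connects, so name resolution inside
    create_connection() also happens in the new namespace."""
    srv = open_listener(*listen_addr)  # created in the original namespace

    def worker():
        enter_netns(netns_path)  # moves this thread only
        drop_privileges(chroot_dir, uid, gid)
        while True:
            client, _ = srv.accept()  # still belongs to the original netns
            up = socket.create_connection(upstream)  # opened in the new netns
            threading.Thread(target=relay, args=(client, up), daemon=True).start()

    threading.Thread(target=worker, daemon=True).start()
    return srv

def _read_to_eof(s: socket.socket) -> bytes:
    chunks = []
    while True:
        data = s.recv(4096)
        if not data:
            return b"".join(chunks)
        chunks.append(data)

def demo_relay_over_socketpair() -> Tuple[bytes, bytes, Tuple[int, int]]:
    """Unprivileged offline check of relay(): two socketpairs stand in for the
    client and upstream connections; the request/response bytes are constructed."""
    client, client_side = socket.socketpair()
    upstream, upstream_side = socket.socketpair()
    counts = []
    t = threading.Thread(target=lambda: counts.append(relay(client_side, upstream_side)))
    t.start()
    client.sendall(b"GET / HTTP/1.0\r\n\r\n")
    client.shutdown(socket.SHUT_WR)
    seen_by_upstream = _read_to_eof(upstream)
    upstream.sendall(b"HTTP/1.0 200 OK\r\n\r\nhi")
    upstream.shutdown(socket.SHUT_WR)
    seen_by_client = _read_to_eof(client)
    t.join(5)
    return seen_by_upstream, seen_by_client, counts[0]
```

`serve_across_namespaces(("0.0.0.0", 1080), "/var/run/netns/vpn", ("10.0.0.1", 80))` is the privileged entry point; calling `current_netns()` from the main thread and from inside `worker()` shows two different `net:[...]` identities, which is the thread-scoped behaviour the thread discusses. Since chroot() is process-wide, the chroot directory must contain whatever the resolver needs (resolv.conf and friends) for DNS from the worker to keep working.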

@VasiliPupkin256
Author

Oh... threads. Yes, it should be called inside the thread then.

if it can be usefull for a proxy thread to have ability to set a ns before opening the socket

The original proxy namespace can always be set by running 3proxy with an ip netns exec ... command, for example. But it can be implemented through the config for simplicity; setns can be called multiple times. Why not?

I am also thinking about the socks UDP ASSOCIATE request type; it could be broken by this. If I recall correctly, this request type requires the server to open a new UDP socket on the listening interface.

@phantomcraft

HAProxy already implemented support for network namespaces: https://fossies.org/linux/haproxy/doc/network-namespaces.txt

But it requires root privileges.
