-
Notifications
You must be signed in to change notification settings - Fork 744
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proxy between Network Namespaces #486
Comments
Is it enough to implement a setns path [flags] config command? (3proxy guarantees the order of config commands execution) |
Or clone() support is also required? Can you describe a complete usecase with namespace creation? |
Maybe a new My usecase is proxying to a vpn interface that is opened inside a network namespace, see https://www.wireguard.com/netns/ The other possible usecase is to proxy between a host and a virtual machine that is running inside a container. |
Does it verify the existence of external address and interface (options |
3proxy reopens listening sockets only on configuration reload (in the case of the failure it performs repeating attempts to listen()). External address is not used before client request is received. See |
nope. I think this approach does not work, because setns() sets a namespace for the current thread and calling it on config affects a main thread, while proxying between namespaces probably requires ns to be set in a proxy thread. Probably, for this to work setting namespace should be an option for the service (like 'socks' or 'proxy') rather than config option to achieve this task. also, currently I don't understand, if it can be usefull for a proxy thread to have ability to set a ns before opening the socket and after opening socket, or first case is never required. I'm not sure with chroot() either and if chroot works with threads in different namespaces. |
Oh.. threads. Yes it should be called inside the thread then.
The original proxy namespace can always be set running 3proxy with I am also thinking about socks UDP ASSOCIATE request type, it can be broken by this. If I recall correctly this request type requires server to open a new UDP socket on a listening interface. |
HAProxy already implemented support for network namespaces: https://fossies.org/linux/haproxy/doc/network-namespaces.txt But it requires root privileges. |
Please consider implement proxying between network namespaces. Despite broad info that process can only have sockets in one network namespace actually it can have opened sockets in multiple namespaces. All the opened sockets aren't affected by a
setns
system call. A socket is a network device with associated network namespace and new accepted connections are also belongs to the original socket namespace.So the procedure is:
Create a listen proxy socket
Call
setns()
function and move the process into a new namespaceDo chroot and other privilege deescalation stuff
Do the main proxy loop as usual, accept connections on original socket and make new connections in the new network namespace
I don't know how to arrange this with a complex configs of multiple proxy interfaces but it is possible to make a simple proxy between namespaces this way without the performance overhead and setup pain associated with virtual
veth
interfaces between namespaces.The text was updated successfully, but these errors were encountered: