We had a similar requirement. We developed a patch (on 1.8.3) that allows the Proxy Protocol TLV PP2_TYPE_NETNS to be configured as part of a bind with a âsend_netns <netns>â, e.g.:
frontend cfe
bind 192.168.1.20:3128 send_netns 1
mode tcp
See below an example capture of the Proxy Protocol v2 with PP2_TYPE_NETSN set using send_netns 1:
[cid:***@01D3AEFA.6BB509C0]
We decided to re-use PP2_TYPE_NETNS as it served our purpose reasonable well noting that <netns> is a string.
Below is the 1.8.3 patch. If there is general interest, happy to create a patch according to guidelines in âHOW TO GET YOUR CODE ACCEPTED IN HAPROXYâ and submit to the maintainers.
+++ connection.h 2018-01-12 12:35:38.000000000 +0000
@@ -388,6 +388,7 @@
int (*xprt_done_cb)(struct connection *conn); /* callback to notify of end of handshake */
void (*destroy_cb)(struct connection *conn); /* callback to notify of imminent death of the connection */
const struct netns_entry *proxy_netns;
+ char *send_netns; /* copied from listen */
struct {
struct sockaddr_storage from; /* client address, or address to spoof when connecting to the server */
struct sockaddr_storage to; /* address reached by the client, or address to connect to */
--- ../../../haproxy-1.8.3/include/types/listener.h 2017-12-30 17:13:19.000000000 +0000
+++ listener.h 2018-01-12 12:27:22.000000000 +0000
@@ -206,6 +206,7 @@
__decl_hathreads(HA_SPINLOCK_T lock);
const struct netns_entry *netns; /* network namespace of the listener*/
+ char *send_netns; /* value for PP2_TYPE_NETNS */
struct list by_fe; /* chaining in frontend's list of listeners */
struct list by_bind; /* chaining in bind_conf's list of listeners */
--- ../../haproxy-1.8.3/src/connection.c 2017-12-30 17:13:19.000000000 +0000
+++ connection.c 2018-01-12 12:58:38.000000000 +0000
@@ -1083,6 +1083,11 @@
ret += make_tlv(&buf[ret], (buf_len - ret), PP2_TYPE_NETNS, remote->proxy_netns->name_len, remote->proxy_netns->node.key);
}
#endif
+ if (remote && (remote->send_netns)) {
+ if ((buf_len - ret) < sizeof(struct tlv))
+ return 0;
+ ret += make_tlv(&buf[ret], (buf_len - ret), PP2_TYPE_NETNS, strlen(remote->send_netns), remote->send_netns);
+ }
hdr->len = htons((uint16_t)(ret - PP2_HEADER_LEN));
--- ../../haproxy-1.8.3-casquette/src/proto_tcp.c 2017-12-30 17:13:19.000000000 +0000
+++ proto_tcp.c 2018-01-12 12:31:29.000000000 +0000
@@ -1906,6 +1906,24 @@
}
#endif
+/* parse the "send_netns" bind keyword */
+static int bind_parse_send_netns(char **args, int cur_arg, struct proxy *px, struct bind_conf *conf, char **err)
+{
+ struct listener *l;
+ char *netns = NULL;
+
+ if (!*args[cur_arg + 1]) {
+ memprintf(err, "'%s' : missing namespace id", args[cur_arg]);
+ return ERR_ALERT | ERR_FATAL;
+ }
+ netns = args[cur_arg + 1];
+
+ list_for_each_entry(l, &conf->listeners, by_bind) {
+ l->send_netns = strdup(netns);
+ }
+ return 0;
+}
+
#ifdef TCP_USER_TIMEOUT
/* parse the "tcp-ut" server keyword */
static int srv_parse_tcp_ut(char **args, int *cur_arg, struct proxy *px, struct server *newsrv, char **err)
@@ -1996,6 +2014,7 @@
#ifdef CONFIG_HAP_NS
{ "namespace", bind_parse_namespace, 1 },
#endif
+ { "send_netns", bind_parse_send_netns, 1 }, /* PP2_TYPE_NETNS */
/* the versions with the NULL parse function*/
{ "defer-accept", NULL, 0 },
{ "interface", NULL, 1 },
--- ../../haproxy-1.8.3/src/session.c 2017-12-30 17:13:19.000000000 +0000
+++ session.c 2018-01-12 12:35:42.000000000 +0000
@@ -141,6 +141,7 @@
cli_conn->flags |= CO_FL_ADDR_FROM_SET;
cli_conn->target = &l->obj_type;
cli_conn->proxy_netns = l->netns;
+ cli_conn->send_netns = l->send_netns;
conn_ctrl_init(cli_conn);
--- ../../../haproxy-1.8.3/include/types/connection.h 2017-12-30 17:13:19.000000000 +0000
Regards,
Tom
From: ***@baifendian.com <***@baifendian.com>
Sent: 26 February 2018 11:50
To: Aaron West <***@loadbalancer.org>
Cc: Wang Bin <***@leancloud.rocks>; haproxy <***@formilux.org>
Subject: Re: Re: haproxy tcp mode source ip
Hi:
Thank you. Is this method IP only displayed in the log? I want to control IP privileges.
________________________________
***@baifendian.com<mailto:***@baifendian.com>
åŸéèŽ
æ°æ®ä»åºå©çå·¥çšåž å¹³å°äžå¡éš
Mobile: +86-15801118167
E-mail:***@baifendian.com
BAIFENDIAN.COM<https://emea01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fbaifendian.com%2F&data=02%7C01%7Ctom.maher%40asavie.com%7Cf16c0432f5144515ea9808d57d0f432f%7Cff38a05d2e5248389b077fbd50bbae9f%7C0%7C0%7C636552426874622532&sdata=iAjzstAsvPQwSoMQET1foZ49gmPCkVDDaVsnPiP0UcA%3D&reserved=0> - Big Data Practitioner
å京åžæé³åºå蟰西路8å·é¢2å·æ¥Œå蟰äžçºªäžå¿A座16å±
[cid:***@01D3AEFA.6BB509C0]
From: Aaron West<mailto:***@loadbalancer.org>
Date: 2018-02-26 18:14
To: ***@baifendian.com<mailto:***@baifendian.com>
CC: Wang Bin<mailto:***@leancloud.rocks>; haproxy<mailto:***@formilux.org>
Subject: Re: Re: haproxy tcp mode source ip
Yes, you can use TPROXY instead of Proxy Protocol if you don't mind
the additional routing changes(Need to move to two-arm with real
servers setting the GW to be the HAProxy server).
You can see an example in this short Blog here:
https://loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x/
Aaron West
Loadbalancer.org Ltd.
www.loadbalancer.org<http://www.loadbalancer.org>
+1 888 867 9504 / +44 (0)330 380 1064
***@loadbalancer.org<mailto:***@loadbalancer.org>
LEAVE A REVIEW | DEPLOYMENT GUIDES | BLOG
The message together with any files transmitted with it are intended solely for the use of the individual or entity to whom it is addressed. It may contain confidential, proprietary or privileged information. If you are not the intended recipient you are hereby notified that: (i) direct or indirect disclosure, copying, printing, distribution and/or taking any action in reliance on the contents of this message, including any files transmitted with it, is strictly prohibited and may be unlawful; and (ii) you should not disseminate, distribute or copy this message and/or any files transmitted with it. If you have received this message in error, please notify the sender immediately and then delete it, and any copies of it, from your system. Asavie Technologies Limited, Asavie Technologies, Inc and Asavie Technologies Sales Limited (together known as âAsavie Technologiesâ) reserve the right to monitor all e-mail communications through its networks. WARNING: Computer viruses can be transmitted via e-mail. You should check this e-mail and any files transmitted with it for the presence of computer viruses. Asavie Technologies cannot guarantee that this e-mail and any files transmitted with it are free of computer viruses. Asavie Technologies accepts no liability for any loss and/or damage caused by any computer virus transmitted by this e-mail and/or by any files transmitted with it. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete. Asavie Technologies does not accept liability for any errors or omissions in the contents of this message, and/or any files transmitted with it, which arise as a result of e-mail transmission.