Using socat to proxy abstract-namespace UNIX sockets across network namespaces

Question

I have a system service that listens for commands on a UNIX domain socket in the abstract namespace. I now need to access this from a process in another network namespace. Because the socket is in the abstract namespace, it is network-namespace-specific.

I can sort of get this to work with socat:

socat ABSTRACT-CONNECT:@proxy-socket EXEC:'"ip netns exec my-netns socat STDIO ABSTRACT-LISTEN:@proxy-socket,nofork"'

This correctly listens on the socket in my namespace and proxies a connection through to the actual socket in the default namespace. But it will only do it for one connection; once that connection is closed, socat will exit.

I could do it like this:

socat ABSTRACT-LISTEN:@prooy-socket,fork EXEC:'"ip netns exec default socat STDIO ABSTRACT-CONNECT @proxy-socket,nofork"'

if ip netns exec provided a way to exec a process in the default namespace, but it seems it doesn't.

Is there a better way of going about this?

Answer 1

What if instead of using an EXEC target in socat, you just use a shared filesystem location and a unix socket?

For example, if I have two network namespaces:

ip netns add red
ip netns add blue

And an abstract socket listening in red:

while :; do date; sleep 1; done |
ip netns exec red socat abstract-listen:@example,fork -

I can run a proxy that connects the abstract socket to a unix socket in a shared filesystem location:

ip netns exec red socat \
  abstract-connect:@example unix-listen:/tmp/socket,fork

And then in the blue namespace I can proxy that unix socket to an abstract socket:

ip netns exec blue socat \
  unix-connect:/tmp/socket abstract-listen:@example,fork

Now I can connect to the abstract socket in the blue namespace and see the data flowing into the abstract socket in the red namespace:

$ ip netns exec blue socat abstract-connect:@example -
Sun Jan 29 09:45:42 AM EST 2023
Sun Jan 29 09:45:43 AM EST 2023
Sun Jan 29 09:45:44 AM EST 2023