WIP: Enable listening in a network namespace

Add a netns configuration parameter to specify a network namespace where the
socket should be listening.

src/SquidConfig.h

@@ -558,6 +558,8 @@ class SquidConfig
         int connect_gap;
         int connect_timeout;
     } happyEyeballs;
+
+    char *netns;
 };
 
 extern SquidConfig Config;

src/cf.data.pre

@@ -6010,6 +6010,15 @@ DOC_START
         sent before the required macro information is available to Squid.
 DOC_END
 
+NAME: netns
+TYPE: string
+LOC: Config.netns
+DEFAULT: none
+DOC_START
+        Listen in this network namespace. Argument should be
+        a file (for example "/var/run/netns/mynetworknamespace").
+DOC_END
+
 NAME: store_id_children storeurl_rewrite_children
 TYPE: HelperChildConfig
 DEFAULT: 20 startup=0 idle=1 concurrency=0

src/comm.cc

@@ -348,9 +348,29 @@ comm_openex(int sock_type,
 
     debugs(50, 3, "comm_openex: Attempt open socket for: " << addr );
 
+#ifndef NO_USE_NS
+    // prepare to switch to a different network namespace. Leak file descriptors
+    int default_namespace = 0, ns_fd = 0;
+    if (Config.netns) {
+        debugs(50, 3, "comm_openex: Will switch to namespace of file " << Config.netns );
+        default_namespace = open("/proc/self/ns/net", O_RDONLY);
+        ns_fd = open(Config.netns, O_RDONLY);
+
+        if (-1 == setns(ns_fd, CLONE_NEWNET))
+            debugs(50, 3, "comm_openex: setns failed: " << xstrerr(errno));
+    }
+#endif
+
     new_socket = socket(AI->ai_family, AI->ai_socktype, AI->ai_protocol);
     int xerrno = errno;
 
+#ifndef NO_USE_NS
+    if (Config.netns) {
+        if (-1 == setns(default_namespace, CLONE_NEWNET))
+            debugs(50, 3, "comm_openex: setns default failed: " << xstrerr(errno));
+    }
+#endif
+
     /* under IPv6 there is the possibility IPv6 is present but disabled. */
     /* try again as IPv4-native if possible */
     if ( new_socket < 0 && Ip::EnableIpv6 && addr.isIPv6() && addr.setIPv4() ) {