Calico: support for NF_NAT_RANGE_PROTO_RANDOM_FULLY in SNAT rules

Created on 16 Jul 2018 · 3 Comments · Source: projectcalico/calico

There is a race condition in the netfilter code where one of several simultaneous connections to the same dest host/port gets rejected. This is visible when DNS requests are made and search domains are configured: multiple simultaneous DNS requests are then made, some of which get rejected and have to be retried.

The workaround seems to be using SNAT --random-fully (unfortunately there seems to be no support for the --random-fully flag for the MASQUERADE target).

More details:
https://tech.xing.com/a-reason-for-unexplained-connection-timeouts-on-kubernetes-docker-abd041cf7e02
https://blog.quentin-machu.fr/2018/06/24/5-15s-dns-lookups-on-kubernetes/
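As an added example (not from the issue, and not Calico's own code), a small POSIX shell helper that lists source-NAT rules in `iptables-save` output which lack `--random-fully`, and that rewrites a MASQUERADE rule into the `SNAT ... --random-fully` form the workaround describes. The sample rules, the 10.0.0.x egress addresses and the function names are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `iptables-save -t nat` output (not from a real cluster).
# Rule 1: MASQUERADE, which the issue says cannot take --random-fully.
# Rule 2: SNAT already using --random-fully (the workaround from the issue).
# Rule 3: SNAT without --random-fully, still exposed to the port-allocation race.
SAMPLE_NAT_RULES='-A POSTROUTING -s 192.168.0.0/16 ! -d 192.168.0.0/16 -j MASQUERADE
-A POSTROUTING -s 192.168.0.0/16 ! -d 192.168.0.0/16 -j SNAT --to-source 10.0.0.5 --random-fully
-A POSTROUTING -s 10.1.0.0/16 -o eth0 -j SNAT --to-source 10.0.0.6'

# Print the source-NAT rules (MASQUERADE or SNAT) that lack --random-fully.
# Argument 1: text in iptables-save format. On a live node, feed it the
# output of `iptables-save -t nat` instead of the constructed sample.
weak_snat_rules() {
  printf '%s\n' "$1" | grep -E -- '-j (MASQUERADE|SNAT)' | grep -v -- '--random-fully'
}

# Number of such rules; prints 0 when none are found.
count_weak_snat_rules() {
  n=$(weak_snat_rules "$1" | grep -c .) || true
  echo "${n:-0}"
}

# Rewrite one MASQUERADE rule into the SNAT --random-fully form from the issue.
# Argument 1: the rule; argument 2: the egress address to SNAT to. The address
# is an assumption the operator must supply: SNAT needs an explicit
# --to-source where MASQUERADE picked the outgoing address automatically.
to_random_fully_snat() {
  printf '%s\n' "$1" | sed "s/-j MASQUERADE\$/-j SNAT --to-source $2 --random-fully/"
}

# Stand-alone run: report the weak rules, then show the rewrite of rule 1.
weak_snat_rules "$SAMPLE_NAT_RULES"
to_random_fully_snat '-A POSTROUTING -s 192.168.0.0/16 ! -d 192.168.0.0/16 -j MASQUERADE' 10.0.0.5
```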

All 3 comments

Hi all,
any update on this? We're seeing the same issue and we'd like to understand if it's something Calico would be happy to pick up

Thanks for the nice article!

According to that, it sounds like we'd need to use a patched version of iptables to set this option?

I don't see why we shouldn't try to fix this, but it probably needs some thought about compatibility.

CC @fasaxc
