Florian Westphal <fw@xxxxxxxxx> wrote:
> This series allows conntrack to insert a duplicate conntrack entry
> if the reply direction doesn't result in a clash with a different
> original connection.
>
> Background:
>
> kubernetes creates load-balancing rules for DNS using
> -m statistics, e.g.:
> -p udp --dport 53 -m statistics --mode random ... -j DNAT --to-destination x
> -p udp --dport 53 -m statistics --mode random ... -j DNAT --to-destination y
>
> When the resolver sends an A and AAAA request back-to-back from
> different threads on the same socket, this has a high chance of a connection
> tracking clash at insertion time.
>
> This in turn results in a drop of the clashing udp packet which then
> results in a 5 second DNS timeout.

I'd really like to get feedback for this patch set.

If it's deemed unacceptable that's OK, at least I can then tell users
they must change their rulesets to make this work.

If someone has alternative ideas on how to resolve this I'd be
interested as well.
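As an added illustration, not code from this thread or from the netfilter tree, here is a small Python model of the insertion-time clash the quoted cover letter describes. Two UDP DNS queries from one socket both miss the conntrack lookup, each gets DNAT'ed to a different backend by the random `-m statistics` rules, and the second entry then collides with the first in the original direction. `ConntrackTable.insert` implements the classic outcome (drop) and, behind the constructed `allow_reply_only_clash` switch, the rule as stated in the cover letter: accept the entry when its reply tuple does not clash with a different original connection. All addresses, ports and the table layout are constructed for the model and simplify the real conntrack hash.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Tuple5:
    """One direction of a flow: (src, sport, dst, dport, proto)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


@dataclass(frozen=True)
class Conn:
    """A conntrack entry: original direction plus its NAT-rewritten reply direction."""
    orig: Tuple5
    reply: Tuple5


class ConntrackTable:
    """Toy model of the conntrack hash: both directions of every entry are keyed."""

    def __init__(self) -> None:
        self.by_tuple: Dict[Tuple5, Conn] = {}

    def insert(self, conn: Conn, allow_reply_only_clash: bool = False) -> str:
        existing: Optional[Conn] = self.by_tuple.get(conn.orig)
        if existing is None:
            # No clash: register both directions.
            self.by_tuple[conn.orig] = conn
            self.by_tuple[conn.reply] = conn
            return "inserted"
        if existing.reply == conn.reply:
            # Same NAT mapping: the existing entry already covers this packet.
            return "duplicate"
        if not allow_reply_only_clash:
            # Classic behaviour: an original-direction clash drops the packet.
            return "drop"
        if conn.reply in self.by_tuple:
            # Reply direction would collide with a different original connection.
            return "drop"
        # Modelled proposal: keep the new mapping reachable via its reply tuple
        # only; the original direction stays owned by the first entry.
        self.by_tuple[conn.reply] = conn
        return "inserted_reply_only"


# Constructed sample values (hypothetical addresses, not from the thread).
CLIENT = "10.0.0.5"
CLIENT_PORT = 40000
SERVICE_VIP = "10.96.0.10"
BACKEND_X = "10.244.1.2"
BACKEND_Y = "10.244.2.3"


def dnat_entry(backend: str) -> Conn:
    """Build the entry a DNAT rule would produce for one DNS query to the VIP."""
    orig = Tuple5(CLIENT, CLIENT_PORT, SERVICE_VIP, 53, "udp")
    reply = Tuple5(backend, 53, CLIENT, CLIENT_PORT, "udp")
    return Conn(orig, reply)


def run_dns_race(allow_reply_only_clash: bool) -> List[str]:
    """A and AAAA queries from one socket, DNAT'ed to different backends
    because both missed the lookup before either entry was inserted."""
    table = ConntrackTable()
    a_query = dnat_entry(BACKEND_X)
    aaaa_query = dnat_entry(BACKEND_Y)
    return [
        table.insert(a_query, allow_reply_only_clash),
        table.insert(aaaa_query, allow_reply_only_clash),
    ]


def run_reply_clash(allow_reply_only_clash: bool) -> List[str]:
    """The reply tuple is already owned by a different original connection:
    a flow that originated from backend_y:53 towards the client's port."""
    table = ConntrackTable()
    foreign = Conn(
        orig=Tuple5(BACKEND_Y, 53, CLIENT, CLIENT_PORT, "udp"),
        reply=Tuple5(CLIENT, CLIENT_PORT, BACKEND_Y, 53, "udp"),
    )
    table.insert(foreign)
    table.insert(dnat_entry(BACKEND_X))
    return [table.insert(dnat_entry(BACKEND_Y), allow_reply_only_clash)]


if __name__ == "__main__":
    print("classic :", run_dns_race(False))
    print("proposed:", run_dns_race(True))
    print("reply clash under proposed:", run_reply_clash(True))
```

With the switch off the second query is dropped, which is the 5 second resolver timeout from the cover letter; with it on the second entry is kept because only its reply tuple is new. `run_reply_clash` shows the case the rule still refuses: a reply tuple that already belongs to some other original connection.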