Kadlecsik József <kadlec@xxxxxxxxxxxxxxxxx> wrote:
> However, I think there's a general already available solution in iptables:
> force the same DNAT mapping for the packets of the same socket by the
> HMARK target. Something like this:
>
> -t raw -p udp --dport 53 -j HMARK --hmark-tuple src,sport \
>   --hmark-mod 1 --hmark-offset 10 --hmark-rnd 0xdeafbeef
> -t nat -p udp --dport 53 -m state --state NEW -m mark --mark 10 -j DNAT ..
> -t nat -p udp --dport 53 -m state --state NEW -m mark --mark 11 -j DNAT ..

Yes, HMARK and -m cluster both work, nft has jhash expression.

So we already have alternatives to provide consistent nat mappings.

I doubt that kubernetes will change their rulesets, however.
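The HMARK-based scheme quoted above, written out as a complete rule generator. This is an added example, not code from the thread or from any project; it generalizes the two-backend sketch to N DNS backends by setting --hmark-mod to the backend count so that the hash of (src,sport) yields marks 10 .. 10+N-1, each of which selects one DNAT target. The IPT variable (defaulting to echo so the script only prints the rules), the HMARK_RND seed and the backend addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): pin every UDP/53 packet of
# one client socket (src,sport) to the same DNAT backend using the HMARK target,
# so a multi-packet DNS exchange is not split across backends.
#
# Assumptions (hypothetical): backends are passed as "ip:port" arguments;
# IPT names the iptables binary (default: echo, i.e. print rules only, set
# IPT=iptables to apply them); HMARK_RND is a constructed hash seed.

IPT="${IPT:-echo}"
HMARK_RND="${HMARK_RND:-0xdeadbeef}"
MARK_BASE=10

# hmark_rules ip:port ... : emit/apply the rule set for the given backends.
hmark_rules() {
    n=$#
    [ "$n" -gt 0 ] || { echo "usage: hmark_rules ip:port ..." >&2; return 1; }

    # raw table runs before conntrack: hash only the client side of the tuple,
    # --hmark-mod N --hmark-offset 10 gives marks 10 .. 10+N-1, one per backend.
    $IPT -t raw -A PREROUTING -p udp --dport 53 -j HMARK \
        --hmark-tuple src,sport --hmark-mod "$n" \
        --hmark-offset "$MARK_BASE" --hmark-rnd "$HMARK_RND"

    i=0
    for be in "$@"; do
        mark=$((MARK_BASE + i))
        # Only the first packet of a flow is DNATed (state NEW); conntrack then
        # replays the same mapping for the rest of that socket's packets.
        $IPT -t nat -A PREROUTING -p udp --dport 53 -m state --state NEW \
            -m mark --mark "$mark" -j DNAT --to-destination "$be"
        i=$((i + 1))
    done
}

# Stand-alone run: print the rules for two constructed backends.
hmark_rules 10.0.0.1:53 10.0.0.2:53
```

Run with IPT=iptables to apply; the same hash input on the same seed always produces the same mark, which is what makes the DNAT choice consistent per socket.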