On Tue, 14 Jan 2020, Florian Westphal wrote:

> Kadlecsik József <kadlec@xxxxxxxxxxxxxxxxx> wrote:
> > However, I think there's a general already available solution in iptables:
> > force the same DNAT mapping for the packets of the same socket by the
> > HMARK target. Something like this:
> >
> > -t raw -p udp --dport 53 -j HMARK --hmark-tuple src,sport \
> >   --hmark-mod 1 --hmark-offset 10 --hmark-rnd 0xdeafbeef
> > -t nat -p udp --dport 53 -m state --state NEW -m mark --mark 10 -j DNAT ..
> > -t nat -p udp --dport 53 -m state --state NEW -m mark --mark 11 -j DNAT ..
>
> Yes, HMARK and -m cluster both work, nft has jhash expression.
> So we already have alternatives to provide consistent nat mappings.
>
> I doubt that kubernetes will change their rulesets, however.

That'd be sad - those rules are surely not carved in stone...

[By the way, I'd go even further and leave out DNAT completely: put the real
nameservers into resolv.conf and be done with it. musl connects to them in
parallel anyway and glibc has supported the rotate option for ages. What else
would remain for DNAT? "Hide" the real IP addresses of the name servers? That's
just pointless.]

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary
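The HMARK approach quoted in the thread, written out as a complete ruleset generator. This is an added example and not code from the thread or from any of its participants. It assumes the DNS traffic arrives in PREROUTING, that the hash modulus equals the number of backends (so every mark value 10, 11, ... maps to exactly one DNAT target), and that the VIP, seed and backend addresses are supplied by the caller; the sample addresses in the usage call are constructed. The second function prints the equivalent nftables rule, which needs no mark at all because nft's `jhash` expression can select the `dnat` target directly through a map.

```shell
#!/bin/sh
# Added example (not from the thread): emit iptables rules that pin every
# packet of one UDP socket (same source address and source port) to the same
# DNS backend. HMARK in the raw table hashes src,sport into a mark in the range
# [base, base+n), and one mark-matched DNAT rule per backend picks the target.
# Assumptions: PREROUTING chain, hash modulus = number of backends.
hmark_dnat_rules() {
    vip="$1"; shift            # virtual DNS address that clients send to
    seed="$1"; shift           # --hmark-rnd value; choose a random one per host
    base=10                    # first mark value (--hmark-offset)
    n=$#                       # remaining args are backends; also the modulus
    echo "*raw"
    echo "-A PREROUTING -p udp -d $vip --dport 53 -j HMARK --hmark-tuple src,sport --hmark-mod $n --hmark-offset $base --hmark-rnd $seed"
    echo "COMMIT"
    echo "*nat"
    i=0
    for backend in "$@"; do
        mark=$((base + i))
        # Only the first packet of a conntrack entry is DNATed; later packets
        # follow the entry. The mark makes parallel first packets of one socket
        # land on the same backend.
        echo "-A PREROUTING -p udp -d $vip --dport 53 -m state --state NEW -m mark --mark $mark -j DNAT --to-destination $backend:53"
        i=$((i + 1))
    done
    echo "COMMIT"
}

# Same idea in nftables: jhash over saddr . sport selects the dnat target
# through a map, so no intermediate mark is needed. Table name is assumed.
nft_jhash_dnat_rule() {
    vip="$1"; shift
    seed="$1"; shift
    n=$#
    map=""; i=0
    for backend in "$@"; do
        [ -n "$map" ] && map="$map, "
        map="$map$i : $backend"
        i=$((i + 1))
    done
    echo "table ip dnslb {"
    echo "    chain prerouting {"
    echo "        type nat hook prerouting priority dstnat;"
    echo "        ip daddr $vip udp dport 53 dnat to jhash ip saddr . udp sport mod $n seed $seed map { $map }"
    echo "    }"
    echo "}"
}

# Usage (constructed addresses): review the output or feed it to
# iptables-restore / nft -f.
hmark_dnat_rules 10.96.0.10 0xdeadbeef 10.244.0.5 10.244.0.6
nft_jhash_dnat_rule 10.96.0.10 0xdeadbeef 10.244.0.5 10.244.0.6
```

Because the hash tuple is src,sport only, the A and AAAA queries a resolver fires from one socket get identical marks and therefore identical DNAT mappings, which is the property the thread is after; widening the tuple to include the destination would not break that, but narrowing it to src alone would also pin all sockets of a host to one backend.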