Michael Shuey wrote:
> In this scenario, think about the tuple for a moment. Since all clients
> and the natbox are mounting the same NFS server, selecting the same port by
> default, using UDP across the board, the connection tuples are (after SNAT)
> going to be very similar - they only differ in srcport. Normally that
> would be just fine; however, with a high level of traffic the NAT system
> would occasionally select a srcport that was already in use by the NFS
> client local to natbox. That's not fine - it causes quite a few NFS
> timeouts, retransmits, etc. on natbox.
This is handled fine in all tests I have done, provided your SNAT rule applies to both forwarded and locally originating packets. If, however, your UDP NAT entries time out from conntrack, which they can easily do for an idle NFS mount, then all bets are off. The default UDP timeout is only 180 seconds, which is by no means sufficient for multi-client NAT of NFS. A typical case where conntrack by default cannot easily know a suitable timeout without additional information.

Regards
Henrik
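The two conditions Henrik names (an SNAT rule that covers both forwarded and locally generated packets, and a conntrack UDP timeout long enough for an idle NFS mount) as an added shell example. This is not code from the thread or from the netfilter project. The NFS server address 10.0.0.5, the natbox public address 192.0.2.10, the external interface eth0 and the 3600-second timeout are hypothetical; the sysctl paths are the nf_conntrack ones on current kernels and the older ip_conntrack path for 2.4/early-2.6 kernels, and the script simply uses whichever exists.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list thread.
# Assumed (hypothetical) values:
NFS_SERVER=10.0.0.5      # the NFS server all clients and natbox mount
NAT_ADDR=192.0.2.10      # public address natbox SNATs to
EXT_IF=eth0              # interface facing the NFS server
WANTED_TIMEOUT=3600      # seconds; an idle NFS mount must outlive this

# udp_timeout_ok KNOB MIN: succeed only if the integer in KNOB is >= MIN.
# KNOB is a /proc file (or, for offline checks, any file holding one number).
udp_timeout_ok() {
    knob=$1
    min=$2
    [ -r "$knob" ] || return 1
    cur=$(cat "$knob")
    [ "$cur" -ge "$min" ]
}

# Print the SNAT rule. nat/POSTROUTING is traversed by forwarded AND locally
# generated packets, so one rule here covers the clients behind natbox and
# natbox's own NFS client; a rule placed only in a FORWARD-related path would
# leave natbox's own traffic un-NATed and the tuples would no longer collide
# the way the thread describes.
nat_rules() {
    echo "iptables -t nat -A POSTROUTING -o $EXT_IF -d $NFS_SERVER -p udp -j SNAT --to-source $NAT_ADDR"
}

# Raise every conntrack UDP timeout knob present on this kernel. The 180 s
# default from the thread drops an idle mount's mapping; after that the next
# NFS request may be SNATed to a different source port and time out.
set_udp_timeouts() {
    found=0
    for knob in /proc/sys/net/netfilter/nf_conntrack_udp_timeout \
                /proc/sys/net/netfilter/nf_conntrack_udp_timeout_stream \
                /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout; do
        [ -w "$knob" ] || continue
        echo "$WANTED_TIMEOUT" > "$knob"
        found=1
    done
    [ "$found" -eq 1 ]
}

# Report which knobs are still below the wanted timeout (no root needed).
check_udp_timeouts() {
    bad=0
    for knob in /proc/sys/net/netfilter/nf_conntrack_udp_timeout \
                /proc/sys/net/netfilter/nf_conntrack_udp_timeout_stream \
                /proc/sys/net/ipv4/netfilter/ip_conntrack_udp_timeout; do
        [ -r "$knob" ] || continue
        if udp_timeout_ok "$knob" "$WANTED_TIMEOUT"; then
            echo "ok   $knob = $(cat "$knob")"
        else
            echo "LOW  $knob = $(cat "$knob") (< $WANTED_TIMEOUT)"
            bad=1
        fi
    done
    [ "$bad" -eq 0 ]
}

# Usage: ./nfs-nat.sh check   (read-only report)
#        ./nfs-nat.sh apply   (as root: sets the timeouts and runs the SNAT rule)
case "${1:-}" in
    check) check_udp_timeouts ;;
    apply) set_udp_timeouts && nat_rules | sh ;;
esac
```

Note that a longer UDP timeout keeps more stale entries in the conntrack table, so raise it only for as long as the mounts are genuinely idle and keep an eye on the table size on a busy natbox.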