I found this thread because I ran into a problem with a brand-new
installation of Kubernetes (K8s) running in AWS that was failing a large
number of browser requests being serviced by the K8s cluster. There is a
ton of detail about this problem at
https://tech.xing.com/a-reason-for-unexplained-connection-timeouts-on-kubernetes-docker-abd041cf7e02. To
make a very long story short, we need the 1.6.2+ version of iptables on
Ubuntu because it supports the --random-fully flag. Without this, any
K8s cluster created on Ubuntu is pretty useless if you use local DNS to
resolve cluster services by name (e.g. http://my-backend-microservice),
which is what we do to support namespaces for reverse proxies (nginx).

I manually built iptables 1.6.2 using the instructions at
http://www.linuxfromscratch.org/blfs/view/8.2/postlfs/iptables.html and
my problem appears to be solved. It would be great if the change could
be backported into bionic, but at the minimum getting this into the next
LTS then that would be great. If it makes any difference, iptables in
Debian buster is at 1.8.2-4. They have a planned release in, oh look at
that, two days :-)

As for test cases, in this particular instance it's sufficient that when
using the --random-fully flag to set up a NAT masquerading rule that the
NF_NAT_RANGE_PROTO_RANDOM_FULLY flag is set. I can't say what the
regression potential is, but since it's a minor release then I'd expect
it to be minimal. The diffs are at
https://www.netfilter.org/projects/iptables/files/patch-iptables-1.6.1-1.6.2.bz2

Here are some details of my installation:

ubuntu@kubernetes-master:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.2 LTS
Release:        18.04
Codename:       bionic

ubuntu@kubernetes-master:~$ uname -a
Linux kubernetes-master 4.15.0-1043-aws #45-Ubuntu SMP Mon Jun 24 14:07:03 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

https://bugs.launchpad.net/bugs/1805543
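The comment above gives the test case in one sentence: with iptables 1.6.2 or newer, a MASQUERADE rule set up with --random-fully must actually carry that flag. The script below is an added example, not part of the bug report or of the iptables project, that a node operator could run as a pre-flight check before trusting a Kubernetes node's SNAT behaviour. It parses the `iptables --version` line, decides whether the release is at least 1.6.2 (the version the thread identifies as introducing --random-fully), and scans `iptables-save` output to confirm every MASQUERADE rule carries the flag. Function names, the 10.244.0.0/16 pod range and the two iptables-save excerpts are constructed for illustration; only the live check (`--live`) touches the running system, and it needs root to read the nat table.

```shell
#!/bin/sh
# Added example, not from the bug report: pre-flight check that a node's
# iptables can emit MASQUERADE rules with --random-fully (iptables >= 1.6.2
# according to the thread). Function names and sample data are constructed.

# Extract "1.6.1" from a line like "iptables v1.6.1" (the output format of
# `iptables --version`); prints nothing for unexpected input.
parse_iptables_version() {
    set -- $1
    case "$2" in
        v[0-9]*) printf '%s\n' "${2#v}" ;;
        *)       printf '\n' ;;
    esac
}

# Returns 0 if version $1 (X, X.Y or X.Y.Z, optional Debian suffix such
# as "-4") is >= 1.6.2, the release that added --random-fully.
version_has_random_fully() {
    ver=${1#v}
    major=${ver%%.*}
    rest=${ver#*.}
    [ "$rest" = "$ver" ] && rest=0          # bare "1" -> minor 0
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0       # "1.8" -> patch 0
    # Keep only the leading digits so "2-4" (Debian revision) becomes "2".
    major=${major%%[!0-9]*}; minor=${minor%%[!0-9]*}; patch=${patch%%[!0-9]*}
    : "${major:=0}" "${minor:=0}" "${patch:=0}"
    if [ "$major" -gt 1 ]; then return 0; fi
    [ "$major" -eq 1 ] || return 1
    if [ "$minor" -gt 6 ]; then return 0; fi
    [ "$minor" -eq 6 ] || return 1
    [ "$patch" -ge 2 ]
}

# Reads iptables-save output on stdin. Exit 0 only if there is at least one
# MASQUERADE rule and every one of them carries --random-fully; a nat table
# without any MASQUERADE rule is reported as a failure so a misread table
# cannot pass silently.
masquerade_rules_fully_random() {
    awk '/-j MASQUERADE/ { total++; if ($0 ~ /--random-fully/) ok++ }
         END { exit (total > 0 && total == ok) ? 0 : 1 }'
}

# Constructed iptables-save excerpts modelled on a kube-proxy node's nat
# table: the first is what iptables 1.6.1 can produce, the second what the
# workaround requires.
SAMPLE_SAVE_OLD='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.244.0.0/16 ! -d 10.244.0.0/16 -j MASQUERADE
COMMIT'
SAMPLE_SAVE_NEW='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.244.0.0/16 ! -d 10.244.0.0/16 -j MASQUERADE --random-fully
COMMIT'

# Live check against the running system; returns 1 when the node is not
# ready for the workaround. Only runs when the script is invoked with --live
# so the file can also be sourced for its functions.
check_node() {
    if ! command -v iptables >/dev/null 2>&1; then
        echo "iptables not installed"; return 2
    fi
    ver=$(parse_iptables_version "$(iptables --version 2>/dev/null)")
    if version_has_random_fully "$ver"; then
        echo "iptables $ver: --random-fully available"
    else
        echo "iptables $ver: too old for --random-fully (need >= 1.6.2)"
        return 1
    fi
    # Reading the nat table requires root; skip the rule scan otherwise.
    if command -v iptables-save >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        if iptables-save -t nat 2>/dev/null | masquerade_rules_fully_random; then
            echo "all MASQUERADE rules use --random-fully"
        else
            echo "some MASQUERADE rules lack --random-fully (or none exist)"
            return 1
        fi
    fi
}

if [ "${1:-}" = "--live" ]; then
    check_node
fi
```

Run it as `sh check-random-fully.sh --live` on a node (as root for the rule scan); a non-zero exit means the node would still get the plain MASQUERADE rules that the linked XING article ties to the SNAT port-allocation race. The version check deliberately accepts any newer major or minor release, so the Debian buster 1.8.2-4 package mentioned in the thread passes, while the Bionic 1.6.1-2ubuntu2 package does not.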

Title:
  Packaged version of iptables doesn't provide --random-fully flag.

Status in iptables package in Ubuntu:
  Confirmed

Bug description:
  Hello.  This isn't strictly a bug, but more of an upgrade-request on
  the iptables package.  Normally I wouldn't be inclined to submit such
  a bug report, but a user on the ubuntu-devel-discuss mailing list
  encouraged me to submit this anyway [1].  For our production systems,
  we're running into a kernel race condition bug, for which a workaround
  has been made available.  The fix boils down to iptables having a new
  flag which it passes down to the kernel, to enable the workaround.
  However, the version of iptables in Ubuntu (v1.6.1) doesn't support
  that kernel feature yet.  Specifically, it's introduced in this commit
  on the iptables codebase:
  https://git.netfilter.org/iptables/commit/?id=8b0da2130b8af3890ef20afb2305f11224bb39ec.

  The feature we need from that commit is part of the v1.6.2 and newer
  iptables releases, but it looks like the Bionic, Cosmic, and Disco
  releases of Ubuntu all include v1.6.1 without that patch, so for now
  we're going to have to build iptables from source on our production
  machines.  That shouldn't pose any huge issues, but of course, we'd
  prefer to be able to use the package from package management, or
  perhaps a backported package from a newer Ubuntu release.

  So to summarise, this might be an invalid bug report, but consider it
  a vote to upgrade the packaged version of iptables.  If this bug
  report is entirely inappropriate, then I apologise.

  1. Link to thread on ubuntu-devel-discuss where I describe the problem
  and Nish suggests I file this bug report:
  https://lists.ubuntu.com/archives/ubuntu-devel-discuss/2018-November/018181.html

  Ubuntu version we're using: 
  Description:  Ubuntu 18.04.1 LTS
  Release:      18.04

  $ apt-cache policy iptables
  iptables:
    Installed: 1.6.1-2ubuntu2
    Candidate: 1.6.1-2ubuntu2
    Version table:
   *** 1.6.1-2ubuntu2 500
          500 http://us-west-2.ec2.archive.ubuntu.com/ubuntu bionic/main amd64 Packages
          100 /var/lib/dpkg/status

  Thanks for your time,

  Paul
