I found this thread because I ran into a problem with a brand-new installation of Kubernetes (K8s) running in AWS that was failing a large number of browser requests being serviced by the K8s cluster. There is a ton of detail about this problem at https://tech.xing.com/a-reason-for-unexplained-connection-timeouts-on-kubernetes-docker-abd041cf7e02. To make a very long story short, we need the 1.6.2+ version of iptables on Ubuntu because it supports the --random-fully flag. Without this, any K8s cluster created on Ubuntu is pretty useless if you use local DNS to resolve cluster services by name (e.g. http://my-backend-microservice), which is what we do to support namespaces for reverse proxies (nginx).

I manually built iptables 1.6.2 using the instructions at http://www.linuxfromscratch.org/blfs/view/8.2/postlfs/iptables.html and my problem appears to be solved. It would be great if the change could be backported into bionic, but at a minimum, getting this into the next LTS would be great. If it makes any difference, iptables in Debian buster is at 1.8.2-4. They have a planned release in, oh look at that, two days :-)

As for test cases, in this particular instance it's sufficient that, when using the --random-fully flag to set up a NAT masquerading rule, the NF_NAT_RANGE_PROTO_RANDOM_FULLY flag is set. I can't say what the regression potential is, but since it's a minor release I'd expect it to be minimal. The diffs are at https://www.netfilter.org/projects/iptables/files/patch-iptables-1.6.1-1.6.2.bz2

Here are some details of my installation:

ubuntu@kubernetes-master:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.2 LTS
Release:        18.04
Codename:       bionic
ubuntu@kubernetes-master:~$ uname -a
Linux kubernetes-master 4.15.0-1043-aws #45-Ubuntu SMP Mon Jun 24 14:07:03 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1805543

Title:
  Packaged version of iptables doesn't provide --random-fully flag.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/1805543/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
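A node-side check for the condition this report describes, written here as an added example (it is not part of the bug report, of kube-proxy, or of the iptables project): it parses an `iptables --version` string to decide whether the binary is at least 1.6.2, the release the reporter identifies as the first to accept --random-fully, and it counts MASQUERADE rules in `iptables -t nat -S` output that do not carry the flag. The version strings and the rule listing below are constructed samples; `MIN_RANDOM_FULLY_VERSION`, `audit_live_node` and the other function names are this example's own, and the live helper needs root and a real netfilter stack, which is why the sample run uses the constructed strings instead.

```sh
#!/bin/sh
# Added example, not code from the bug report or the iptables project.
# Checks whether a node's iptables is new enough for --random-fully and
# whether its MASQUERADE rules actually use the flag.

# Per the report, 1.6.2 is the first iptables release accepting --random-fully.
MIN_RANDOM_FULLY_VERSION="1.6.2"

# Reduce "iptables v1.6.1" or "iptables v1.8.2 (nf_tables)" to the bare
# dotted version; prints nothing if the input is not an iptables banner.
iptables_version_number() {
    printf '%s\n' "$1" | sed -n 's/^iptables v\([0-9][0-9.]*\).*/\1/p'
}

# Return 0 if dotted version $1 >= dotted version $2, comparing each
# field numerically (so 1.10 sorts after 1.6, unlike a string compare).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# $1: full output of `iptables --version`. Returns 0 when the binary is
# at least MIN_RANDOM_FULLY_VERSION, 1 otherwise (including unparseable input).
iptables_supports_random_fully() {
    v=$(iptables_version_number "$1")
    [ -n "$v" ] && version_ge "$v" "$MIN_RANDOM_FULLY_VERSION"
}

# $1: rule listing as printed by `iptables -t nat -S`, one rule per line.
# Prints the number of MASQUERADE rules that lack --random-fully.
masquerade_rules_missing_random_fully() {
    printf '%s\n' "$1" |
        awk '/-j MASQUERADE/ && !/--random-fully/ { n++ } END { print n + 0 }'
}

# Live variant for a real node: needs root and an installed iptables.
audit_live_node() {
    command -v iptables >/dev/null 2>&1 || { echo "iptables not installed"; return 2; }
    ver=$(iptables --version 2>/dev/null)
    if iptables_supports_random_fully "$ver"; then
        echo "ok: '$ver' accepts --random-fully"
    else
        echo "too old: '$ver' (need >= $MIN_RANDOM_FULLY_VERSION)"
    fi
    rules=$(iptables -t nat -S POSTROUTING 2>/dev/null) ||
        { echo "cannot list the nat table (root required?)"; return 2; }
    echo "MASQUERADE rules without --random-fully: $(masquerade_rules_missing_random_fully "$rules")"
}

# Constructed sample inputs (not captured from a real node).
SAMPLE_VERSION_OLD="iptables v1.6.1"
SAMPLE_VERSION_NEW="iptables v1.8.2 (nf_tables)"
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.244.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -m mark --mark 0x4000/0x4000 -j MASQUERADE --random-fully'

# Sample run against the constructed inputs.
for v in "$SAMPLE_VERSION_OLD" "$SAMPLE_VERSION_NEW"; do
    if iptables_supports_random_fully "$v"; then
        echo "$v: accepts --random-fully"
    else
        echo "$v: too old for --random-fully"
    fi
done
echo "sample MASQUERADE rules lacking --random-fully: $(masquerade_rules_missing_random_fully "$SAMPLE_RULES")"
```

On a real node, run `audit_live_node` as root; a non-zero count from the rule check means the masquerade path still uses the default port-selection behaviour even if the binary itself is new enough, so the version check alone is not sufficient evidence that the fix is in effect.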
