firewall: add option to disable fully-random mode for MASQUERADE #2281
Conversation
fully-random may prevent NAT traversal for applications running in Kubernetes. An example of such an application is Tailscale, which by default tries to establish a direct peer-to-peer connection between endpoints. fully-random mode makes it impossible, so Tailscale has to use indirect connections through its DERP servers, which affects network performance. resolves flannel-io#2273
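To make the mechanism behind this concrete, here is an added example (not flannel's or Tailscale's code) in Go, flannel's own language, that models the two MASQUERADE port-selection behaviours as a toy SNAT table and runs the STUN-then-connect exchange a peer-to-peer tool performs. Plain MASQUERADE keeps the internal source port when it is free, so one pod socket gets the same external port for every destination and the port learned via STUN is the port the peer must hit. With `--random-fully` a fresh random port is drawn for every new flow, so the advertised port and the port actually used towards the peer almost never agree and the direct path fails. The pod IP, STUN server and peer addresses, the source port 41641 and the 32768-60999 port pool are all constructed for the example; the real nf_nat allocator has more cases (hash-based `--random`, fallback when the preferred port is busy) that are deliberately left out.

```go
package main

import (
	"fmt"
	"math/rand"
)

// flow is the 4-tuple of a connection as seen from inside the NAT.
type flow struct {
	srcIP, dstIP     string
	srcPort, dstPort int
}

// endpoint identifies the internal socket that owns an external port.
type endpoint struct {
	ip   string
	port int
}

type policy int

const (
	preservePort policy = iota // plain MASQUERADE: reuse the internal source port when it is free
	randomFully                // MASQUERADE --random-fully: draw a random port for every new flow
)

const (
	portMin = 32768 // port pool used for random allocation (assumption, not taken from the page)
	portMax = 60999
)

// nat is a toy SNAT table: each new flow is given an external source port and
// the choice is remembered, like a conntrack entry.
type nat struct {
	pol     policy
	rng     *rand.Rand
	entries map[flow]int     // flow -> external port
	owner   map[int]endpoint // external port -> internal socket holding it
}

func newNAT(p policy, seed int64) *nat {
	return &nat{
		pol:     p,
		rng:     rand.New(rand.NewSource(seed)),
		entries: map[flow]int{},
		owner:   map[int]endpoint{},
	}
}

// translate returns the external source port used for f, allocating one the
// first time the flow is seen.
func (n *nat) translate(f flow) int {
	if p, ok := n.entries[f]; ok {
		return p
	}
	me := endpoint{f.srcIP, f.srcPort}
	var p int
	switch n.pol {
	case preservePort:
		// Keep the internal port unless another internal socket already owns it,
		// then walk forward. One socket thus keeps one external port for every
		// destination: an endpoint-independent mapping.
		p = f.srcPort
		for o, taken := n.owner[p]; taken && o != me; o, taken = n.owner[p] {
			p++
		}
	case randomFully:
		// A fresh random port per flow, regardless of what the same socket was
		// given for other destinations: an endpoint-dependent mapping.
		p = portMin + n.rng.Intn(portMax-portMin+1)
	}
	n.entries[f] = p
	n.owner[p] = me
	return p
}

// holePunch simulates the STUN-then-connect exchange from a pod: learn the
// public port by sending to a STUN server, advertise it to the peer, then send
// to the peer. A direct path exists only if the NAT reuses the advertised port
// for the flow towards the peer.
func holePunch(n *nat) bool {
	pod := endpoint{"10.244.1.7", 41641} // constructed pod IP and source port
	stun := flow{pod.ip, "198.51.100.1", pod.port, 3478}
	peer := flow{pod.ip, "203.0.113.9", pod.port, 41641}
	advertised := n.translate(stun)
	actual := n.translate(peer)
	return advertised == actual
}

// directPaths counts how many of `trials` independently seeded NATs with
// policy p let the hole punch succeed.
func directPaths(p policy, trials int) int {
	ok := 0
	for i := 0; i < trials; i++ {
		if holePunch(newNAT(p, int64(i))) {
			ok++
		}
	}
	return ok
}

func main() {
	const trials = 200
	fmt.Printf("MASQUERADE (port preservation): %d/%d direct paths\n", directPaths(preservePort, trials), trials)
	fmt.Printf("MASQUERADE --random-fully:       %d/%d direct paths\n", directPaths(randomFully, trials), trials)
}
```

On a real node the quickest check of which mode the CNI installed is `iptables -t nat -S POSTROUTING`, where a rule carrying `--random-fully` shows the flag verbatim at the end of the `-j MASQUERADE` line; the example above only explains why that flag matters for hole punching, it does not touch iptables.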
@ksubrmnn or @madhanrm or @rajatchopra could you please review the PR?
Are you using tailscale inside of a pod? The NAT rule should be applied only to traffic from pods to external destinations.
Hi @rbrtbnfgl. Yes, we're using the Tailscale operator to expose a Kubernetes cluster workload to the tailnet (cluster ingress, see https://tailscale.com/kb/1439/kubernetes-operator-cluster-ingress). The Tailscale operator creates a deployment for every exposed service, so, answering your question, it's running in Kubernetes and that's why it's affected by the NAT rules created by the CNI.
Hi @philips, @rajatchopra and @tomdee. The PR has already been approved by the reviewers. Could you please review it and give the final approval so we can merge it into
I can merge it. Please don't randomly tag people; some of them aren't actively working on the project anymore.
Hi @rbrtbnfgl. I didn't do it randomly, I've just followed the
You need to fix the lint check before we can merge. |
Hi @rbrtbnfgl. I have fixed the lint check. |
Description
This should fix #2273
This is described in more detail here - tailscale/tailscale#11427