Default to random-fully (#1048)

README.md

@@ -184,17 +184,17 @@ private subnet and connected to the internet through an AWS NAT Gateway or anoth
 
 Type: String
 
-Default: `hashrandom`
+Default: `prng`
 
 Valid Values: `hashrandom`, `prng`, `none`
 
-Specifies whether the SNAT `iptables` rule should randomize the outgoing ports for connections\. This should be used when
-`AWS_VPC_K8S_CNI_EXTERNALSNAT=false`. When enabled (`hashrandom`) the `--random` flag will be added to the SNAT `iptables`
-rule\. To use pseudo random number generation rather than hash based (i.e. `--random-fully`) use `prng` for the environment
-variable. For old versions of `iptables` that do not support `--random-fully` this option will fall back to `--random`.
-Disable (`none`) this functionality if you rely on sequential port allocation for outgoing connections.
+Specifies whether the SNAT `iptables` rule should randomize the outgoing ports for connections\. This setting takes effect when
+`AWS_VPC_K8S_CNI_EXTERNALSNAT=false`, which is the default setting. The default setting for `AWS_VPC_K8S_CNI_RANDOMIZESNAT` is
+`prng`, meaning that `--random-fully` will be added to the SNAT `iptables` rule\. For old versions of `iptables` that do not
+support `--random-fully` this option will fall back to `--random`. To disable random port allocation, if you for example
+rely on sequential port allocation for outgoing connections set it to `none`.
 
-*Note*: Any options other than `none` will cause outbound connections to be assigned a source port that's not necessarily
+*Note*: Any options other than `none` will cause outbound connections to be assigned a source port that is not necessarily
 part of the ephemeral port range set at the OS level (`/proc/sys/net/ipv4/ip_local_port_range`). This is relevant for any
 customers that might have NACLs restricting traffic based on the port range found in `ip_local_port_range`.
 

pkg/networkutils/network.go

@@ -66,10 +66,10 @@ const (
 	// Defaults to empty.
 	envExcludeSNATCIDRs = "AWS_VPC_K8S_CNI_EXCLUDE_SNAT_CIDRS"
 
-	// This environment is used to specify weather the SNAT rule added to iptables should randomize port
-	// allocation for outgoing connections. If set to "hashrandom" the SNAT iptables rule will have the "--random" flag
-	// added to it. Set it to "prng" if you want to use a pseudo random numbers, i.e. "--random-fully".
-	// Defaults to hashrandom.
+	// This environment is used to specify weather the SNAT rule added to iptables should randomize port allocation for
+	// outgoing connections. If set to "hashrandom" the SNAT iptables rule will have the "--random" flag added to it.
+	// Use "prng" if you want to use pseudo random numbers, i.e. "--random-fully".
+	// Default is "prng".
 	envRandomizeSNAT = "AWS_VPC_K8S_CNI_RANDOMIZESNAT"
 
 	// envNodePortSupport is the name of environment variable that configures whether we implement support for
@@ -578,12 +578,11 @@ func getExcludeSNATCIDRs() []string {
 }
 
 func typeOfSNAT() snatType {
-	defaultValue := randomHashSNAT
-	defaultString := "hashrandom"
+	defaultValue := randomPRNGSNAT
 	strValue := os.Getenv(envRandomizeSNAT)
 	switch strValue {
 	case "":
-		// empty means default
+		// empty means default, which is --random-fully
 		return defaultValue
 	case "prng":
 		// prng means to use --random-fully
@@ -592,14 +591,12 @@ func typeOfSNAT() snatType {
 	case "none":
 		// none means to disable randomisation (no flag)
 		return sequentialSNAT
-
-	case defaultString:
+	case "hashrandom":
 		// hashrandom means to use --random
 		return randomHashSNAT
 	default:
 		// if we get to this point, the environment variable has an invalid value
-		log.Errorf("Failed to parse %s; using default: %s. Provided string was %q", envRandomizeSNAT, defaultString,
-			strValue)
+		log.Errorf("Failed to parse %s; using default: %s. Provided string was %q", envRandomizeSNAT, "prng", strValue)
 		return defaultValue
 	}
 }