From a0da387f03f1fb618fb58eb47de0e10949c6133f Mon Sep 17 00:00:00 2001 From: Claes Mogren Date: Wed, 24 Jun 2020 12:30:45 -0700 Subject: [PATCH] Default to random-fully (#1048) --- README.md | 14 +++++++------- pkg/networkutils/network.go | 19 ++++++++----------- 2 files changed, 15 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index 7c02673765..416693d6f4 100644 --- a/README.md +++ b/README.md @@ -184,17 +184,17 @@ private subnet and connected to the internet through an AWS NAT Gateway or anoth Type: String -Default: `hashrandom` +Default: `prng` Valid Values: `hashrandom`, `prng`, `none` -Specifies whether the SNAT `iptables` rule should randomize the outgoing ports for connections\. This should be used when -`AWS_VPC_K8S_CNI_EXTERNALSNAT=false`. When enabled (`hashrandom`) the `--random` flag will be added to the SNAT `iptables` -rule\. To use pseudo random number generation rather than hash based (i.e. `--random-fully`) use `prng` for the environment -variable. For old versions of `iptables` that do not support `--random-fully` this option will fall back to `--random`. -Disable (`none`) this functionality if you rely on sequential port allocation for outgoing connections. +Specifies whether the SNAT `iptables` rule should randomize the outgoing ports for connections\. This setting takes effect when +`AWS_VPC_K8S_CNI_EXTERNALSNAT=false`, which is the default setting. The default setting for `AWS_VPC_K8S_CNI_RANDOMIZESNAT` is +`prng`, meaning that `--random-fully` will be added to the SNAT `iptables` rule\. For old versions of `iptables` that do not +support `--random-fully` this option will fall back to `--random`. To disable random port allocation, if you for example +rely on sequential port allocation for outgoing connections set it to `none`. -*Note*: Any options other than `none` will cause outbound connections to be assigned a source port that's not necessarily +*Note*: Any options other than `none` will cause outbound connections to be assigned a source port that is not necessarily part of the ephemeral port range set at the OS level (`/proc/sys/net/ipv4/ip_local_port_range`). This is relevant for any customers that might have NACLs restricting traffic based on the port range found in `ip_local_port_range`. diff --git a/pkg/networkutils/network.go b/pkg/networkutils/network.go index 5be2d8d195..b711fc9f6d 100644 --- a/pkg/networkutils/network.go +++ b/pkg/networkutils/network.go @@ -66,10 +66,10 @@ const ( // Defaults to empty. envExcludeSNATCIDRs = "AWS_VPC_K8S_CNI_EXCLUDE_SNAT_CIDRS" - // This environment is used to specify weather the SNAT rule added to iptables should randomize port - // allocation for outgoing connections. If set to "hashrandom" the SNAT iptables rule will have the "--random" flag - // added to it. Set it to "prng" if you want to use a pseudo random numbers, i.e. "--random-fully". - // Defaults to hashrandom. + // This environment is used to specify weather the SNAT rule added to iptables should randomize port allocation for + // outgoing connections. If set to "hashrandom" the SNAT iptables rule will have the "--random" flag added to it. + // Use "prng" if you want to use pseudo random numbers, i.e. "--random-fully". + // Default is "prng". envRandomizeSNAT = "AWS_VPC_K8S_CNI_RANDOMIZESNAT" // envNodePortSupport is the name of environment variable that configures whether we implement support for @@ -578,12 +578,11 @@ func getExcludeSNATCIDRs() []string { } func typeOfSNAT() snatType { - defaultValue := randomHashSNAT - defaultString := "hashrandom" + defaultValue := randomPRNGSNAT strValue := os.Getenv(envRandomizeSNAT) switch strValue { case "": - // empty means default + // empty means default, which is --random-fully return defaultValue case "prng": // prng means to use --random-fully @@ -592,14 +591,12 @@ func typeOfSNAT() snatType { case "none": // none means to disable randomisation (no flag) return sequentialSNAT - - case defaultString: + case "hashrandom": // hashrandom means to use --random return randomHashSNAT default: // if we get to this point, the environment variable has an invalid value - log.Errorf("Failed to parse %s; using default: %s. Provided string was %q", envRandomizeSNAT, defaultString, - strValue) + log.Errorf("Failed to parse %s; using default: %s. Provided string was %q", envRandomizeSNAT, "prng", strValue) return defaultValue } }