Currently, source ports do not get changed during source-NAT:

```
15:18:50.762235 vlan776 In IP 10.67.144.1.44819 > 141.1.1.1.80: Flags [S], seq 2793823730, win 35840, options [mss 8960,sackOK,TS val 366183215 ecr 0,nop,wscale 14], length 0
15:18:50.762308 vlan104009 Out IP 212.34.85.43.44819 > 141.1.1.1.80: Flags [S], seq 2793823730, win 35840, options [mss 8960,sackOK,TS val 366183215 ecr 0,nop,wscale 14], length 0
```

and calico is configured by gardener-extension-provider-calico to only use half of the possible source ports for NAT:

```yaml
- name: FELIX_NATPORTRANGE
  value: "32768:65535"
```

On clusters with a lot of nodes and with a lot of connections to the same backend, this can lead to too early reuse of source ports, which then get dropped by the target or by a firewall in between.
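Added example (not part of the issue or of gardener-extension-provider-calico): a small Python checker that parses tcpdump SYN lines in the format shown above and flags a SNAT source port reused toward the same backend within an assumed firewall state window, plus the arithmetic for how quickly a FELIX_NATPORTRANGE wraps around at a given connection rate. The 120 s window, the 500 SYN/s rate and the third capture line are constructed values.

```python
import re

# Matches tcpdump lines like those in the issue:
# "HH:MM:SS.usec iface In|Out IP src.sport > dst.dport: Flags [S], ..."
SYN_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<iface>\S+) (?P<dir>In|Out) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[S\],"
)

def parse_ts(ts: str) -> float:
    """Seconds since midnight for a tcpdump HH:MM:SS.usec timestamp."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def find_early_reuse(lines, window_s=120.0, direction="Out"):
    """Return (src, sport, dst, dport, gap_s) for each SYN in `direction` that reuses
    a 4-tuple seen less than window_s seconds earlier. window_s stands in for the
    connection-state timeout of the target or an intermediate firewall (assumed)."""
    last_seen, reuse = {}, []
    for line in lines:
        m = SYN_RE.match(line)
        if not m or m["dir"] != direction:
            continue
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        t = parse_ts(m["ts"])
        prev = last_seen.get(key)
        if prev is not None and t - prev < window_s:
            reuse.append(key + (round(t - prev, 6),))
        last_seen[key] = t
    return reuse

def port_range_size(spec: str) -> int:
    """Number of ports in a FELIX_NATPORTRANGE spec such as "32768:65535"."""
    lo, hi = (int(x) for x in spec.split(":"))
    return hi - lo + 1

def min_reuse_interval_s(spec: str, syn_rate_per_s: float) -> float:
    """Fastest possible wrap-around of the SNAT port range toward one backend:
    with n usable ports and r new connections/s, a port comes back after n/r seconds."""
    return port_range_size(spec) / syn_rate_per_s

# Constructed sample: the two lines from the issue plus a later SYN that reuses
# source port 44819 toward the same backend only ~29 s later.
SAMPLE = [
    "15:18:50.762235 vlan776 In IP 10.67.144.1.44819 > 141.1.1.1.80: Flags [S], seq 2793823730, win 35840, options [mss 8960,sackOK,TS val 366183215 ecr 0,nop,wscale 14], length 0",
    "15:18:50.762308 vlan104009 Out IP 212.34.85.43.44819 > 141.1.1.1.80: Flags [S], seq 2793823730, win 35840, options [mss 8960,sackOK,TS val 366183215 ecr 0,nop,wscale 14], length 0",
    "15:19:20.100000 vlan104009 Out IP 212.34.85.43.44819 > 141.1.1.1.80: Flags [S], seq 12345, win 35840, options [mss 8960,sackOK], length 0",
]

if __name__ == "__main__":
    print(find_early_reuse(SAMPLE), port_range_size("32768:65535"), min_reuse_interval_s("32768:65535", 500))
```

Run against a real `tcpdump -nn -i any 'tcp[tcpflags] & tcp-syn != 0'` capture on a node to see whether ports toward a given backend are coming back faster than the state timeout of the device that drops them.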