What happens to open TCP sessions when a DNAT endpoint is removed in iptables

michelesr

7/24/23, 12:17 PM

In Kubernetes, when kube-proxy is configured in iptables mode, it will create DNAT rules to forward packets to the service endpoints (the pod IPs). If the service changes its endpoints, and one endpoint is removed, would that affect existing open TCP sockets, or is the kernel stateful in a way that remembers those sessions and they are kept alive until closed by one of the two peers?

0 + 0

linux

iptables

kubernetes

michelesr

7/25/23, 12:24 PM

I ended up doing some testing on Kubernetes backed by AWS ALB, and looks like the connection is kept alive even after the service endpoint (and related iptables DNAT rule), so I guess it means that the linux networking subsystem is stateful and remembers sessions.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: What happens to open TCP sessions when a DNAT endpoint is removed in iptables

TH: จะเกิดอะไรขึ้นกับการเปิดเซสชัน TCP เมื่อจุดสิ้นสุด DNAT ถูกลบใน iptables

RO: Ce se întâmplă cu sesiunile TCP deschise când un punct final DNAT este eliminat din iptables

RU: Что происходит с открытием сеансов TCP при удалении конечной точки DNAT в iptables

VI: Điều gì xảy ra để mở phiên TCP khi điểm cuối DNAT bị xóa trong iptables

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.