I have a host behind a NAT which I’d like to join to a Swarm overlay network. I don’t have the ability to add forwarding rules to this NAT, so I can’t forward 4789/udp as needed for the overlay; however, no UDP ports are outright blocked. So when my host behind the NAT sends an outgoing UDP packet from source port N, if an incoming packet comes back to the NAT with dest port N, then it does get routed back to the original host correctly. Even if the NAT rewrites the port from N to M, if the packet comes back to M it’ll work (see also this).
VXLAN, however, always sends to dest port 4789, but randomizes the source ports. So what if I hacked it so that on my manager node, instead of sending UDP packets to workers on 4789, it sent them to the source port listed in the most recent incoming packet from the worker? Then I believe this would ensure the packets are routed back correctly, even if the worker is behind a NAT. The trade-off is that the worker needs to send the first packet so the manager knows the port. Also, some packets might be lost if the source port changes, but that’s fine.
So would this work, or have other consequences I haven’t thought of? I’ve read VXLAN uses the source port for something related to load-balancing but I don’t fully understand it.
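To make the idea concrete, here is an added simulation (not code from the post or from Docker/VXLAN itself) of a port-restricted NAT between a worker and a manager. It models the RFC 7348 source-port scheme (a hash of the inner frame's headers in the ephemeral range, which is what gives ECMP its load-balancing entropy) and compares replies sent to the fixed port 4789 with replies sent to the source port the manager last saw; the NAT, the flows and the hash are constructed assumptions for the model.

```python
import hashlib
from dataclasses import dataclass, field

VXLAN_PORT = 4789  # fixed destination port the worker's VXLAN socket listens on

def vxlan_src_port(inner_flow: tuple) -> int:
    """Outer UDP source port as RFC 7348 recommends: a hash of the inner frame's
    headers in the ephemeral range, so ECMP paths see per-flow entropy.
    Constructed model of that scheme, not the kernel's exact hash."""
    h = hashlib.sha256(repr(inner_flow).encode()).digest()
    return 49152 + int.from_bytes(h[:2], "big") % (65535 - 49152 + 1)

@dataclass
class Nat:
    """Port-restricted NAT model: rewrites each new inner source port to a fresh
    external port and only forwards inbound datagrams aimed at a mapped port."""
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # inner src port -> external port

    def outbound(self, inner_port: int) -> int:
        if inner_port not in self.table:
            self.table[inner_port] = self.next_port
            self.next_port += 1
        return self.table[inner_port]

    def inbound(self, ext_port: int):
        """Inner port a datagram is forwarded to, or None if the NAT drops it."""
        hits = [inner for inner, ext in self.table.items() if ext == ext_port]
        return hits[0] if hits else None

def simulate(flows, learn_port: bool) -> tuple:
    """Worker behind the NAT sends one VXLAN datagram per inner flow; the manager
    answers each one immediately. With learn_port the manager replies to the
    source port it last saw from the worker; otherwise it always uses 4789.
    Returns (replies forwarded by the NAT, replies dropped by the NAT)."""
    nat, last_seen, delivered = Nat(), None, 0
    for flow in flows:
        last_seen = nat.outbound(vxlan_src_port(flow))   # manager observes this
        dst = last_seen if learn_port else VXLAN_PORT
        delivered += nat.inbound(dst) is not None
    return delivered, len(flows) - delivered

# Constructed inner flows (src IP, dst IP, dst port) crossing the overlay.
FLOWS = [("10.0.0.2", "10.0.0.3", 80), ("10.0.0.2", "10.0.0.3", 443)]

if __name__ == "__main__":
    print("fixed 4789 :", simulate(FLOWS, learn_port=False))   # (0, 2)
    print("learned    :", simulate(FLOWS, learn_port=True))    # (2, 0)
```

Because the source port is a per-flow hash, each new inner flow lands on a different external port, so the manager's cached port goes stale until the next datagram from that worker arrives.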