
Ask HN: Containers and network access? - zaroth
Tuning for any high load, the first thing you need to do is turn off conntrack. But then you lose DNAT. Yet every container network guide depends on iptables and DNAT?!

What's the docker approved way to flatten the network and get routing directly to the container services? Or are people actually running with conntrack and DNAT in production? It seems like it can have a significant impact, which is why I'm seeking alternatives...

On another note... It seems like the ECMP fix is going to be coming to the kernel soon, there's a lot of hardware which will be ECMP capable, so that should hit the masses. I wish it were here sooner!
======
DanielDent
A docker container can run in host networking mode.

You could also disable the DNAT and route IPs to your containers. Docker uses
network namespaces to create a bridge to the actual ethernet card - the DNAT
part of things is only one possible configuration.

IPv6 makes it easier to have routable addresses.

The right choice is going to depend on the available infrastructure,
performance requirements, workload profile, ...

But really, in most environments, connection tracking simply isn't the
bottleneck. Where it is, configure your systems not to use it.
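
The setup DanielDent sketches (host networking, or a bridge whose subnet is routed to the containers with no DNAT, and conntrack taken out of the path) written out as an added shell example; this is not code from the thread or from Docker's own documentation. The upstream interface eth0, the host address 192.0.2.10, the subnet 10.200.0.0/24, the bridge and network names, the container name and the nginx:alpine image are all constructed for the example. The script defaults to printing the commands (DRY_RUN=1); run it as root on a Docker host with DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Routed container networking without DNAT or connection tracking.
# Added example, not from the HN thread. Constructed assumptions:
#   - host upstream interface eth0 with address 192.0.2.10
#   - the upstream router sends 10.200.0.0/24 to 192.0.2.10
#     ("ip route add 10.200.0.0/24 via 192.0.2.10" on that router)
#   - a user-defined Docker network "routed" on Linux bridge br-routed
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it.

DRY_RUN="${DRY_RUN:-1}"
UPLINK="eth0"
SUBNET="10.200.0.0/24"
GATEWAY="10.200.0.1"
BRIDGE="br-routed"
NET="routed"
CONTAINER_IP="10.200.0.10"
IMAGE="nginx:alpine"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# 1. Stop dockerd from managing iptables: no DNAT for -p, no MASQUERADE,
#    and no userland proxy. Takes effect after a daemon restart.
daemon_json() {
    cat <<'EOF'
{
  "iptables": false,
  "ip-forward": true,
  "userland-proxy": false
}
EOF
}

# 2. A bridge network whose subnet is routable from outside, with
#    masquerading disabled, and the service on a fixed address.
create_network() {
    run docker network create -d bridge \
        --subnet "$SUBNET" --gateway "$GATEWAY" \
        -o com.docker.network.bridge.name="$BRIDGE" \
        -o com.docker.network.bridge.enable_ip_masquerade=false \
        "$NET"
}

# No -p: nothing to publish, the container address is reached directly.
run_service() {
    run docker run -d --name web --network "$NET" --ip "$CONTAINER_IP" "$IMAGE"
}

# The simplest alternative from the answer: share the host's network
# namespace, so the service binds on the host's own addresses.
run_service_hostnet() {
    run docker run -d --name web-host --network host "$IMAGE"
}

# 3. The host forwards between the uplink and the bridge. These rules are
#    stateless on purpose: untracked packets never match ctstate rules.
host_routing() {
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -A FORWARD -i "$UPLINK" -o "$BRIDGE" -d "$SUBNET" -j ACCEPT
    run iptables -A FORWARD -i "$BRIDGE" -o "$UPLINK" -s "$SUBNET" -j ACCEPT
}

# 4. Exempt the container subnet from conntrack in the raw table. Only
#    safe once no NAT applies to it: DNAT/MASQUERADE need conntrack state
#    and silently stop working for untracked packets.
skip_conntrack() {
    run iptables -t raw -A PREROUTING -d "$SUBNET" -j CT --notrack
    run iptables -t raw -A PREROUTING -s "$SUBNET" -j CT --notrack
    run iptables -t raw -A OUTPUT -d "$SUBNET" -j CT --notrack
}

main() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "# /etc/docker/daemon.json:"
        daemon_json
    else
        daemon_json > /etc/docker/daemon.json
        systemctl restart docker
    fi
    create_network
    host_routing
    run_service
    skip_conntrack
}

main "$@"
```

Once dockerd stops managing iptables, every other container on the host loses its MASQUERADE and published-port DNAT as well, so anything that still depends on them needs its own rules or should move to host networking too; and the FORWARD rules for the routed subnet must stay stateless, since `-m conntrack --ctstate` never matches packets marked NOTRACK.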

