[Dnsmasq-discuss] Single-port mode for TFTP

john doe johndoe65534 at mail.com
Mon Dec 30 13:16:46 GMT 2019

On 12/30/2019 12:51 PM, kvaps wrote:
> Hi Simon,
> We're happy to use dnsmasq for organize network booting in Kubernetes, it
> have everything need: DNS-, DHCP- and TFTP-servers.
> The only problem is that TFTP protocol in its reference implementation is
> not working behind the NAT, because always sends reply packets from random
> port.
> Note that Kubernetes uses NAT for external services, so it's not possible
> to run TFTP-server for external clients there. There is one proposed
> solution for that, it suggests moving away from the RFC and implement
> --single-port option for always reply from the same port which was
> requested by the client.
> In this way, the TFTP-packets can be simple NAT'ed back to the client side.
> Take a look on unique features for go-tftp implementation:
> https://github.com/vcabbage/go-tftp#unique-features
> And its command line client:
> https://github.com/kvaps/trivialt/

Isn't the below flag what you want from (1):

A TFTP server listens on a well-known port (69) for connection
initiation, but it also uses a dynamically-allocated port for each
connection. Normally these are allocated by the OS, but this option
specifies a range of ports for use by TFTP transfers. This can be useful
when TFTP has to traverse a firewall. The start of the range cannot be
lower than 1025 unless dnsmasq is running as root. The number of
concurrent TFTP connections is limited by the size of the port range."

1)  http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

John Doe

More information about the Dnsmasq-discuss mailing list