On Thu, Dec 16, 2021 at 04:28:16PM +0100, Florian Westphal wrote:
> If destination port is above 32k and source port below 16k
> assume this might cause 'port shadowing' where a 'new' inbound
> connection matches an existing one, e.g.
>
> inbound X:41234 -> Y:53 matches existing conntrack entry
> Z:53 -> X:4123, where Z got natted to X.
>
> In this case, new packet is natted to Z:53 which is likely
> unwanted.
>
> We avoid the rewrite for connections that originate from local host:
> port-shadowing is only possible with forwarded connections.
>
> Also adjust test case.
>
> v3: no need to call tuple_force_port_remap if already in random mode
>
> Cc: Eric Garver <eric@xxxxxxxxxxx>
> Cc: Phil Sutter <phil@xxxxxx>
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>

Acked-by: Phil Sutter <phil@xxxxxx>

Thanks for the quick follow-up!
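The scenario in the quoted commit message, replayed as a small Python model (an added illustration, not the kernel's nf_nat code and not part of this thread): a masquerading NAT keeps a conntrack-style table keyed by reply tuple, preserves the source port by default, and, with the fix enabled, forces a random remap for forwarded flows whose source port is below 16k and destination port above 32k. The thresholds (16384 / 32768) come from the message; the remap range 32768-60999, the addresses (documentation ranges), the remote port 41234, the `from_local_host` and `random_mode` flags, and all function names are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple
import random

# Thresholds from the commit message: "destination port above 32k and
# source port below 16k" triggers a forced source-port remap.
LOW_SRC_PORT = 16384
HIGH_DST_PORT = 32768
EPHEMERAL_RANGE = (32768, 60999)  # assumed remap range for this model


@dataclass(frozen=True)
class Flow:
    """A 4-tuple; protocol is assumed UDP throughout this model."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def force_port_remap(src_port: int, dst_port: int) -> bool:
    """Heuristic described in the message: a low source port talking to a
    high destination port is the shape that lets a later inbound 'new'
    packet to the low port collide with this connection's reply tuple."""
    return src_port < LOW_SRC_PORT and dst_port >= HIGH_DST_PORT


class SourceNat:
    """Minimal masquerading NAT with a conntrack-style reply-tuple table."""

    def __init__(self, public_ip: str, random_mode: bool = False,
                 shadow_fix: bool = True, seed: int = 1):
        self.public_ip = public_ip
        self.random_mode = random_mode    # models an already-random port mode
        self.shadow_fix = shadow_fix      # the behaviour the patch adds
        self.rng = random.Random(seed)
        self.used_ports: Set[int] = set()
        self.reply_to_orig: Dict[Flow, Flow] = {}

    def _fresh_port(self) -> int:
        while True:
            p = self.rng.randint(*EPHEMERAL_RANGE)
            if p not in self.used_ports:
                return p

    def outbound(self, orig: Flow, from_local_host: bool = False) -> Flow:
        """Translate an outbound flow; returns the reply tuple that the
        table will match for inbound packets from now on."""
        if self.random_mode:
            # v3 note from the message: nothing to force in random mode.
            port = self._fresh_port()
        elif (self.shadow_fix and not from_local_host
              and force_port_remap(orig.src_port, orig.dst_port)):
            port = self._fresh_port()  # forwarded flow: forced remap
        elif orig.src_port not in self.used_ports:
            port = orig.src_port       # default: keep the source port
        else:
            port = self._fresh_port()
        self.used_ports.add(port)
        reply = Flow(orig.dst_ip, orig.dst_port, self.public_ip, port)
        self.reply_to_orig[reply] = orig
        return reply

    def inbound(self, pkt: Flow) -> Tuple[str, Optional[Flow]]:
        """'reply' means the packet is un-NATed back to the internal
        originator; 'new' means it reaches the local service on that port."""
        orig = self.reply_to_orig.get(pkt)
        return ("reply", orig) if orig is not None else ("new", None)


def shadowing_outcome(shadow_fix: bool) -> str:
    """Internal host Z sends from port 53 to X:41234 through the router R;
    X then sends a 'new' packet to R's own port 53."""
    Z, X, R = "10.0.0.7", "198.51.100.9", "203.0.113.1"  # constructed
    nat = SourceNat(public_ip=R, shadow_fix=shadow_fix)
    nat.outbound(Flow(Z, 53, X, 41234))
    kind, orig = nat.inbound(Flow(X, 41234, R, 53))
    if kind == "reply":
        return f"shadowed: delivered to {orig.src_ip}:{orig.src_port}"
    return "new: delivered to local service on port 53"


if __name__ == "__main__":
    print("without fix ->", shadowing_outcome(False))
    print("with fix    ->", shadowing_outcome(True))
```

Without the fix the reply tuple is X:41234 -> R:53, so the inbound packet is treated as the reply to Z's flow and forwarded to Z; with the fix the outbound flow is remapped to a random high port and the inbound packet reaches R's own port 53. A flow marked `from_local_host` keeps its port, since in that case the inbound packet really is the local socket's reply.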