On Mon, Jan 29, 2024 at 09:12:54PM +0000, Kyle Swenson wrote:
> When a DNAT rule is configured via iptables with different port ranges,
>
> iptables -t nat -A PREROUTING -p tcp -d 10.0.0.2 -m tcp --dport 32000:32010
> -j DNAT --to-destination 192.168.0.10:21000-21010
>
> we seem to be DNATing to some random port on the LAN side. While this is
> expected if --random is passed to the iptables command, it is not
> expected without passing --random. The expected behavior (and the
> observed behavior in v4.4) is the traffic will be DNAT'd to
> 192.168.0.10:21000 unless there is a tuple collision with that
> destination. In that case, we expect the traffic to be instead DNAT'd
> to 192.168.0.10:21001, and so on and so forth until the end of the range.
>
> This patch is a naive attempt to restore the behavior seen in v4.4. I'm
> hopeful folks will point out problems and regressions this could cause
> elsewhere, since I've little experience in the net tree.

Would you post this without the RFC tag and provide a Fixes: tag?

Thanks.
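The port-selection behaviour the report describes, as a small added model (not code from the thread and not the kernel's nf_nat implementation): sequential selection from the start of the DNAT range with collision skipping, next to the --random variant for contrast. The FlowTuple layout, the function names and the sample client addresses are assumptions made for the illustration.

```python
# Added example: models the DNAT port-range selection described in the report.
# Not the kernel's nf_nat code; tuple layout and names are assumptions.
import random
from typing import Iterable, NamedTuple, Optional


class FlowTuple(NamedTuple):
    """Reply-direction tuple that must stay unique after translation."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def dnat_pick_port(src_ip: str, src_port: int, dst_ip: str,
                   port_range: range, used: Iterable[FlowTuple],
                   randomize: bool = False,
                   rng: Optional[random.Random] = None) -> Optional[int]:
    """Return the translated destination port for a new flow, or None.

    Sequential mode (the v4.4 behaviour the report expects): start at the
    first port of the range and take the first port whose resulting tuple
    is not already in use. Random mode (iptables --random): start at a
    random offset and wrap around the range, skipping used tuples.
    """
    in_use = set(used)
    ports = list(port_range)
    start = (rng or random).randrange(len(ports)) if randomize else 0
    for i in range(len(ports)):
        port = ports[(start + i) % len(ports)]
        if FlowTuple(src_ip, src_port, dst_ip, port) not in in_use:
            return port
    return None  # every port in the range collides for this flow


def demo() -> list:
    """Three flows whose reply tuples would collide: 21000, 21001, 21002."""
    dnat_range = range(21000, 21011)  # 21000-21010, as in the reported rule
    in_use: set = set()
    picked = []
    for _ in range(3):
        port = dnat_pick_port("10.0.0.5", 40000, "192.168.0.10",
                              dnat_range, in_use)  # constructed sample flow
        in_use.add(FlowTuple("10.0.0.5", 40000, "192.168.0.10", port))
        picked.append(port)
    return picked
```

With an empty conntrack table the first flow lands on 21000, matching the v4.4 expectation; only a tuple collision moves a flow to the next port.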