Mike Spreitzer <mspreitz@xxxxxxxxxx> wrote:
> In the Linux 4.X kernels I see the concept of RANDOM_FULLY masquerading,
> as in
> https://github.com/torvalds/linux/blob/8fe28cb58bcb235034b64cbbb7550a8a43fd88be/net/netfilter/nf_nat_proto_common.c#L84-L85
> . But in the 5.X kernels I do not see the nf_nat code testing
> `range->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY`. Is that the default
> behavior now, used unless `range->flags & NF_NAT_RANGE_PROTO_OFFSET`?

No, the default behaviour (no port translation if tuple is unused) has not changed.

> What sets `range->flags & NF_NAT_RANGE_PROTO_OFFSET`?

Seems it's not even documented, maybe we can remove it.
I see it's set from DNAT target, but I don't recall what it's good for.

> `iptables` command still accepts `-j MASQUERADE --random-fully`?

Yes.

> If not,
> what version of iptables dropped that? I see the conntrack code still
> propagating this bit into some OVS flags; what's that about? Is there any
> documentation of this stuff?

--random and --random-fully are now doing the same thing internally:
they pick a new, random, source port.
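The two behaviours described in the reply (default source NAT keeps the original port whenever the resulting tuple is unused, `--random`/`--random-fully` always picks a fresh random port) can be illustrated with a small model. The following is an added example written for this page; it is not the kernel's nf_nat code and does not reproduce the kernel's exact port-selection algorithm, only the policy difference. The addresses, the port range and the `SourceNat`/`Tuple5` names are constructed for the illustration.

```python
import random
from dataclasses import dataclass

# Constructed model of source-NAT port selection (illustration only,
# not the kernel's nf_nat implementation).
PORT_MIN, PORT_MAX = 1024, 65535


@dataclass(frozen=True)
class Tuple5:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class SourceNat:
    """Pick a post-NAT source port for a new flow.

    policy == "default":      keep the original source port when the translated
                              tuple is still free; otherwise fall back to a
                              random port in [PORT_MIN, PORT_MAX].
    policy == "random-fully": always choose a new random source port (the reply
                              above says --random is handled the same way now).
    """

    def __init__(self, nat_ip, policy="default", seed=None):
        self.nat_ip = nat_ip
        self.policy = policy
        self.rng = random.Random(seed)
        self.in_use = set()  # translated tuples already owned by a connection

    def translate(self, flow):
        # Try to preserve the original port under the default policy.
        keep = Tuple5(flow.proto, self.nat_ip, flow.sport, flow.dst, flow.dport)
        if self.policy == "default" and keep not in self.in_use:
            self.in_use.add(keep)
            return keep
        # Otherwise draw random ports until an unused tuple is found.
        for _ in range(PORT_MAX - PORT_MIN + 1):
            port = self.rng.randint(PORT_MIN, PORT_MAX)
            cand = Tuple5(flow.proto, self.nat_ip, port, flow.dst, flow.dport)
            if cand not in self.in_use:
                self.in_use.add(cand)
                return cand
        raise RuntimeError("source port range exhausted")


def demo(seed=1):
    """Two internal hosts both use source port 40000 toward the same server.

    Returns (default_first, default_second, random_fully_first):
      - default policy keeps 40000 for the first host and must pick another
        port for the second, because the translated tuple would collide;
      - random-fully picks a random port even for the first, collision-free flow.
    """
    a = Tuple5("udp", "10.0.0.2", 40000, "203.0.113.9", 53)
    b = Tuple5("udp", "10.0.0.3", 40000, "203.0.113.9", 53)
    nat_default = SourceNat("198.51.100.1", "default", seed=seed)
    nat_random = SourceNat("198.51.100.1", "random-fully", seed=seed)
    return nat_default.translate(a), nat_default.translate(b), nat_random.translate(a)


if __name__ == "__main__":
    for t in demo():
        print(t)
```

The model shows why the default policy leaks the internal source port (the translated port equals the original unless a collision forces a change), while the random policies produce a port that is unrelated to the original regardless of collisions.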