> No, the default behaviour (no port translation if tuple is unused) has not
> changed.

Sorry, I was not specific enough about what I meant. I am concerned about the cases where port translation is done.

Looking at https://github.com/torvalds/linux/blob/089cf7f6ecb266b6a4164919a2e69bd2f938374a/net/netfilter/nf_nat_core.c#L488-L491 , it looks to me like the first port probed is chosen randomly unless `range->flags & NF_NAT_RANGE_PROTO_OFFSET`. And based on your other remarks, it looks like that bit test is not going to be true for SNAT.

So is it true that in the cases where a new port needs to be chosen for SNAT, the search is always started at a randomly chosen port? This would mean that although iptables continues to accept `--random-fully` as an option to `-j MASQUERADE`, it now makes no difference --- the behavior without `--random-fully` is now the same as the behavior _with_ `--random-fully`; that is the sense of "default" that I meant.

Thanks,
Mike