Mike Spreitzer <mspreitz@xxxxxxxxxx> wrote:
> Sorry, I was not specific enough about what I meant. I am concerned about
> the cases where port translation is done. Looking at
> https://github.com/torvalds/linux/blob/089cf7f6ecb266b6a4164919a2e69bd2f938374a/net/netfilter/nf_nat_core.c#L488-L491
> , it looks to me like the first port probed is chosen randomly unless
> `range->flags & NF_NAT_RANGE_PROTO_OFFSET`. And based on your other
> remarks, it looks like that bit test is not going to be true for SNAT. So
> is it true that in the cases where a new port needs to be chosen for SNAT,
> the search is always started at a randomly chosen port? This would mean
> that although iptables continues to accept `--random-fully` as an option
> to `-j MASQUERADE`, it now makes no difference --- the behavior without
> `--random-fully` is now the same as the behavior _with_ `--random-fully`;
> that is the sense of "default" that I meant.

The function in question is only supposed to be invoked when either the RANDOM
or the RANDOM_FULLY bit is set, or if there is a collision and the tuple can't
be used as-is.
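The two steps the exchange above is about, as an added userland model (not kernel code and not code from either correspondent): the "keep the original port if it is in range and unused" shortcut in get_unique_tuple(), which is why the search function is only reached for RANDOM/RANDOM_FULLY or on a collision, and the bounded probe loop in nf_nat_l4proto_unique_tuple(), where NF_NAT_RANGE_PROTO_OFFSET is the only flag that makes the first probe depend on the original port. Assumptions: the conntrack "used tuple" lookup is replaced by a bitmap of busy ports, prandom_u32() by a seedable LCG so runs are reproducible, and a search that exhausts its probes returns -1. The flag values follow include/uapi/linux/netfilter/nf_nat.h; the struct and function names (nat_range, port_set, pick_port, snat_port) are this example's own.

```c
/* Userland model of SNAT source-port selection in nf_nat_core.c (added
 * illustration, not kernel code). Assumptions: conntrack lookups are a
 * busy-port bitmap, prandom_u32() is a seedable LCG, exhaustion returns -1. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NF_NAT_RANGE_PROTO_SPECIFIED    (1 << 1)
#define NF_NAT_RANGE_PROTO_RANDOM       (1 << 2)
#define NF_NAT_RANGE_PROTO_RANDOM_FULLY (1 << 4)
#define NF_NAT_RANGE_PROTO_OFFSET       (1 << 5)
#define NF_NAT_RANGE_PROTO_RANDOM_ALL \
    (NF_NAT_RANGE_PROTO_RANDOM | NF_NAT_RANGE_PROTO_RANDOM_FULLY)

struct nat_range {               /* example's own stand-in for nf_nat_range2 */
    unsigned flags;
    unsigned min_port, max_port; /* honoured when PROTO_SPECIFIED (--to-ports) */
    unsigned base_port;          /* honoured when PROTO_OFFSET */
};

/* Stand-in for nf_nat_used_tuple(): a port is "used" if its bit is set. */
struct port_set { uint8_t busy[65536 / 8]; };
void mark_busy(struct port_set *s, unsigned p) { s->busy[p >> 3] |= (uint8_t)(1u << (p & 7)); }
int  is_busy(const struct port_set *s, unsigned p) { return (s->busy[p >> 3] >> (p & 7)) & 1; }

/* Seedable stand-in for prandom_u32() (Numerical Recipes LCG constants). */
static uint32_t lcg_state;
void     seed_rng(uint32_t seed) { lcg_state = seed; }
uint32_t lcg_rng(void) { lcg_state = lcg_state * 1664525u + 1013904223u; return lcg_state; }

/* Model of the find_free_id path of nf_nat_l4proto_unique_tuple(). */
int pick_port(unsigned orig_port, const struct nat_range *r,
              const struct port_set *used, uint32_t (*rng)(void))
{
    unsigned min, range_size, attempts, i;
    const unsigned max_attempts = 128;
    uint16_t off; /* u16 as in the kernel: wraps, and % range_size folds it into range */

    if (!(r->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
        /* No --to-ports: stay in the original port's class (1-511, 600-1023, 1024-65535). */
        if (orig_port < 512)       { min = 1;    range_size = 511; }
        else if (orig_port < 1024) { min = 600;  range_size = 424; }
        else                       { min = 1024; range_size = 64512; }
    } else {
        unsigned max = r->max_port;
        min = r->min_port;
        if (max < min) { unsigned t = min; min = max; max = t; }
        range_size = max - min + 1;
    }

    /* The decision the quoted question is about: only PROTO_OFFSET ties the
     * first probe to the original port; otherwise the start is random. */
    if (r->flags & NF_NAT_RANGE_PROTO_OFFSET)
        off = (uint16_t)(orig_port - r->base_port);
    else
        off = (uint16_t)rng();

    attempts = range_size < max_attempts ? range_size : max_attempts;
    for (;;) {
        for (i = 0; i < attempts; i++, off++) {
            unsigned port = min + off % range_size;
            if (!is_busy(used, port))
                return (int)port;
        }
        /* Bounded work: retry from a fresh random offset with a halved window,
         * give up once the window covered the range or became tiny. */
        if (attempts >= range_size || attempts < 16)
            return -1;
        attempts /= 2;
        off = (uint16_t)rng();
    }
}

/* Model of get_unique_tuple()'s port handling for SNAT/MASQUERADE: without a
 * RANDOM flag the original port is kept whenever it is in range and free, so
 * pick_port() only runs for RANDOM/RANDOM_FULLY or after a collision. */
int snat_port(unsigned orig_port, const struct nat_range *r,
              const struct port_set *used, uint32_t (*rng)(void))
{
    if (!(r->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL)) {
        if (r->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
            int in_range = orig_port >= r->min_port && orig_port <= r->max_port;
            if (!(r->flags & NF_NAT_RANGE_PROTO_OFFSET) && in_range &&
                (r->min_port == r->max_port || !is_busy(used, orig_port)))
                return (int)orig_port;
        } else if (!is_busy(used, orig_port)) {
            return (int)orig_port;
        }
    }
    return pick_port(orig_port, r, used, rng);
}

int main(void)
{
    struct port_set used; memset(&used, 0, sizeof used);
    struct nat_range masq = { 0, 0, 0, 0 };
    struct nat_range masq_full = { NF_NAT_RANGE_PROTO_RANDOM_FULLY, 0, 0, 0 };

    seed_rng(1);
    printf("MASQUERADE, port 50000 free:   %d\n", snat_port(50000, &masq, &used, lcg_rng));
    printf("MASQUERADE --random-fully:     %d\n", snat_port(50000, &masq_full, &used, lcg_rng));
    mark_busy(&used, 50000);
    printf("MASQUERADE, port 50000 in use: %d\n", snat_port(50000, &masq, &used, lcg_rng));
    return 0;
}
```

Run it and the first call keeps 50000 because no RANDOM flag is set and the port is free; the second and third calls both land in pick_port(), and once there the two differ only in the random seed, which is the equivalence the quoted question observes for the search itself, while the "keep the port" shortcut is the difference the reply points at.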