On Mon, 3 Mar 2025, at 6:16 PM, Chris Hall wrote:

> I'm trying to understand what ports the netfilter snat will map TCP/UDP
> connections to. I've tried, but failed, to find answers elsewhere :-(
>
> ---------------
>
> For iptables the SNAT target may be set:
>
> --to-source [ipaddr[-ipaddr]][:port[-port]]
>
> where [according to iptables-extensions(8)]:
>
> "If no port range is specified, then source ports below 512 will
> be mapped to other ports below 512: those between 512 and 1023
> inclusive will be mapped to ports below 1024, and other ports
> will be mapped to 1024 or above. Where possible, no port
> alteration will occur."
>
> Is the nftables snat the same ??

Yes.

https://github.com/torvalds/linux/blob/adc218676eef25575469234709c2d87185ca223a/net/netfilter/nf_nat_core.c#L641

> If a port range is specified, will all source ports be forced into that
> range ??

Yes.

https://github.com/torvalds/linux/blob/adc218676eef25575469234709c2d87185ca223a/net/netfilter/nf_nat_core.c#L659

> Or are source ports below 1024 still mapped separately ??

No.

> Then there are the /proc/sys/net/ipv4 entries:
>
> ip_local_port_range: 32768 60999
> ip_local_reserved_ports: <empty>
> ip_unprivileged_port_start: 1024
>
> Do these interact with the source port mapping for snat at all ??

Not directly, no.

> RFCs 4787 & 5382 REQUIRE "Endpoint-Independent Mapping". Is that
> supported ??

I'll defer on this question as I have yet to read the RFCs in full.

-- 
Kerin Millar
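As an added illustration (not the kernel's code and not from either correspondent), the following Python models the port-selection rules discussed above: the port classes used when the rule gives no range, the forcing of every source port into an explicit range, and the preference for keeping the original port when it is free. The in-use tuple set, the destination address and the linear search are constructed for the example; the kernel walks its range from a hashed offset rather than from the bottom.

```python
"""Model of netfilter SNAT source-port selection as documented in
iptables-extensions(8).  Illustration only: the real
nf_nat_l4proto_unique_tuple() starts its walk at a hash-derived
offset, so the concrete fallback port it picks will differ."""
from typing import Optional, Set, Tuple

# Constructed table of translated tuples already held by the NAT,
# keyed by (proto, dst_ip, dst_port, translated_sport).
InUse = Set[Tuple[str, str, int, int]]


def default_range(orig_sport: int) -> Tuple[int, int]:
    """Port class applied when the SNAT rule names no port range."""
    if orig_sport < 512:
        return 1, 511            # "mapped to other ports below 512"
    if orig_sport < 1024:
        return 1, 1023           # "mapped to ports below 1024"
    return 1024, 65535           # "mapped to 1024 or above"


def pick_sport(orig_sport: int, proto: str, dst: Tuple[str, int],
               in_use: InUse,
               port_range: Optional[Tuple[int, int]] = None) -> Optional[int]:
    """Return the translated source port, or None if the range is full.

    With an explicit port_range every flow is forced into it, regardless
    of whether the original port is below 1024 (the thread's second and
    third answers).  Without one, default_range() decides the class."""
    lo, hi = port_range if port_range else default_range(orig_sport)

    def free(port: int) -> bool:
        return (proto, dst[0], dst[1], port) not in in_use

    # "Where possible, no port alteration will occur": keep the original
    # port if it already lies inside the range and is not taken.
    if lo <= orig_sport <= hi and free(orig_sport):
        return orig_sport
    for port in range(lo, hi + 1):   # constructed linear fallback walk
        if free(port):
            return port
    return None                      # range exhausted for this dst


if __name__ == "__main__":
    dst = ("198.51.100.7", 443)      # constructed destination
    taken: InUse = {("tcp", dst[0], dst[1], 40000)}
    print(pick_sport(40000, "tcp", dst, set()))              # 40000 kept
    print(pick_sport(40000, "tcp", dst, taken))              # moved, >= 1024
    print(pick_sport(40000, "tcp", dst, set(), (10000, 10010)))  # forced
    print(pick_sport(80, "tcp", dst, set(), (10000, 10010)))     # forced too
```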