Page MenuHomeVyOS Platform

Source NAT Port Mapping setting of Fully-Random is superfluous in Kernels 5.0 onwards
Closed, ResolvedPublicFEATURE REQUEST

Description

A source nat port-mapping rule gives the following 3 options:

tim@ferrari# set nat source rule 1000 translation options port-mapping 
Possible completions:
   random               Randomize source port mapping
   fully-random         Full port randomization
   none                 Do not apply port randomization (default)

However the documentation for nftables clearly states that from Kernel 5.0+ that random and fully-random do the same thing. Please see Table 71 - "NAT statement flags" which states:

random - In kernel 5.0 and newer this is the same as fully-random. In earlier kernels the port mapping will be randomized using a seeded MD5 hash mix using source and destination address and destination port.

Therefore due to the fact that 1.3 (the above is true for iptables as well) and 1.4 use kernels greater than 5.0, the "fully-random" statement can be remove from the cli/settings as it not required and may confuse users.

Details

Difficulty level
Normal (likely a few hours)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Behavior change

Event Timeline

Viacheslav triaged this task as Normal priority.Thu, May 16, 7:10 AM
c-po changed Difficulty level from Unknown (require assessment) to Normal (likely a few hours).
c-po moved this task from Need Triage to Finished on the VyOS 1.5 Circinus board.
c-po moved this task from Need Triage to 1.4.0-GA on the VyOS 1.4 Sagitta board.
c-po edited projects, added VyOS 1.4 Sagitta (1.4.0-GA); removed VyOS 1.4 Sagitta.
c-po moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta (1.4.0-GA) board.