Page MenuHomeVyOS Platform
Create Task
Maniphest T6345

Source NAT Port Mapping setting of Fully-Random is superfluous in Kernels 5.0 onwards
Closed, ResolvedPublicFEATURE REQUEST
Actions

Description

A source nat port-mapping rule gives the following 3 options:

tim@ferrari# set nat source rule 1000 translation options port-mapping 
Possible completions:
   random               Randomize source port mapping
   fully-random         Full port randomization
   none                 Do not apply port randomization (default)

However the documentation for nftables clearly states that from Kernel 5.0+ that random and fully-random do the same thing. Please see Table 71 - "NAT statement flags" which states:

random - In kernel 5.0 and newer this is the same as fully-random. In earlier kernels the port mapping will be randomized using a seeded MD5 hash mix using source and destination address and destination port.

Therefore due to the fact that 1.3 (the above is true for iptables as well) and 1.4 use kernels greater than 5.0, the "fully-random" statement can be remove from the cli/settings as it not required and may confuse users.

Details

Difficulty level
Normal (likely a few hours)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Behavior change

Related Objects

Event Timeline

tjh created this task.May 15 2024, 10:14 PM
Viacheslav triaged this task as Normal priority.May 16 2024, 7:10 AM
pasik subscribed.May 16 2024, 9:09 AM
c-po claimed this task.May 19 2024, 7:45 PM
c-po changed Difficulty level from Unknown (require assessment) to Normal (likely a few hours).
c-po added a project: VyOS 1.5 Circinus.May 22 2024, 7:12 PM
c-po added a comment.May 22 2024, 7:36 PM

https://github.com/vyos/vyos-1x/pull/3507

Restricted Repository Identity mentioned this in rVYOSONEX5678e37fd0b3: Merge pull request #3507 from c-po/nat-T6345.May 23 2024, 9:23 AM
c-po mentioned this in rVYOSONEX7fe568ca1672: nat: T6345: source NAT port mapping "fully-random" is superfluous in Kernel >=5..May 23 2024, 9:23 AM
Restricted Repository Identity mentioned this in rVYOSONEX2c94114a3fe1: nat: T6345: source NAT port mapping "fully-random" is superfluous in Kernel >=5..May 23 2024, 2:19 PM
Restricted Repository Identity mentioned this in rVYOSONEX371517c4dcf9: Merge pull request #3511 from vyos/mergify/bp/sagitta/pr-3507.May 23 2024, 2:49 PM
c-po closed this task as Resolved.May 25 2024, 6:24 AM
c-po moved this task from Open to Finished on the VyOS 1.5 Circinus board.
c-po moved this task from Open to 1.4.0-GA on the VyOS 1.4 Sagitta board.
c-po edited projects, added VyOS 1.4 Sagitta (1.4.0-GA); removed VyOS 1.4 Sagitta.
c-po moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta (1.4.0-GA) board.