[Swan-dev] has iptables SNAT started assigning random ports?

Paul Wouters paul at nohats.ca
Wed Sep 25 02:02:39 UTC 2019

On Tue, 24 Sep 2019, Andrew Cagney wrote:

> Subject: [Swan-dev] has iptables SNAT started assigning random ports?
> see https://testing.libreswan.org/v3.28-839-g49ccf4dde-master/ikev2-32-nat-rw-rekey/OUTPUT/east.console.verbose.txt
> nic# iptables -t nat -A POSTROUTING -s -p udp --sport
> 4500 -j SNAT --to-source
> I'm guessing that, in the past, the first port - 3500 - was assigned
> but now a random port - in the above 3633 - is being assigned

> PS: I need to tweak a sanitizer so that 3500 isn't sanitized but
> that's not the problem here.
> PPS: I wish we used 3-digit port numbers in these tests, usermode is
> dead and we're running as root

commit ec4eabf7c5a0030d684bbb52abf9cf5d12bc9380
Author: Paul Wouters <pwouters at redhat.com>
Date:   Mon Jul 8 23:07:16 2019 -0400

     testing: sanitizers: only sanitize 5 digit ephemeral source ports.

     We have too many of the same rules to sanitize this :/

So if you make it start at 32768, they should get sanitized as ephemeral


More information about the Swan-dev mailing list