
netfilter: nat: force port remap to prevent shadowing well-known ports

Florian Westphal requested to merge fwestpha/centos-stream-9-fw:bz2006169 into main

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2006169
CVE: CVE-2021-3773
Upstream Status: mainline
Conflicts: none

Enforce port reallocation for forwarded connections in some scenarios to avoid a source port that might be in use by a local service.

The included selftest script checks this; it will show

    ERROR: portshadow test default: got reply from "CLIENT", not ROUTER as intended

on unpatched kernels.

Signed-off-by: Florian Westphal fwestpha@redhat.com
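To make the failure mode and the mitigation concrete, here is a simplified model of a masquerading router, written as an added example for this page; it is not the kernel's NAT code and mirrors only the idea in the description. The model assumes a single hypothetical router with a constructed set of locally bound ports and a constructed pair of internal/remote hosts (addresses from the documentation ranges). Without forced remapping, a forwarded flow that keeps a source port equal to a local listener's port creates a reverse-direction mapping that captures packets meant for the router; with forced remapping, the forwarded flow is moved to a free ephemeral port and the local service receives its traffic, which is what the selftest's "reply from ROUTER" expectation checks.

```python
"""Simplified model of NAT source-port selection and port shadowing (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class MasqueradingRouter:
    """Toy router that masquerades internal hosts behind one WAN address.

    This is a constructed model for illustration, not the Linux conntrack/NAT
    implementation; protocol, TTL and connection state are deliberately omitted.
    """

    EPHEMERAL_START = 32768  # assumption: first port used when a remap is needed

    def __init__(self, wan_ip, local_ports, force_remap):
        self.wan_ip = wan_ip
        self.local_ports = set(local_ports)  # services bound on the router itself
        self.force_remap = force_remap
        # reply-direction key (remote_ip, remote_port, wan_port) -> internal (ip, port)
        self.mappings = {}

    def _external_port_in_use(self, remote_ip, remote_port, port):
        return (remote_ip, remote_port, port) in self.mappings

    def forward_out(self, pkt):
        """Translate an internal->external packet; return it as seen on the WAN."""
        port = pkt.src_port
        must_remap = self._external_port_in_use(pkt.dst_ip, pkt.dst_port, port)
        if self.force_remap and port in self.local_ports:
            # Keeping this port would shadow a local service: force reallocation.
            must_remap = True
        if must_remap:
            port = self.EPHEMERAL_START
            while port in self.local_ports or self._external_port_in_use(
                pkt.dst_ip, pkt.dst_port, port
            ):
                port += 1
        self.mappings[(pkt.dst_ip, pkt.dst_port, port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.wan_ip, port, pkt.dst_ip, pkt.dst_port)

    def receive_in(self, pkt):
        """Decide who handles a packet arriving on the WAN interface.

        A matching NAT mapping wins over a local listener, which is exactly
        how a forwarded flow can shadow a well-known port on the router.
        """
        if (pkt.src_ip, pkt.src_port, pkt.dst_port) in self.mappings:
            return "CLIENT"
        if pkt.dst_port in self.local_ports:
            return "ROUTER"
        return "DROP"


def portshadow_test(force_remap):
    """Reproduce the selftest's scenario in the model; returns who answers."""
    # Constructed topology: router offers a service on port 22 (e.g. ssh).
    router = MasqueradingRouter("203.0.113.1", local_ports={22}, force_remap=force_remap)
    # Internal client opens a forwarded flow whose source port collides with 22.
    router.forward_out(Packet("192.168.0.2", 22, "198.51.100.7", 40000))
    # The remote host now talks to the router's own port 22 from the same socket.
    return router.receive_in(Packet("198.51.100.7", 40000, "203.0.113.1", 22))


if __name__ == "__main__":
    for mode in (False, True):
        print(f"force_remap={mode}: reply from {portshadow_test(mode)}")
```

Running the module prints `CLIENT` for the unpatched behaviour and `ROUTER` once forced remapping is enabled, matching the two outcomes the selftest distinguishes. A real kernel additionally considers protocol, conntrack state and the existing port-allocation rules, so treat `force_remap` here as the policy decision only, not as the kernel's exact condition.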
