netfilter: nat: force port remap to prevent shadowing well-known ports
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2006169
CVE: CVE-2021-3773
Upstream Status: mainline
Conflicts: none
Enforce port reallocation for forwarded connections in some scenarios to avoid a source port that might be in use by a local service.
The included selftest script checks this; it will show

  ERROR: portshadow test default: got reply from "CLIENT", not ROUTER as intended

on unpatched kernels.
Signed-off-by: Florian Westphal <fwestpha@redhat.com>