netfilter: nat: restore default DNAT behavior

JIRA: https://issues.redhat.com/browse/RHEL-115630
Upstream Status: commit 0f1ae28

commit 0f1ae28
Author: Kyle Swenson <kyle.swenson@est.tech>
Date:   Thu Feb 8 23:56:31 2024 +0000

    netfilter: nat: restore default DNAT behavior

    When a DNAT rule is configured via iptables with different port ranges,

    iptables -t nat -A PREROUTING -p tcp -d 10.0.0.2 -m tcp --dport 32000:32010
    -j DNAT --to-destination 192.168.0.10:21000-21010

    we seem to be DNATing to some random port on the LAN side. While this is
    expected if --random is passed to the iptables command, it is not
    expected without passing --random.  The expected behavior (and the
    observed behavior prior to the commit in the "Fixes" tag) is the traffic
    will be DNAT'd to 192.168.0.10:21000 unless there is a tuple collision
    with that destination.  In that case, we expect the traffic to be
    instead DNAT'd to 192.168.0.10:21001, so on so forth until the end of
    the range.

    This patch intends to restore the behavior observed prior to the "Fixes"
    tag.

    Fixes: 6ed5943 ("netfilter: nat: remove l4 protocol port rovers")
    Signed-off-by: Kyle Swenson <kyle.swenson@est.tech>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Signed-off-by: Florian Westphal <fwestpha@redhat.com>

Author: fw-strlen

net/netfilter/nf_nat_core.c

@@ -544,8 +544,11 @@ static void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple,
 find_free_id:
 	if (range->flags & NF_NAT_RANGE_PROTO_OFFSET)
 		off = (ntohs(*keyptr) - ntohs(range->base_proto.all));
-	else
+	else if ((range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL) ||
+		 maniptype != NF_NAT_MANIP_DST)
 		off = prandom_u32();
+	else
+		off = 0;
 
 	attempts = range_size;
 	if (attempts > NF_NAT_MAX_ATTEMPTS)