IGD2 Port triggering on eport == iport #193

Closed
andy-padavan opened this issue Mar 8, 2016 · 3 comments

@andy-padavan

Source thread:
http://miniupnp.tuxfamily.org/forum/viewtopic.php?t=1820&postdays=0&postorder=asc&start=0

After miniupnpd-1.9.20160222, each DNAT rule will also add a MASQUERADE rule to the MINIUPNPD-POSTROUTING chain. This is big fat overhead; a MASQUERADE rule is needed for different ports only.

Please add a condition to netfilter/iptcrdr.c, function "add_redirect_rule2":

#ifdef ENABLE_PORT_TRIGGERING
+       if (eport == iport)
+           return r;
        /* TODO : check if this should be done only with UDP */
        r = addmasqueraderule(proto, eport, iaddr, iport, rhost/*, ifname*/);
        if(r < 0) {
            syslog(LOG_NOTICE, "add_redirect_rule2(): addmasqueraderule returned %d", r);
        }
#endif /* ENABLE_PORT_TRIGGERING */
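
Review bot: the early `return r;` under `if (eport == iport)` leaves add_redirect_rule2 from inside the ENABLE_PORT_TRIGGERING block, so anything placed after `#endif` would be skipped whenever the ports match, and the value returned is whatever `r` held before this block. Guarding only the call, as in `if (eport != iport) { r = addmasqueraderule(...); ... }`, keeps a single exit path and leaves the syslog check attached to the call it reports on. The new condition also sits above the existing TODO without a comment of its own saying why the MASQUERADE rule is unnecessary for equal ports; one line of explanation there would help the next reader.
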
@miniupnp
Owner

miniupnp commented Mar 8, 2016

Indeed, I see in http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html#ss6.3 that

> The default behavior is to alter the connection as little as possible, within the constraints of the rule given by the user. This means we won't remap ports unless we have to.

@miniupnp
Owner

miniupnp commented Mar 8, 2016

@andy-padavan have you an opinion on
TODO : check if this should be done only with UDP ?

@andy-padavan
Author

Thanks.

A MASQUERADE rule with equal ports is really overhead, because the POSTROUTING chain always has an SNAT or MASQUERADE rule for the entire LAN subnet. All outgoing traffic to WAN will be SNAT-ed.

> have you an opinion on

Unfortunately, I do not have an Xbox One for testing. Theoretically, a POSTROUTING rule with MASQUERADE ports is needed only if there was no incoming traffic for the DNAT-ed rule.
