diff --git a/nat.nft b/nat.nft
index 7079893..d8e152d 100644
--- a/nat.nft
+++ b/nat.nft
@@ -18,13 +18,22 @@ table ip nftables_svc {
 elements = { 192.168.122.0/24 }
 }
+ # [CVE-2021-3773] force port randomization for non-locally originated
+ # connections using suspicious port values to prevent port-shadow
+ # attacks, i.e. accidental matching of new inbound connections vs.
+ # existing ones
+ chain do_masquerade {
+ meta iif > 0 th sport < 16384 th dport >= 32768 masquerade random
+ masquerade
+ }
+
 # base-chain to manipulate conntrack in postrouting,
 # will see packets for new or related traffic only
 chain POSTROUTING {
 type nat hook postrouting priority srcnat + 20 policy accept
- iifname @masq_interfaces oifname != @masq_interfaces masquerade
- ip saddr @masq_ips masquerade
+ iifname @masq_interfaces oifname != @masq_interfaces jump do_masquerade
+ ip saddr @masq_ips jump do_masquerade
 }
 }
diff --git a/nftables.spec b/nftables.spec
index f378691..0bac394 100644
--- a/nftables.spec
+++ b/nftables.spec
@@ -1,6 +1,6 @@
 Name: nftables
 Version: 1.0.1
-Release: 3%{?dist}
+Release: 4%{?dist}
 # Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track.
 Epoch: 1
 Summary: Netfilter Tables userspace utilites
@@ -131,6 +131,9 @@ sed -i -e 's/\(sofile=\)".*"/\1"'$sofile'"/' \
 %{python3_sitelib}/nftables/
 %changelog
+* Tue Mar 08 2022 Phil Sutter - 1:1.0.1-4
+- Prevent port-shadow attacks in sample nat config. Fixes rhbz#2061917
+
 * Thu Feb 03 2022 Phil Sutter - 1:1.0.1-3
 - Ship a more advanced default config. Fixes rhbz#1999596
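Review bot: The thresholds in the first `do_masquerade` rule (`th sport < 16384`, `th dport >= 32768`) are left unexplained, so a maintainer tuning the sample config cannot tell which side of the heuristic each bound guards; I would extend the chain comment with `# heuristic: a forwarded flow whose source port is below the usual ephemeral range but whose destination port is inside it looks like a crafted/shadowing attempt rather than a normal client connection, so its mapped port is randomized instead of preserved`. It is also worth stating in the comment that the second, unconditional `masquerade` is the fallback for everything the first rule does not match — including packets the `th` expression cannot evaluate (protocols without transport ports) and locally originated traffic, which `meta iif > 0` deliberately excludes — since the two lines otherwise read as if both could apply; as far as I can tell masquerade is terminal in the nat path, so the fallback is only reached when the first rule does not fire, but that should be confirmed against the kernel behaviour for the target release. The surrounding `table ip nftables_svc` block starts before the hunk.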