Actually it’s simple than “NAT”, technically. Normally when we said “NAT”, it’s not just NAT (Network Address Translate), but a NAT plus a stateful firewall (see documents below). The conntrack here is a stateful firewall as in “NAT”. And compare to create a map from (paddr, pport) to (iaddr, iport) and match the later, it’s more simple to just match suffix of address.
deleted by creator
If I go for SLAAC with privacy extensions and I keep paying for a static IP (v4 & v6) to my ISP then I can’t implement any firewall rules for specific devices as devices will change their IP regularly. And its even worse if I don’t pay for a static IPv6 prefix.
I don’t know which firewall software you used. But if you use nftables, which support suffix match and conntrack for TCP/UDP, you can block all new (identified by conntrack) income (since privacy extension design for outcome) and allow income with specific suffix (for SLAAC with EUI-64, it will stable), needn’t care about which prefix was used.
Please read this article authored by maintainer of Linux kernel memory management subsystem and cgroup subsystem, Chris Down.
https://chrisdown.name/2018/01/02/in-defence-of-swap.html
And there is another article with some additional informations about swap authored by @farseerfc@sn.angry.im who tranlated the article above to Chinese.
https://farseerfc.me/followup-about-swap.html (only Chinese version available)