SNAT, Use alternative forwarding path via nftables flowtable (fastpath bypass)
userspace process ^ | | | _____|____ ____\/___ / \ / \ | input | | output | \__________/ \_________/ ^ | | | _________ __________ --------- _____\/_____ / \ / \ |Routing | / \ --> ingress ---> prerouting ---> |decision| | postrouting |--> neigh_xmit \_________/ \__________/ ---------- \____________/ ^ | ^ | ^ | flowtable | ____\/___ | | | | / \ | | __\/___ | | forward |------------ | |-----| | \_________/ | |-----| | 'flow offload' rule | |-----| | adds entry to | |_____| | flowtable | | | | / \ | | /hit\_no_| | \ ? / | \ / | |__yes_________________fastpath bypass ____________________________|
Example configuration:
table inet x { flowtable f { hook ingress priority 0; devices = { eth0, eth1 }; } chain y { type filter hook forward priority 0; policy accept; ip protocol tcp flow offload @f counter packets 0 bytes 0 } }
Example NAT
vyos@r14:~$ cat nat.nft flush ruleset table ip filter { flowtable fastnat { hook ingress priority filter devices = { eth0, eth1 } } chain forward { type filter hook forward priority filter; policy accept; ip protocol { tcp, udp } flow add @fastnat } } table ip nat { chain POSTROUTING { type nat hook postrouting priority srcnat; policy accept; ip saddr 192.0.2.0/24 oif "eth0" snat to 192.168.122.14 persistent } chain PREROUTING { type nat hook prerouting priority dstnat; policy accept; } }
https://www.kernel.org/doc/html/v5.10/networking/nf_flowtable.html
https://lwn.net/Articles/738214/
https://blog.fearcat.in/a?ID=01600-b829de09-5dee-4117-afb5-28b005e630a2