SNAT, Use alternative forwarding path via nftables flowtable (fastpath bypass)
```
                                         userspace process
                                          ^              |
                                          |              |
                                     _____|____     ____\/___
                                    /          \   /         \
                                    |   input   |  |  output  |
                                    \__________/   \_________/
                                         ^               |
                                         |               |
      _________      __________      ---------     _____\/_____
     /         \    /          \     |Routing |   /            \
  -->  ingress  ---> prerouting ---> |decision|   | postrouting |--> neigh_xmit
     \_________/    \__________/     ----------   \____________/          ^
       |     ^                          |               ^                 |
   flowtable |                     ____\/___            |                 |
       |     |                    /         \           |                 |
    __\/___  |                    | forward |------------                 |
    |-----|  |                    \_________/                             |
    |-----|  |                 'flow offload' rule                        |
    |-----|  |                   adds entry to                            |
    |_____|  |                     flowtable                              |
       |     |                                                            |
      / \    |                                                            |
     /hit\_no_|                                                           |
     \ ? /                                                                |
      \ /                                                                 |
       |__yes_________________fastpath bypass ____________________________|
```
Example configuration:
```
table inet x {
	flowtable f {
		hook ingress priority 0; devices = { eth0, eth1 };
	}
	chain y {
		type filter hook forward priority 0; policy accept;
		ip protocol tcp flow offload @f
		counter packets 0 bytes 0
	}
}
```
Example NAT ruleset:
```
vyos@r14:~$ cat nat.nft
flush ruleset
table ip filter {
	flowtable fastnat {
		hook ingress priority filter
		devices = { eth0, eth1 }
	}
	chain forward {
		type filter hook forward priority filter; policy accept;
		ip protocol { tcp, udp } flow add @fastnat
	}
}
table ip nat {
	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		ip saddr 192.0.2.0/24 oif "eth0" snat to 192.168.122.14 persistent
	}
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
	}
}
```
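The following is an added toy model (not kernel code and not part of the VyOS ruleset above) of the two forwarding paths in the diagram, driven by the SNAT ruleset just shown. It assumes a constructed routing table (192.0.2.0/24 behind eth1, everything else via eth0), a minimal conntrack, and the kernel's behaviour that a connection is only offloaded once conntrack has seen the reply direction (established). It shows why the `counter` placed after the `flow offload` / `flow add` rule in the kernel example stops incrementing: packets that hit the ingress flowtable never reach the forward chain, and the SNAT mapping recorded on the slow path is applied directly on the fastpath in both directions.

```python
"""Toy model of the nftables flowtable fastpath (added illustration, not kernel code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """5-tuple as seen on the wire at ingress."""
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.daddr, self.dport, self.saddr, self.sport)


@dataclass
class Conn:
    orig: Flow            # original direction, as received (pre-SNAT addresses)
    reply: Flow           # reply direction, as received (post-SNAT addresses)
    established: bool = False


class Router:
    # constructed topology matching the page's SNAT rule: LAN on eth1, WAN on eth0
    LAN_NET = ip_network("192.0.2.0/24")
    SNAT_TO = "192.168.122.14"    # 'snat to 192.168.122.14' from the ruleset

    def __init__(self) -> None:
        self.conntrack: dict[Flow, Conn] = {}
        self.flowtable: dict[Flow, tuple[Flow, str]] = {}   # lookup -> (tuple to send, oif)
        self.forward_counter = 0      # the 'counter' rule after 'flow add' in chain forward
        self.path_log: list[str] = []

    def route(self, daddr: str) -> str:
        return "eth1" if ip_address(daddr) in self.LAN_NET else "eth0"

    def receive(self, flow: Flow) -> tuple[Flow, str]:
        """Ingress hook: a flowtable hit bypasses prerouting/forward/postrouting."""
        if flow in self.flowtable:
            self.path_log.append("fastpath")
            return self.flowtable[flow]
        return self.slow_path(flow)

    def slow_path(self, flow: Flow) -> tuple[Flow, str]:
        """Classic path: conntrack, routing, forward chain, postrouting SNAT."""
        self.path_log.append("slow")
        conn = self.conntrack.get(flow)
        if conn is None:
            # New connection: decide the SNAT mapping once (kernel does this in the
            # postrouting nat chain) and remember the reply tuple for both lookups.
            out = flow
            if self.route(flow.daddr) == "eth0" and ip_address(flow.saddr) in self.LAN_NET:
                out = Flow(flow.proto, self.SNAT_TO, flow.sport, flow.daddr, flow.dport)
            conn = Conn(orig=flow, reply=out.reverse())
            self.conntrack[flow] = conn
            self.conntrack[conn.reply] = conn
        elif flow == conn.reply:
            conn.established = True   # reply seen: conntrack moves to ESTABLISHED

        if flow == conn.orig:          # LAN -> WAN: apply SNAT
            out, oif = conn.reply.reverse(), self.route(flow.daddr)
        else:                          # WAN -> LAN: undo SNAT
            out, oif = conn.orig.reverse(), self.route(conn.orig.saddr)

        # chain forward: 'ip protocol { tcp, udp } flow add @fastnat'
        # Only established connections are offloaded; both directions get an entry.
        if conn.established and flow.proto in ("tcp", "udp"):
            self.flowtable[conn.orig] = (conn.reply.reverse(), self.route(conn.orig.daddr))
            self.flowtable[conn.reply] = (conn.orig.reverse(), self.route(conn.orig.saddr))

        # 'counter' rule after the flow rule: sees slow-path packets only
        self.forward_counter += 1
        return out, oif


def demo() -> tuple[list[str], int]:
    """Constructed TCP handshake from a LAN host through the SNAT router."""
    r = Router()
    syn = Flow("tcp", "192.0.2.10", 40000, "203.0.113.5", 443)
    synack = Flow("tcp", "203.0.113.5", 443, Router.SNAT_TO, 40000)
    r.receive(syn)        # slow path, not yet offloaded (conntrack NEW)
    r.receive(synack)     # slow path, becomes ESTABLISHED, flowtable populated
    r.receive(syn)        # fastpath: SNAT applied without touching chain forward
    r.receive(synack)     # fastpath in the reply direction
    return r.path_log, r.forward_counter


if __name__ == "__main__":
    print(demo())   # (['slow', 'slow', 'fastpath', 'fastpath'], 2)
```

The practical consequence for a filtering ruleset: any forward-chain rule placed after the `flow add` rule, including counters and logging, only ever sees the first packets of a connection, so policy decisions must be taken by rules that precede it (or in a chain the offload rule never reaches).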
https://www.kernel.org/doc/html/v5.10/networking/nf_flowtable.html
https://lwn.net/Articles/738214/