Rafael Ganascim <rganascim@xxxxxxxxx> wrote:
> As I understand it, when a connection is already established at
> conntrack, the packets use these entries to flow, do the translation,
> and don't go through the entire ruleset. Is this reading correct?

They skip the NAT table/nat chains, but not the rest of the ruleset.

> But what about the first connection packet that needs to be NATed?
> Suppose we have 1000 rules of SRC-NAT, are the first packets covered
> all of them until a match occurs?

Yes.

> Or is there a structure already
> "configured" where the IP can get its NAT IP quickly?

No.

> And for example, for 1:1 NAT, despite the number of rules, what's the
> difference between 256 rules of src-nat or just one using NETMAP?

None.