On Sun., 20 Dec. 2020 at 22:15, Florian Westphal <fw@xxxxxxxxx> wrote:
>
> Rafael Ganascim <rganascim@xxxxxxxxx> wrote:
> > As I understand it, when a connection is already established in
> > conntrack, the packets use those entries to flow, do the translation,
> > and don't go through the entire ruleset. Is this reading correct?
>
> They skip the NAT table/nat chains, but not the rest of the ruleset.
>
> > But what about the first packet of a connection that needs to be NATed?
> > Suppose we have 1000 SRC-NAT rules; do the first packets go through
> > all of them until a match occurs?
>
> Yes.
>
> > Or is there a structure already
> > "configured" where the IP can get its NAT IP quickly?
>
> No.
>
> > And for example, for 1:1 NAT, regardless of the number of rules, what's the
> > difference between 256 src-nat rules and just one using NETMAP?
>
> None.

Thanks, Florian.

And when we have more rules...? For example, I have an LSNAT (CGNAT) box with ~12k rules in the NAT table (with jumps trying to limit the search range, etc. - it's working well). Using the NETMAP module I can translate those rules into a small set of them. Would there be performance improvements from doing that?
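The following is an added model, not part of the thread and not netfilter code, of the two behaviours Florian confirms above: the first packet of a flow walks the nat chain top to bottom until a rule matches (so a per-host SNAT chain costs up to one evaluation per rule), while later packets of that flow are served from the conntrack entry and skip the nat chain; and how NETMAP derives the mapped address by keeping the host bits and swapping the network bits, so one NETMAP rule yields exactly the same addresses as 256 per-host SNAT rules. The address ranges, the `NatBox` class and the `packet()` method are constructed for this illustration; nothing here measures real throughput.

```python
"""Model of a linear nat chain with a conntrack cache (added illustration,
not netfilter code). Addresses are constructed examples from RFC 1918/5737."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SnatRule:
    match: ipaddress.IPv4Network      # -s <match>
    to: ipaddress.IPv4Address         # -j SNAT --to-source <to>

    def render(self) -> str:
        return f"-A POSTROUTING -s {self.match} -j SNAT --to-source {self.to}"

    def translate(self, src: ipaddress.IPv4Address) -> ipaddress.IPv4Address:
        return self.to


@dataclass(frozen=True)
class NetmapRule:
    match: ipaddress.IPv4Network      # -s <match>
    to: ipaddress.IPv4Network         # -j NETMAP --to <to>

    def render(self) -> str:
        return f"-A POSTROUTING -s {self.match} -j NETMAP --to {self.to}"

    def translate(self, src: ipaddress.IPv4Address) -> ipaddress.IPv4Address:
        # NETMAP keeps the host part of src and replaces the network part.
        host_bits = int(src) & int(self.match.hostmask)
        return ipaddress.IPv4Address(int(self.to.network_address) | host_bits)


def per_host_chain(src_net: str, dst_net: str) -> list:
    """One SNAT rule per address: the 256-rule form of a /24 -> /24 1:1 NAT."""
    s, d = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
    assert s.prefixlen == d.prefixlen, "1:1 NAT needs equal-sized prefixes"
    return [SnatRule(ipaddress.ip_network(f"{a}/32"), b) for a, b in zip(s, d)]


def netmap_chain(src_net: str, dst_net: str) -> list:
    """The same mapping expressed as a single NETMAP rule."""
    s, d = ipaddress.ip_network(src_net), ipaddress.ip_network(dst_net)
    assert s.prefixlen == d.prefixlen, "1:1 NAT needs equal-sized prefixes"
    return [NetmapRule(s, d)]


class NatBox:
    """Linear nat chain plus a conntrack table keyed by the flow tuple
    (hypothetical model class; simplified to source-address NAT only)."""

    def __init__(self, chain: list):
        self.chain = chain
        self.conntrack = {}

    def packet(self, src: str, sport: int, dst: str, dport: int):
        """Return (translated source address, nat rules evaluated for this packet)."""
        src_addr = ipaddress.ip_address(src)
        key = (src_addr, sport, ipaddress.ip_address(dst), dport)
        if key in self.conntrack:
            return self.conntrack[key], 0       # established flow: nat chain skipped
        evaluated = 0
        mapped = src_addr                       # no matching rule: no translation
        for rule in self.chain:                 # first packet: walk top to bottom
            evaluated += 1
            if src_addr in rule.match:
                mapped = rule.translate(src_addr)
                break
        self.conntrack[key] = mapped            # later packets use this entry
        return mapped, evaluated


def same_mapping(chain_a: list, chain_b: list, src_net: str) -> bool:
    """True if both chains map every address of src_net to the same result."""
    for a in ipaddress.ip_network(src_net):
        ra = NatBox(chain_a).packet(str(a), 1, "198.51.100.1", 80)[0]
        rb = NatBox(chain_b).packet(str(a), 1, "198.51.100.1", 80)[0]
        if ra != rb:
            return False
    return True


if __name__ == "__main__":
    per_host = NatBox(per_host_chain("10.0.0.0/24", "203.0.113.0/24"))
    netmap = NatBox(netmap_chain("10.0.0.0/24", "203.0.113.0/24"))
    print(per_host.packet("10.0.0.200", 40000, "198.51.100.1", 80))   # 201 rules walked
    print(netmap.packet("10.0.0.200", 40000, "198.51.100.1", 80))     # 1 rule walked
    print(per_host.packet("10.0.0.200", 40000, "198.51.100.1", 80))   # 0: from conntrack
    print(netmap.chain[0].render())
```

`render()` emits the corresponding iptables-restore lines, so the two chains can be compared as text as well as by their mappings; the evaluation counter is only the number of rules visited in this model, which is what the "Yes" above refers to, not a measurement of the real chain.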