Question: SNAT rule search efficiency

Hi all,

What is the efficiency of rule search for VyOS’ SNAT rules for outbound connections?

For a concrete example:

Server “wants” to originate a TCP connection from the public IP, to remote address

However, the server only has private IP addresses, and is configured to route all outgoing connections through the VyOS box on its own private IP

Further, the server “knows” to originate its outbound connection from one of its private IP addresses,, and is “aware” that among the VyOS router’s numerous SNAT rules, there is a rule that translates that source address to the desired public outbound IP of

For the rule search in VyOS which implements this, is the SNAT rule search linear? In other words, O(n)
where n is the number of rules?

Or does VyOS’ rule search for SNAT matching have optimisations that greatly cut down on this burden?

Thanks for any pointers, links or helpful opinions on this.


Hi, @davidmcnabnz please read the VyOS documentation about NAT if you have not read it yet. You may find answers to your questions. I will drop the link below

Hi @davidmcnabnz .
Once rules are loaded into Netfilter, they are processed in order, in every stage. So for example if you have many source nat rules, you should try to add most matched rule first (if possible).

As said, rules are processed in order in every stage. Check Netfilter packet flow in order to have an idea on all the process done

Source nat is done at NAT-Postrouting stage, which is almost at the end of the packet flow. This means that before making source nat decision / action, packet was processed in previous stages, such as Filter-Forward/Input (vyos firewall rules), Mangle-Prerouting (vyos policy routes), etc,

Hope this makes it a little bit clear on the cost of nat operation, and how packets are processed while passing through the router/firewall

I doubt reordering NAT rule will give any usable gain in efficiency.
Only the first packet of a new connection will walk the nat rule set. All subsequent packets will just re-use the existing conntrack NAT entry