What is the efficiency of rule search for VyOS’ SNAT rules for outbound connections?
For a concrete example:
Server “wants” to originate a TCP connection from the public IP 200.3.22.33, to remote address 100.110.120.130
However, the server only has private IP addresses, and is configured to route all outgoing connections through the VyOS box on its own private IP 10.255.1.12.
Further, the server “knows” to originate its outbound connection from one of its private IP addresses, 10.252.22.33, and is “aware” that among the VyOS router’s numerous SNAT rules, there is a rule that translates that source address to the desired public outbound IP of 200.3.22.33.
For the rule search in VyOS which implements this, is the SNAT rule search linear? In other words, O(n)
where n is the number of rules?
Or does VyOS’ rule search for SNAT matching have optimisations that greatly cut down on this burden?
Thanks for any pointers, links or helpful opinions on this.
Hi @davidmcnabnz .
Once rules are loaded into Netfilter, they are processed in order, in every stage. So for example if you have many source nat rules, you should try to add most matched rule first (if possible).
Source nat is done at NAT-Postrouting stage, which is almost at the end of the packet flow. This means that before making source nat decision / action, packet was processed in previous stages, such as Filter-Forward/Input (vyos firewall rules), Mangle-Prerouting (vyos policy routes), etc,
Hope this makes it a little bit clear on the cost of nat operation, and how packets are processed while passing through the router/firewall
I doubt reordering NAT rule will give any usable gain in efficiency.
Only the first packet of a new connection will walk the nat rule set. All subsequent packets will just re-use the existing conntrack NAT entry
