Re: Stateless NAT in nftables with maps for performance

[Florian Westphal <fw@strlen.de>]

Juan Carlos Lazcano <juan@placidnetworks.com> wrote:
> Hi netfilter community!
> I'm trying to orchestrate the generation and maintenance of thousands of dnat & snat rules in a stateless configuration within the prerouting and forward hooks with chain types of filter, and unfortunately am hitting a big performance barrier as a result.  Its fine with a few thousand, but once we get into the tens of thousands of rules, things start slowing down linearly, which is why we would like to switch to maps.  However, I cannot figure out 1) if maps are supported in filter chains within prerouting/forward hooks and 2) if it supports the syntax for stateless nat?
> 
> For example:
> 
> table ip mytable {
> 	map dnat_map {
> 		type ipv4_addr : ipv4_addr
> 	}
> 	chain dnat {
> 		type filter hook prerouting priority raw; policy accept;
> 	}
> }
> 
> I normally generate stateless dnat's via:
> 
> $ nft add rule ip mytable dnat ip daddr 100.101.84.137 counter ip daddr set 10.11.1.32 notrack comment "comment 1"
> 
> But, lets say I want to try to replace this rule with a map.  If i populate my map with a a key pair like:
> 
> $ nft add element ip mytable dnat_map { 100.101.84.137 : 10.11.33.32 }
> 
> How can I represent my original rule using a map?

ip daddr set ip daddr map @dnat_map
~~~~~~~~     #######
   |           \ The key to query the map for
   |
   \ What you want replaced

This rule is:
  [ payload load 4b @ network header + 16 => reg 1 ] # loads the key (second ip daddr).
  [ lookup reg 1 set dnat_map dreg 1 0x0 ]           # queries map
  [ payload write reg 1 => 4b @ network header + 16 csum_type 1 csum_off 10 csum_flags 0x1 ]
  # Then places the result of the map at the location (first ip daddr).