2007-06-02 11:35:28
FastNAT

Since you have the capability of looking at the actual packet traces, you decide to try a simple NAT in which all packets from net1 to host2 are NATed by router1 to 10.1.1.253. The ip utility allows you to set up a one-to-one NAT mapping, which the kernel documentation calls FastNAT (the CONFIG_IP_ROUTE_NAT option): the translation is stateless and is performed by the routing code itself, driven by the RPDB, with no per-connection state and no port translation. You decide to try out the FastNAT setup with ip. The command sequence you determine for the ip utility is as follows:

ip route add nat 10.1.1.253/32 via 192.168.1.1

This NAT route declares 10.1.1.253 to be a dummy (external) address whose real (internal) counterpart is 192.168.1.1: packets arriving for 10.1.1.253 have their destination rewritten to 192.168.1.1 before forwarding. The matching source rewrite for the return direction is expressed as an RPDB rule rather than a route (ip rule with the nat attribute). Note that route-based NAT is a 2.2/2.4-era kernel feature; it was removed from the kernel during the 2.6 series, and the stateless equivalent on later kernels is the tc nat action.

Interactions between FastNAT and NetFilter

This consideration brings you to the question of the interactions between FastNAT and the NetFilter NAT. From your studies of packet pathing in Chapter 3, you might assume that you could have FastNAT and NetFilter NAT together. After all, FastNAT is implemented within the RPDB, while NetFilter NAT is implemented at the PREROUTING and POSTROUTING hook points. Such a view does not consider the reality of the kernel packet processing functions. While ideally these would be a perfectly complementary set of functions, the reality is that there are only a few places where the packet header may be manipulated by either system.

In testing the various functions you note that, so long as you do not load the actual NetFilter connection tracking module, ip_conntrack, you can do FastNAT. As soon as you load the ip_conntrack module, FastNAT stops working, even without any NetFilter rules defined. So it is the connection tracking part of NetFilter, not the NAT rules themselves, that precludes the use of FastNAT. Keep in mind that ip_conntrack is pulled in not only by the nat table (iptable_nat) but also by any rule that uses a state-dependent match such as -m state, so a box intended to do FastNAT must avoid all of these.

At least you understand now how each of these NAT mechanisms works and some of the uses and drawbacks of each. For granularity of NAT specification and flexibility of NAT structures you can use NetFilter. For speed, Policy Routing structures, and asymmetric routing you can use FastNAT. And you do note that by the simple addition of a Policy Routing system with FastNAT on the internal network you can perform whatever pure one-to-one NAT mechanisms you wish and pass those packets unmodified through the NetFilter box.
One other thought does strike you. When you consider the FastNAT structure, you realize that in the case of only needing routing-based NAT you can use the NetFilter filter and mangle tools on the same box as FastNAT, thus providing a way to select and filter NAT-destined packets. The one constraint is the one found above: the rules must use only tables, matches, and targets that do not load ip_conntrack, which rules out the nat table and -m state but leaves plain address, protocol, and port matches in the mangle PREROUTING chain available. As a quick example, you consider that by defining a packet filter on the PREROUTING hook that only allows packets destined to a certain port, you effectively allow for a FastNAT based on a single port. A whole realm of possibilities opens up for those scenarios.
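The following shell script is an added example, not code from the book or the original post. It pulls together the two things described above: the full bidirectional one-to-one FastNAT mapping for the scenario (the book shows only the nat route; the matching ip rule for the return direction and the route cache flush are this example's additions), the single-port restriction placed in the mangle PREROUTING chain, and the preflight check that no connection tracking module is loaded, since that is what silently disables FastNAT. The addresses (10.1.1.253 as the external address of internal host 192.168.1.1) and the port (TCP 80) are assumptions chosen to match the page's scenario; the commands are only printed unless the script is run as root with --apply, and they require a 2.4-era kernel built with CONFIG_IP_ROUTE_NAT.

```shell
#!/bin/sh
# Added example (not from the book): one-to-one FastNAT with iproute2,
# a port restriction that does not load ip_conntrack, and a preflight check.
# Assumed addresses for the page's scenario:
#   EXT=10.1.1.253 (dummy/external), INT=192.168.1.1 (real/internal), PORT=80

# Print the iproute2 commands for a bidirectional one-to-one stateless NAT.
# $1 = external (dummy) address, $2 = internal (real) address
fastnat_cmds() {
    ext=$1
    int=$2
    # Inbound: packets addressed to EXT get their destination rewritten to INT.
    echo "ip route add nat $ext/32 via $int"
    # Outbound: packets sourced from INT get their source rewritten to EXT.
    echo "ip rule add from $int nat $ext"
    # Flush the routing cache so existing cached decisions do not bypass the rule.
    echo "ip route flush cache"
}

# Print iptables commands that let only TCP $2 reach EXT ($1) through the
# NAT route. Only the mangle table is used: the nat table or -m state would
# load ip_conntrack and stop FastNAT from working.
fastnat_port_filter_cmds() {
    ext=$1
    port=$2
    echo "iptables -t mangle -A PREROUTING -d $ext -p tcp --dport $port -j ACCEPT"
    echo "iptables -t mangle -A PREROUTING -d $ext -j DROP"
}

# Preflight: return 0 (true) if a connection tracking module is listed in the
# given modules file (default /proc/modules), 1 otherwise.
conntrack_loaded() {
    grep -Eq '^(ip_conntrack|nf_conntrack)' "${1:-/proc/modules}"
}

# Run the generated commands through sh only when explicitly asked.
case "${1:-}" in
    --apply)
        if conntrack_loaded; then
            echo "connection tracking is loaded; FastNAT will not work" >&2
            exit 1
        fi
        fastnat_cmds 10.1.1.253 192.168.1.1 | sh -e
        fastnat_port_filter_cmds 10.1.1.253 80 | sh -e
        ;;
    "")
        # Default: just show what would be applied.
        fastnat_cmds 10.1.1.253 192.168.1.1
        fastnat_port_filter_cmds 10.1.1.253 80
        ;;
esac
```

Run it without arguments to review the commands, then `sh fastnat.sh --apply` as root on the router. If the preflight fails, `rmmod ip_conntrack` (after unloading iptable_nat and anything else that depends on it) before retrying.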