i'm working on a NAT server in pure XDP. but to have a robust nat functionality i wanted to track the connection (storing and fetching tracking data) and i was thinking about using the already exist netfilter conntrack data structure and functions to help with packet processing in XDP, i have some knowledge about nf_conntrack but i feel i miss something, i'm not sure exactly if i can just recieve the packet and check with netfilter conntrack if it's a new connection or not.
for example if it's a new connection :
i can just call a netfiler conntrack function which can make decision about what port i can assign as public source port and another info to a tuple.
and when the reply back i can check in nf conntrack that it's a reply and just update the packet info and pass to the internal network.
i got some inspiration from this repo : https://github.com/ti-mo/conntracct. but i see they doing only statistics, so here the packets go through the normal kernel stack.
i feel confused a little but if i managed to explain what i'm thinking about and you have a hint or a tip to direct me, i'd be grateful.
thanks.
The XDP program execution is one of the very first things that happens for received packets, so conntrack didn't occur yet at this point. There's also no BPF helper that implements the conntrack behavior out of the box.
If you want to track connections at the XDP hook, you'll have to implement your own conntrack logic in BPF. It's what Cilium does for example.