CONCEPT Cited by 1 source
Stateless NAT via eBPF¶
Stateless NAT via eBPF replaces Linux's stateful iptables + conntrack NAT with an eBPF program that rewrites packet headers based on a predetermined mapping, without allocating connection state.
The key word is predetermined: the mapping from inside-address to outside-address is known ahead of time (at slot-assignment time, DHCP-lease time, or namespace-setup time) — not discovered as flows arrive. Because the mapping is fixed, no per-flow state table needs to be maintained.
Why stateful NAT is load-bearing elsewhere¶
Classical NAT (home router masquerade, carrier-grade NAT) is stateful because:
- The inside-set is dynamic — clients arrive and leave.
- Outside port assignments must be unique per concurrent flow.
- Return-path demultiplexing needs per-flow memory to invert the translation.
Linux implements this via conntrack, a per-flow state table. The first packet of a flow allocates an entry (and, under masquerade, picks a free source port); every later packet on the flow costs a hash lookup plus, usually, a state update (timeout refresh, TCP state tracking). The table has a fixed maximum size, and under churn the allocation and expiry work is the bottleneck.
When stateless NAT works¶
- The inside-set is enumerable and bounded (e.g., a cloud substrate knows exactly which micro-VMs exist per host).
- Mappings can be precomputed and loaded into an eBPF map before traffic arrives.
- The control plane owns the mapping assignment (no on-the-fly port allocation), and the mapping is invertible from the packet's own addresses, so the return path is translated with the same map rather than with a remembered flow.
AWS Lambda's setup fits all three: a worker knows up front which 4,000 VM slots exist and which internal addresses map to which external addresses. See concepts/double-nat.
What eBPF gives you¶
- No conntrack allocation — eliminates the conntrack-table bottleneck that scales poorly with concurrent flows.
- Header rewrite is O(1) per packet — a few eBPF map lookups and field overwrites, plus incremental checksum fix-ups for the IPv4 header and for the TCP/UDP checksum (which covers the address pseudo-header); the kernel helpers bpf_l3_csum_replace and bpf_l4_csum_replace do these without recomputing over the payload.
- Runs in kernel context but loadable from user-space — no kernel module to build and maintain. See patterns/upstream-the-fix for the upstream-vs-fork decision framing.
- Can be attached at multiple hook points (TC ingress/egress, XDP) — flexibility the Lambda post doesn't fully disclose but is implicit. Note that XDP runs only on the receive path, so the outbound inside→outside rewrite has to live at TC egress; XDP can only serve the inbound inversion.
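The following is an added example, not code from the Lambda post or from AWS: a plain-C model of the per-packet work that the "when stateless NAT works" conditions and the "what eBPF gives you" points above describe. It assumes a 1:1 address mapping held in a small static array standing in for a BPF hash map, packets that start at the IPv4 header with no options, and constructed addresses (the 10.0.0.x / 100.64.0.x pairs and the 203.0.113.9 peer are made up). It shows two things the bullets gloss over: the IPv4 and TCP/UDP checksums must be fixed incrementally (RFC 1624), and the return path is inverted by the same map, with no flow state read or written in either direction.

```c
/* Stateless 1:1 NAT data path modelled in plain C. Added example, not the Lambda
 * team's eBPF program: it reproduces the per-packet work a TC-attached program
 * does (map lookup, address overwrite, incremental checksum fix-up), starting at
 * the IPv4 header. Addresses and packets are constructed sample values. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* The "BPF map": inside<->outside pairs the control plane loads before traffic. */
struct nat_entry { uint32_t inside, outside; };
static const struct nat_entry NAT_TABLE[] = {
    { 0x0a000002u, 0x64400001u },   /* 10.0.0.2 <-> 100.64.0.1 (constructed) */
    { 0x0a000003u, 0x64400002u },   /* 10.0.0.3 <-> 100.64.0.2 (constructed) */
};
#define NAT_TABLE_LEN (sizeof NAT_TABLE / sizeof NAT_TABLE[0])

enum nat_dir { NAT_EGRESS, NAT_INGRESS };
/* Field offsets for an IHL=5 IPv4 header and the L4 checksum fields. */
enum { IP_PROTO = 9, IP_CHECK = 10, IP_SADDR = 12, IP_DADDR = 16, IP_HLEN = 20,
       UDP_CHECK = 6, TCP_CHECK = 16, PROTO_TCP = 6, PROTO_UDP = 17 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }
static uint16_t csum_fold(uint32_t s) { while (s >> 16) s = (s & 0xffff) + (s >> 16); return (uint16_t)s; }

/* Full Internet checksum over a buffer, seeded with an optional pre-summed
 * pseudo-header. A buffer already carrying a correct checksum yields 0. */
static uint16_t csum_buf(const uint8_t *p, size_t len, uint32_t seed)
{
    uint32_t s = seed;
    for (; len > 1; len -= 2, p += 2) s += rd16(p);
    if (len) s += (uint32_t)p[0] << 8;
    return (uint16_t)~csum_fold(s);
}

/* TCP/UDP pseudo-header: saddr, daddr, zero:proto, L4 length. */
static uint32_t pseudo_sum(const uint8_t *ip, uint16_t l4len)
{
    return (uint32_t)rd16(ip + IP_SADDR) + rd16(ip + IP_SADDR + 2) +
           rd16(ip + IP_DADDR) + rd16(ip + IP_DADDR + 2) + ip[IP_PROTO] + l4len;
}

/* RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), for a 32-bit field: the arithmetic
 * bpf_l3_csum_replace()/bpf_l4_csum_replace() perform for a 4-byte replacement. */
static uint16_t csum_replace4(uint16_t check, uint32_t ov, uint32_t nv)
{
    uint32_t s = (uint16_t)~check;
    s += (uint16_t)~(ov >> 16); s += (uint16_t)~(ov & 0xffff);
    s += nv >> 16;              s += nv & 0xffff;
    return (uint16_t)~csum_fold(s);
}

/* Per-packet step. Egress rewrites saddr inside->outside; ingress rewrites daddr
 * outside->inside. No flow state is read or written. Returns 1 if translated,
 * 0 if the address has no mapping (a real program would then pass or drop). */
static int nat_rewrite(uint8_t *pkt, size_t len, enum nat_dir dir)
{
    if (len < IP_HLEN || pkt[0] != 0x45) return 0;          /* IPv4 without options only */
    size_t off = dir == NAT_EGRESS ? IP_SADDR : IP_DADDR;
    uint32_t ov = rd32(pkt + off), nv = 0;
    for (size_t i = 0; i < NAT_TABLE_LEN; i++) {             /* the map lookup */
        if (dir == NAT_EGRESS  && NAT_TABLE[i].inside  == ov) nv = NAT_TABLE[i].outside;
        if (dir == NAT_INGRESS && NAT_TABLE[i].outside == ov) nv = NAT_TABLE[i].inside;
    }
    if (!nv) return 0;
    wr32(pkt + off, nv);
    wr16(pkt + IP_CHECK, csum_replace4(rd16(pkt + IP_CHECK), ov, nv));
    /* The L4 checksum covers the pseudo-header, so it moves by the same delta. */
    int l4 = pkt[IP_PROTO] == PROTO_UDP ? UDP_CHECK : pkt[IP_PROTO] == PROTO_TCP ? TCP_CHECK : -1;
    if (l4 >= 0 && len >= IP_HLEN + (size_t)l4 + 2) {
        uint16_t c = rd16(pkt + IP_HLEN + l4);
        if (pkt[IP_PROTO] == PROTO_UDP && c == 0) return 1;   /* UDP checksum disabled */
        c = csum_replace4(c, ov, nv);
        if (pkt[IP_PROTO] == PROTO_UDP && c == 0) c = 0xffff;  /* UDP sends zero as 0xffff */
        wr16(pkt + IP_HLEN + l4, c);
    }
    return 1;
}

/* Residual checks: 0 means the checksum matches the current header contents. */
static uint16_t ipv4_csum_residual(const uint8_t *pkt) { return csum_buf(pkt, IP_HLEN, 0); }
static uint16_t l4_csum_residual(const uint8_t *pkt, size_t len)
{
    uint16_t l4len = (uint16_t)(len - IP_HLEN);
    return csum_buf(pkt + IP_HLEN, l4len, pseudo_sum(pkt, l4len));
}

/* Constructed IPv4/UDP datagram saddr:40000 -> daddr:53 with valid checksums. */
static size_t build_sample(uint8_t *pkt, uint32_t saddr, uint32_t daddr)
{
    static const uint8_t payload[] = "stateless!";           /* odd length incl. NUL */
    size_t l4len = 8 + sizeof payload, len = IP_HLEN + l4len;
    memset(pkt, 0, len);
    pkt[0] = 0x45; wr16(pkt + 2, (uint16_t)len); pkt[8] = 64; pkt[IP_PROTO] = PROTO_UDP;
    wr32(pkt + IP_SADDR, saddr); wr32(pkt + IP_DADDR, daddr);
    wr16(pkt + IP_CHECK, csum_buf(pkt, IP_HLEN, 0));
    uint8_t *udp = pkt + IP_HLEN;
    wr16(udp, 40000); wr16(udp + 2, 53); wr16(udp + 4, (uint16_t)l4len);
    memcpy(udp + 8, payload, sizeof payload);
    uint16_t c = csum_buf(udp, l4len, pseudo_sum(pkt, (uint16_t)l4len));
    wr16(udp + UDP_CHECK, c ? c : 0xffff);
    return len;
}

/* Egress, then the peer's reply on ingress, then an unmapped host; 0 = all good. */
static int run_checks(void)
{
    uint8_t pkt[64];
    size_t len = build_sample(pkt, 0x0a000002u, 0xcb007109u);     /* 10.0.0.2 -> 203.0.113.9 */
    if (nat_rewrite(pkt, len, NAT_EGRESS) != 1 || rd32(pkt + IP_SADDR) != 0x64400001u) return 1;
    if (ipv4_csum_residual(pkt) || l4_csum_residual(pkt, len)) return 2;
    len = build_sample(pkt, 0xcb007109u, 0x64400001u);            /* reply to 100.64.0.1 */
    if (nat_rewrite(pkt, len, NAT_INGRESS) != 1 || rd32(pkt + IP_DADDR) != 0x0a000002u) return 3;
    if (ipv4_csum_residual(pkt) || l4_csum_residual(pkt, len)) return 4;
    len = build_sample(pkt, 0x0a000063u, 0xcb007109u);            /* 10.0.0.99: no mapping */
    if (nat_rewrite(pkt, len, NAT_EGRESS) != 0) return 5;
    return 0;
}

int main(void) { int rc = run_checks(); printf("run_checks() = %d\n", rc); return rc; }
```

In a real TC program the body of nat_rewrite becomes bpf_map_lookup_elem on two hash maps (inside→outside for egress, outside→inside for ingress), bpf_skb_store_bytes for the address, and bpf_l3_csum_replace / bpf_l4_csum_replace (the latter with BPF_F_PSEUDO_HDR) for the checksums; the "no mapping" branch is where the program chooses between TC_ACT_OK and TC_ACT_SHOT. The point to notice is what is absent: nothing is allocated on the first packet and nothing is looked up per flow, so the cost does not grow with the number of concurrent flows.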
AWS Lambda's result¶
Replacing stateful NAT with stateless-eBPF packet mangling dropped NAT setup latency by 100× at multi-thousand-micro-VM density. (Source: sources/2026-04-22-allthingsdistributed-invisible-engineering-behind-lambdas-network.)
Related wiki patterns¶
- patterns/ebpf-header-rewrite-on-egress — the closely related Geneve-VNI-rewrite case; both are instances of "use eBPF to rewrite packet fields based on an ahead-of-time-known mapping."
- concepts/double-nat — the pre-fix pathology.
Seen in¶
- sources/2026-04-22-allthingsdistributed-invisible-engineering-behind-lambdas-network — canonical wiki disclosure of Lambda's stateful-NAT → stateless-eBPF replacement.