The motivation of it [flow table] was actually the realization that packets that go through connections that are in ESTABLISHED state always do the same thing, so what can be done is that if we put a flow table in the beginning, before we start the ingress processing, to check if the packets that were just received are part of an ESTABLISHED connection, then basically we can just do the packet manipulation that is required, such as NAT address rewrite, and TTL decrement, and then just forward the packet to the egress device. If we have this set up, we could basically bypass all the chains … bypass everything and go from ingress processing directly to the egress processing.
-- TC Connection tracking hardware offload, netdev 0x14
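The fast path described in the quote, as a toy model added here (not code from the talk or from the kernel). It shows that once a flow is in the table, only the NAT rewrite and TTL decrement still run per packet, and the chains are no longer consulted for that flow. The class names, the addresses, and the "established after two packets" rule are constructed stand-ins for connection tracking.

```python
# Toy model (constructed) of a flow table placed ahead of ingress processing.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    ttl: int

@dataclass
class FlowEntry:
    nat_src: str   # source address to write into the packet (NAT rewrite)
    egress: str    # device the packet is forwarded to

class Forwarder:
    def __init__(self, nat_src, egress, established_after=2):
        self.flows = {}       # flow table: 5-tuple -> FlowEntry
        self.seen = {}        # assumption: packet count stands in for conntrack state
        self.chain_runs = 0   # packets that traversed the full chains
        self.nat_src, self.egress = nat_src, egress
        self.established_after = established_after

    def receive(self, p):
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        entry = self.flows.get(key)
        path = "fast"
        if entry is None:
            # Slow path: the only place where the chains (rules) are evaluated.
            path = "slow"
            self.chain_runs += 1
            self.seen[key] = self.seen.get(key, 0) + 1
            entry = FlowEntry(self.nat_src, self.egress)
            if self.seen[key] >= self.established_after:
                self.flows[key] = entry   # treated as ESTABLISHED: offload it
        # Work done on both paths: NAT address rewrite and TTL decrement.
        out = replace(p, src=entry.nat_src, ttl=p.ttl - 1)
        return out, entry.egress, path

def demo():
    fw = Forwarder(nat_src="203.0.113.1", egress="eth1")
    p = Packet("10.0.0.5", 40000, "198.51.100.7", 443, "tcp", 64)
    paths = [fw.receive(p)[2] for _ in range(4)]
    return paths, fw.chain_runs

if __name__ == "__main__":
    print(demo())
```

In this model `chain_runs` stops increasing once the flow is offloaded, so any filtering decision for that flow is the one made while it was still on the slow path.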