Hello, I was addressing kubernetes hairpin case when a container connects to itself via exposed service. Example pod with ip 1.1.1.1 listening on port tcp 8080 and exposed via service 2.2.2.2:8080, if curl is run from inside the pod, like curl http://2.2.2.2:8080 then the packet would be first dnat to 1.1.1.1:8080 and then its source needs to be masqueraded. In iptables implementation it seems it is automatically masqueraded to host's IP whereas in nftables (all rules are equivalent) source gets masqueraded into POD's interface. I would appreciate if somebody could confirm this behavior and different in masquerading between iptables and nftables for containers. Thank you Serguei
