On Sat, Dec 5, 2015 at 2:13 AM, Pascal Hambourg <pascal@xxxxxxxxxxxxxxx> wrote: > It's not handled specially /per se/. > It's a side effect of how conntrack and NAT work. The conntrack confirm > takes place at the end of POSTROUTING, and no new NAT rule can be > applied on a confirmed connection. > > The same applies to packets belonging to an established connection : > they all skip the nat chains. That makes sense (assuming PREROUTING above). Thanks, this seems way less arbitrary. > The special thing in the loopback path is that there is no need for an > input routing decision after PREROUTING. So, what would happen if you > could actually DNAT the packet ? I would like to change its destination, then have the routing decision after PREROUTING send the packet somewhere else. Just because it arrived local doesn't mean I want it to stay local! But that's no big deal. I'm making the PREROUTING+OUTPUT chain modifications now, everything looks OK to me. -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
