beware that NAT-type chains only see the first packet of a flow [0].
In the ruleset I see a rather complex mixture of hooks/priorities.
I would recommend not using such a complex scheme unless you really
know what you are doing.
Better to simply configure a ruleset scheme similar to what is
included in iptables, using same hooks/priorities as described in the
docs [0].
We follow a different approach in nftables than in iptables. In
iptables, everything comes pre-configured, which is easier
but may force you to have things you don't use. In nftables everything is
open to configuration, which could be a bit more complex
if you don't try to simplify.
[0]
https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains
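As an added illustration of the iptables-like layout recommended above (this is example configuration, not part of the original mail or of the linked wiki page): one filter table and one NAT table, each chain registered on the standard hook with the standard numeric priority that iptables uses. The interface names "lan0" and "wan0" and the allowed port are assumptions. The NAT chains carry no filtering logic because, as the mail says, they only see the first packet of each flow; all per-packet accept/drop decisions live in the filter chains.

```nft
# Example ruleset in the style of the default iptables layout.
# Priorities: mangle -150, dstnat -100, filter 0, srcnat 100 (iptables defaults).

flush ruleset

table inet filter {
    chain input {
        # hook input, priority 0 = "filter" (same as the iptables INPUT chain)
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        # assumed: allow SSH from anywhere; adjust to taste
        tcp dport 22 accept
    }

    chain forward {
        # hook forward, priority 0 (iptables FORWARD)
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # assumed interface names: only LAN -> WAN may initiate flows
        iifname "lan0" oifname "wan0" accept
    }

    chain output {
        # hook output, priority 0 (iptables OUTPUT)
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain prerouting {
        # hook prerouting, priority -100 = "dstnat" (iptables nat PREROUTING)
        # NAT chains only see the first packet of a flow: keep them NAT-only.
        type nat hook prerouting priority -100; policy accept;
    }

    chain postrouting {
        # hook postrouting, priority 100 = "srcnat" (iptables nat POSTROUTING)
        type nat hook postrouting priority 100; policy accept;
        oifname "wan0" masquerade
    }
}
```

Load it with `nft -f <file>` and inspect the result with `nft list ruleset`. Because every chain sits on the same hook and priority that iptables would use, the order in which a packet traverses dstnat, filter and srcnat matches the familiar iptables order, which makes it much easier to reason about where a packet is being dropped than with a hand-rolled mix of priorities.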
Arturo, I'm aware of this, and I only used this complex scheme to find
out WHY and WHERE my packets are getting lost.
With the structure I chose I can be sure that no other hook is dropping
them.
Since neither iptables nor nftables gives any hint why they may be
DROPPED by the kernel at the routing decision, I have to rely on
information from the community.
So where in the kernel does that routing decision after the PREROUTING
hooks happen?
rp_filter is disabled, by the way.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html