Re: Change source or destination for packets arriving locally (for Direct Server Return)

Beware that NAT-type chains only see the first packet of flows [0].

In the ruleset I see a rather complex mixture of hooks/priorities.
I would recommend not using such a complex scheme unless you really
know what you are doing.
Better to simply configure a ruleset scheme similar to what is
included in iptables, using the same hooks/priorities as described in the
docs [0].

We follow a different approach in nftables than in iptables. In
iptables, everything comes pre-configured, which is easier
but may force you to have things you don't use. In nftables everything is
open-configured, which could be a bit more complex
if you don't try to simplify.

[0] https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains
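As an added illustration of the layout recommended above (not code from this thread or from the nftables project), here is a minimal ruleset that uses the same hook/priority pairs as the stock iptables tables, so NAT decisions are taken once per flow and filtering sees every packet; the addresses and interface names are placeholders.

```nft
# Added example, not from the thread. Placeholder addresses/interfaces:
#   eth0 = public interface, 192.0.2.10 = service VIP, 10.0.0.11 = backend
table ip dsr_example {
    # NAT chains: the kernel consults them only for the FIRST packet of a
    # connection; later packets follow the conntrack entry that was created.
    chain prerouting_nat {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "eth0" ip daddr 192.0.2.10 tcp dport 80 dnat to 10.0.0.11
    }
    chain postrouting_nat {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" masquerade
    }

    # Filter chains: every packet of every flow passes through these.
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # only flows that were DNATed in prerouting may reach the backend
        ct status dnat accept
    }
}
```

Load it with `nft -f <file>` and inspect the resulting chains with `nft list ruleset` to confirm each hook carries exactly one chain at the intended priority.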


Actually, I figured it out just now: the src IP of the packet is defined on one of the interfaces.

That's why the kernel is dropping the packet.

Is there some flag to stop it from doing that?
