Hello again,

> Given the ruleset you have shown TCP
> should "fail" too.

added a counter to "meta mark and $mark_portforward != 0 return", indeed
only the first packet gets counted.
Thank you very much for pointing that out.

The normal way to accept packets from a nat'ed connection is something
like 'ct status dnat accept'

"ct state dnat accept" leads me to this bug.
http://lists.netfilter.org/pipermail/netfilter-buglog/2016-March/003393.html

I don't know why it works for tcp, then... Providing the full ruleset
isn't possible at the moment unfortunately. I'll try to provide a
minimal working example.

Best,
Philip
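To make the difference between the two approaches discussed in this thread concrete, here is an added, self-contained nftables ruleset that is not Philip's ruleset and not taken from the list archive. The interface names, the 192.0.2.10:80 target, port 8080 and the mark value are placeholders. It shows why a counter on a packet-mark match sees only the first packet of a port-forwarded connection, while a counter on `ct status dnat` sees every packet: a chain of `type nat` is traversed only by the first packet of each connection, so a mark set there is carried by that packet alone, whereas the dnat status lives in the conntrack entry and is visible for the whole connection.

```nftables
# Added example ruleset (placeholders, not the original poster's configuration).
define wan_if = "eth0"
define mark_portforward = 0x10

table ip portfwd {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Only the first packet of a connection passes through a nat chain,
        # so the packet mark set here exists on that first packet only.
        iifname $wan_if tcp dport 8080 meta mark set $mark_portforward counter dnat to 192.0.2.10:80
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # The dnat status is a property of the conntrack entry, so this rule
        # (and its counter) matches every packet of the forwarded connection.
        ct status dnat counter accept
        # Matching the packet mark counts only the first packet of the
        # connection, which is the behaviour observed in the thread.
        meta mark $mark_portforward counter
        ct state established,related accept
    }
}
```

Load it with `nft -f <file>` and inspect the counters with `nft list table ip portfwd` after some forwarded traffic: the `ct status dnat` counter keeps climbing while the `meta mark` counter stays at one per connection. If a mark is needed on every packet, it has to be copied into the conntrack entry (`ct mark set meta mark`) and restored on later packets (`meta mark set ct mark`); `ct status dnat` avoids that bookkeeping entirely.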