nftables routing decision

How does nftables make the routing decision about whether a packet is directed to the input or the forward chain?
Please see my example.
We have a router with nftables, a private host and a public host that redirects traffic to the private host through a tunnel.

Private host              Router                      Public host
[LAN 192.168.40.12] (5)=> [WAN 95.0.0.1]       (1)=>  [WAN 96.0.0.1]       (2)=!
|<=(4)                    [Tunnel 192.168.40.1] <=(3) [Tunnel 192.168.40.2] <=!

If I try to connect from the private network to the public host, the connection fails.
On step (5), when the private host sends its answers back to 95.0.0.1, nftables on the router puts the packets in the input chain, not the forward chain.
This behaviour appears regardless of any packet marks.
How can I change this behavior? Maybe there are some options on the raw, mangle or other chains that override the routing decision and put the packet directly in the forward chain?

By steps:
0. From another host in the LAN, query 96.0.0.1 (an HTTP GET, for example).
1. The router does masquerade or SNAT. Src ip 95.0.0.1, Dst ip 96.0.0.1.
2. The public host does DNAT. Src ip 95.0.0.1, Dst ip 192.168.40.12.
3. The packet is sent via the tunnel.
4. The router forwards the packet to 192.168.40.12 (net.ipv4.conf.tnl.accept_local must be 1). Src ip 95.0.0.1, Dst ip 192.168.40.12.
5. The private host receives the packet and sends a response. Src 192.168.40.12, Dst ip 95.0.0.1.
6. Nftables on the router receives the packet with Dst ip 95.0.0.1 and puts it on the input chain. The initial host from step 0 never gets the response.

Best Regards
Krey
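Added example (not part of the original post or of nftables itself): a small Python model of the two kernel mechanisms behind the behaviour described above, using the addresses from the post. It models the routing decision (a destination that belongs to the router is delivered to the input hook, anything else goes to forward) and the conntrack reply tuple of the step 1 SNAT flow, to show that the step 6 reply is a local delivery that does not match that flow. The LAN client address 192.168.40.50 and the router's local address set are assumptions.

```python
from dataclasses import dataclass

# Addresses the router owns (what the kernel's "local" routing table holds).
# Assumption: the router has only its WAN and tunnel addresses from the post.
ROUTER_LOCAL = {"95.0.0.1", "192.168.40.1"}

@dataclass(frozen=True)
class Tuple4:
    src: str
    dst: str

def hook_for(dst: str, local_addrs=ROUTER_LOCAL) -> str:
    """Routing decision after prerouting: a destination that belongs to the
    router itself is delivered to the input hook; anything else is forwarded.
    This is a routing-table lookup, made by the kernel, not an nftables rule."""
    return "input" if dst in local_addrs else "forward"

def reply_tuple(original: Tuple4, snat_to: str) -> Tuple4:
    """Conntrack records the reply it expects for a SNATed flow: a packet from
    the original destination, addressed to the translated source address."""
    return Tuple4(src=original.dst, dst=snat_to)

def trace_scenario():
    """Walk the packets from the post and record which hook each one hits."""
    steps = {}
    # Steps 0/1: a LAN host (constructed: 192.168.40.50) queries the public
    # host; the router masquerades the source to its WAN address 95.0.0.1.
    original = Tuple4(src="192.168.40.50", dst="96.0.0.1")
    expected_reply = reply_tuple(original, snat_to="95.0.0.1")
    steps["step1_outbound"] = hook_for(original.dst)              # forward
    # Steps 2-4: the public host DNATs to the private host and sends the
    # packet back through the tunnel; its destination is not a router address.
    from_tunnel = Tuple4(src="95.0.0.1", dst="192.168.40.12")
    steps["step4_from_tunnel"] = hook_for(from_tunnel.dst)        # forward
    # Steps 5/6: the private host answers to 95.0.0.1, which is a router
    # address, so the routing decision selects local delivery (input hook).
    reply = Tuple4(src="192.168.40.12", dst="95.0.0.1")
    steps["step6_reply"] = hook_for(reply.dst)                    # input
    # The reply is not the reply tuple of the step 1 flow (that would have to
    # come from 96.0.0.1), so conntrack does not reverse the SNAT for it.
    steps["reply_matches_snat_entry"] = (reply == expected_reply)  # False
    return steps

if __name__ == "__main__":
    for name, value in trace_scenario().items():
        print(f"{name}: {value}")
```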
