Is there a way to set up a stateless NAT that updates ICMP payloads i.e. destination-unreachable (type 3)? With the current rules I have (shown below) I am able to receive ICMP destination-unreachable packets but the payload is wrong causing them to be dropped by clients. This pretty much breaks traceroute on both sides.

Internal to external:
IPv4 Header - Src: 192.0.2.2, Dst: 100.64.1.105
ICMP Type 3 Payload - Src: 203.0.113.100, Dst: 192.0.2.2

External to internal:
IPv4 Header - Src: 203.0.113.100, Dst: 203.0.113.200
ICMP Type 3 Payload - Src: 203.0.113.200, Dst: 100.64.1.105

table ip NAT {
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        iif "eth0" ip daddr 203.0.113.100 ip daddr set 100.64.1.105 notrack return
    }

    chain postrouting {
        type filter hook postrouting priority raw; policy accept;
        oif "eth0" ip saddr 100.64.1.105 ip saddr set 203.0.113.100 notrack return
    }
}

As a side note, tc performs ICMP modifications (but doesn't meet my needs) which is why I'm thinking nftables should be able to do it as well.

--
Thanks,
Echo Nar
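
The byte-level rewrite an ICMP-aware translator has to perform on the two packets above, as an added Python illustration that is not part of the original post and is not nftables or tc code. All function names are assumptions, the sample packets are constructed from the addresses in the post, and the quoted transport header is left untouched.

```python
import socket
import struct

ICMP_ERRORS = {3, 4, 5, 11, 12}  # ICMP types that quote the offending datagram

def csum(data):  # RFC 1071 Internet checksum
    if len(data) % 2:
        data = bytes(data) + b"\0"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def ip_header(src, dst, proto, payload_len):
    h = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                              64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst)))
    h[10:12] = struct.pack("!H", csum(h))
    return bytes(h)

def icmp_error(outer_src, outer_dst, inner_src, inner_dst):
    """Constructed sample: type 3 code 3 quoting an IPv4 header plus 8 UDP bytes."""
    quoted = ip_header(inner_src, inner_dst, 17, 8) + struct.pack("!HHHH", 40000, 33434, 8, 0)
    icmp = bytearray(struct.pack("!BBHI", 3, 3, 0, 0) + quoted)
    icmp[2:4] = struct.pack("!H", csum(icmp))
    return ip_header(outer_src, outer_dst, 1, len(icmp)) + bytes(icmp)

def set_csum(p, start, end, field):
    p[field:field + 2] = b"\0\0"
    p[field:field + 2] = struct.pack("!H", csum(p[start:end]))

def translate(pkt, old, new):
    """Swap address `old` for `new` in the outer header and, for ICMP errors, in the quoted header."""
    p, o, n = bytearray(pkt), socket.inet_aton(old), socket.inet_aton(new)
    ihl = (p[0] & 0x0F) * 4
    is_error = p[9] == 1 and p[ihl] in ICMP_ERRORS
    inner = ihl + 8  # the quoted IPv4 header follows the 8-byte ICMP header
    for base in (0, inner) if is_error else (0,):
        for off in (12, 16):  # source and destination address fields
            if p[base + off:base + off + 4] == o:
                p[base + off:base + off + 4] = n
    if is_error:
        # Quoted header checksum first: the ICMP checksum covers it.
        set_csum(p, inner, inner + (p[inner] & 0x0F) * 4, inner + 10)
        set_csum(p, ihl, len(p), ihl + 2)
    set_csum(p, 0, ihl, 10)
    return bytes(p)

def addrs(pkt):  # (outer src, outer dst, quoted src, quoted dst), 20-byte headers
    return tuple(socket.inet_ntoa(pkt[i:i + 4]) for i in (12, 16, 40, 44))
```

Calling `translate(pkt, "203.0.113.100", "100.64.1.105")` on the inbound error and `translate(pkt, "100.64.1.105", "203.0.113.100")` on the outbound one yields packets whose quoted header matches what each endpoint originally sent or received.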