We are developing our own kernel module that does advanced source NAT in the netfilter prerouting hook. After upgrading from Linux kernel 2.6.32 (Ubuntu 10.04) to 2.6.35 (Ubuntu 10.04 lucid-back-ports), it seems that SNATted packets are simply dropped inside the Linux kernel.
I know that SNAT was never advised to be done in Prerouting hooks for general usage (Netfilter mailing list), but there are still some reasons why we would prefer to do source natting before the actual routing decision is made.
Does anyone have experience developing kernel modules that do SNAT in the netfilter prerouting hook for 2.6.35+ Linux kernels? What exactly should be changed in the linux-kernel/netfilter-kernel-module code so that SNATted packets are not dropped? Maybe SNAT in prerouting is simply a bad idea for 2.6.35+ Linux kernels, and we would be better off using nf_marks for the routing decision and doing the SNAT in postrouting?
I am using Ubuntu 10.04 with the back-ported Linux kernel (2.6.35) on x86_64.