How to handle traffic originating directly on the NAT server (routing through the same IP as nat_pool)? #3

@Stanback

I'm experimenting with this module on a server that has only one public IPv4 address, which I'd like to use for clients behind the NAT server, as well as allowing the NAT server to access the Internet directly using the same IP used by nat_pool.

From what I can tell, the destination NAT (--dnat) prerouting rule always intercepts the packet and it doesn't seem to pass through correctly unless a valid session exists. The session is created when a packet enters the source NAT (--snat); however, since the packets in question are originating on the NAT server itself, the PREROUTING/FORWARD/POSTROUTING chains don't seem to be usable.

Waiting to call skb_reset_transport_header until after the session is found seemed to do the trick, but I'm not quite sure what the implications are with this approach. Does that seem sensible or is there an easier/cleaner/better way to accomplish my goal? (Here's the change I made: Stanback@afa5698)
