NFTABLES: How to DNAT in POSTROUTING


I have a problem setting up a DNAT in POSTROUTING (I really need it for a project).
In the beginning, I tried to set it up using iptables with this command:
iptables -t nat -A POSTROUTING -p icmp -d 30.0.0.1 -j DNAT --to-destination 40.0.0.1
but iptables gave me this error:
iptables v1.8.7 (nf_tables): RULE_APPEND failed (Invalid argument): rule in chain POSTROUTING
Then I read on the iptables man page that it is not possible to do what I'm trying to do.
After that, I tried to do the same thing using nftables with these commands:
nft add table nat
nft 'add chain nat postrouting { type nat hook postrouting priority -100; }'
nft add rule nat postrouting oif wg-1to2 dnat to 40.0.0.1
But nftables returned this error:
Error: Could not process rule: Operation not supported
I don't think it is possible to set a POSTROUTING DNAT with nftables.
Am I wrong, or am I making some mistake?
If it is not possible, why? Is it just something that is not implemented?
Are there some technical problems that make it impossible to implement?
How would you solve this problem?
Thanks in advance


1 answer

Fulvio

Francesco, to my understanding, you cannot do DNAT in POSTROUTING.

The reason is that in the (kernel) routing/forwarding code, several parameters get adjusted based on the destination contained in your packets (e.g., next hop, interface where this packet has to be sent from, MAC address to reach the next hop).

If you do DNAT, i.e. you change the destination address in your packet, the above parameters may become invalid, so you may need to traverse the routing/forwarding code again. However, given the position of the POSTROUTING hook in the Linux kernel, this is no longer possible. SNAT, by contrast, is perfectly supported.

A possible solution to this problem is to write an eBPF program that does DNAT and adjusts the above parameters. Hope this helps.
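The usual nftables answer to the constraint described above, as an added example that is not part of the question or of Fulvio's answer: the nat hook rules the kernel enforces are that dnat is only accepted in chains hooked at prerouting or output (before the routing decision, so the new destination is routed normally) and snat/masquerade only in postrouting or input. What the question really wants, "the packets that would go out via wg-1to2", can be expressed in prerouting with the fib expression, which performs the route lookup for the packet's destination ahead of time and returns the interface it would be sent from. The addresses and the interface name are taken from the question; the assumption that every 30.0.0.1 packet routed over wg-1to2 should be redirected to 40.0.0.1 and masqueraded is mine, and the ruleset needs a kernel and nft recent enough to support fib.

```nft
# nat.nft -- load with: nft -f nat.nft   (dry-run syntax check: nft -c -f nat.nft)
# Example ruleset added here; not from the original post.
flush ruleset

table ip nat {
    # DNAT for forwarded traffic must happen BEFORE the routing decision,
    # so it lives in the prerouting hook. The fib expression looks up the
    # route for the packet's (original) destination and yields the output
    # interface it would leave from, which is the "oif" the question tried
    # to match in postrouting.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        ip daddr 30.0.0.1 fib daddr oifname "wg-1to2" dnat to 40.0.0.1
    }

    # Locally generated packets do not traverse prerouting; they get their
    # DNAT in the output hook, after which the kernel re-routes them itself.
    chain output {
        type nat hook output priority dstnat; policy accept;
        ip daddr 30.0.0.1 dnat to 40.0.0.1
    }

    # Only source NAT is valid after routing. A "dnat to" statement in this
    # chain is rejected with "Operation not supported", as seen in the question.
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wg-1to2" masquerade
    }
}
```

After loading, `nft list ruleset` shows the three chains and `conntrack -L` (or `nft list table ip nat` with counters added to the rules) confirms that an ICMP echo to 30.0.0.1 is rewritten to 40.0.0.1 and then routed according to the new destination. If the fib match is not needed because the redirect should apply regardless of route, drop the `fib daddr oifname "wg-1to2"` part; the important point is that the dnat statement itself has to sit in prerouting or output.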