The iptables MASQUERADE NAT rule is not being applied to packets that have come from a TAP interface.
I have an application tied to two TAP interfaces that is used for some packet manipulation during routing.
I am using iptables to apply a netfilter mark to packets received on one of two physical interfaces, and ip rules to route the packets into one of my TAP interfaces. When the packet comes out of my application it goes back into the main routing table and out the appropriate physical interface.
I have a MASQUERADE NAT rule on one of the two physical interfaces, but when the packet is transmitted the NAT is not applied. I think this is because it has already passed through iptables.
Can you mark a packet as "new" in iptables so it traverses the full iptables chains a second time?