
For some reason, my network encountered a "Destination unreachable: no route" error. This error happened periodically; later I found that it was a bug in my program.

But during that time, I found a weird problem: if I started a ping while the network worked, then the ping could keep working continuously even after the network had the route problem. I used iptables trace and found that these iptables rules were applied while the ping process was working:

raw:PREROUTING:policy:2
nat:PREROUTING:policy:1
filter:FORWARD:rule:1
filter:FABEDGE-FORWARD:rule:1
nat:POSTROUTING:rule:1
nat:FABEDGE-NAT-OUTGOING:rule:2
nat:POSTROUTING:policy:2
raw:PREROUTING:policy:2
filter:FORWARD:rule:1
filter:FABEDGE-FORWARD:rule:1
raw:PREROUTING:policy:2
filter:FORWARD:rule:1
filter:FABEDGE-FORWARD:rule:1
raw:PREROUTING:policy:2
filter:FORWARD:rule:1
filter:FABEDGE-FORWARD:rule:1

As you can see, when the first ICMP6 packet is handled, those rules are applied:

raw:PREROUTING:policy:2
nat:PREROUTING:policy:1
filter:FORWARD:rule:1
filter:FABEDGE-FORWARD:rule:1
nat:POSTROUTING:rule:1
nat:FABEDGE-NAT-OUTGOING:rule:2
nat:POSTROUTING:policy:2

the following ICMP6 packets were handled with different rules:

raw:PREROUTING:policy:2
filter:FORWARD:rule:1
filter:FABEDGE-FORWARD:rule:1

It looks like all nat table rules are skipped; I don't know why this happened. Shouldn't each ICMP6 packet go through the same rules?

I should mention that these packets pass through a VPN tunnel created by a strongswan process, which I don't think affects iptables.

These are my iptables rules:

ip6tables -t raw -S
-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -s fd96:ee88:2:2::/64 -j TRACE
ip6tables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N FABEDGE-FORWARD
-A FORWARD -j FABEDGE-FORWARD
-A FABEDGE-FORWARD -s fd96:ee88:2:2::/64 -j ACCEPT
-A FABEDGE-FORWARD -d fd96:ee88:2:2::/64 -j ACCEPT
ip6tables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N FABEDGE-NAT-OUTGOING
-A POSTROUTING -j FABEDGE-NAT-OUTGOING
-A FABEDGE-NAT-OUTGOING -m set --match-set FABEDGE-LOOP-BACK6 dst,dst,src -j MASQUERADE
-A FABEDGE-NAT-OUTGOING -s fd96:ee88:2:2::/64 -m set --match-set FABEDGE-PEER-CIDR6 dst -j RETURN
-A FABEDGE-NAT-OUTGOING -s fd96:ee88:2:2::/64 -d fd96:ee88:2:2::/64 -j RETURN
-A FABEDGE-NAT-OUTGOING -s fd96:ee88:2:2::/64 -j MASQUERADE

More detailed iptables trace:

[505397.327144] TRACE: raw:PREROUTING:policy:2 IN=br-fabedge OUT= PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505397.327183] TRACE: nat:PREROUTING:policy:1 IN=br-fabedge OUT= PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505397.327207] TRACE: filter:FORWARD:rule:1 IN=br-fabedge OUT=eth0 PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505397.327215] TRACE: filter:FABEDGE-FORWARD:rule:1 IN=br-fabedge OUT=eth0 PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505397.327223] TRACE: nat:POSTROUTING:rule:1 IN= OUT=eth0 PHYSIN=veth74551420 SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505397.327241] TRACE: nat:FABEDGE-NAT-OUTGOING:rule:2 IN= OUT=eth0 PHYSIN=veth74551420 SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505397.327246] TRACE: nat:POSTROUTING:policy:2 IN= OUT=eth0 PHYSIN=veth74551420 SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505398.328257] TRACE: raw:PREROUTING:policy:2 IN=br-fabedge OUT= PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=2
[505398.328290] TRACE: filter:FORWARD:rule:1 IN=br-fabedge OUT=eth0 PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=2
[505398.328299] TRACE: filter:FABEDGE-FORWARD:rule:1 IN=br-fabedge OUT=eth0 PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=2
[505399.329386] TRACE: raw:PREROUTING:policy:2 IN=br-fabedge OUT= PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=3
[505399.329431] TRACE: filter:FORWARD:rule:1 IN=br-fabedge OUT=eth0 PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=3
[505399.329440] TRACE: filter:FABEDGE-FORWARD:rule:1 IN=br-fabedge OUT=eth0 PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=3
[505400.329280] TRACE: raw:PREROUTING:policy:2 IN=br-fabedge OUT= PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=4
[505400.329315] TRACE: filter:FORWARD:rule:1 IN=br-fabedge OUT=eth0 PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=4
[505400.329324] TRACE: filter:FABEDGE-FORWARD:rule:1 IN=br-fabedge OUT=eth0 PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=4

1 Answer


It seems nat rules are only applied on the initial packet, according to this question: https://serverfault.com/questions/741104/iptables-redirect-works-only-for-first-packet

Here is another explanation:

The nat chain type allows you to perform NAT. This chain type comes with special semantics:

The first packet of a flow is used to look up for a matching rule which sets up the NAT binding for this flow. This also manipulates this first packet accordingly.

No rule lookup happens for follow-up packets in the flow: the NAT engine uses the NAT binding information already set up by the first packet to perform the packet manipulation.
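A small Python model of that first-packet-only rule walk, added here as an illustration (it is not code from the page, netfilter or FabEdge): it replays the FABEDGE-NAT-OUTGOING chain listed in the question for a constructed ICMPv6 echo flow and reproduces the trace pattern seen there. The ipset contents are assumptions: FABEDGE-PEER-CIDR6 is taken to contain fd96:ee88:0:1::/64 and FABEDGE-LOOP-BACK6 to be empty.

```python
import ipaddress
from typing import NamedTuple
# Constructed stand-ins for the page's ipsets (assumed: the peer set contains the
# ping destination, so rule 2 RETURNs; the loop-back set is empty, so rule 1 never hits).
POD_CIDR = [ipaddress.ip_network("fd96:ee88:2:2::/64")]
PEER_CIDR6 = [ipaddress.ip_network("fd96:ee88:0:1::/64")]

class Packet(NamedTuple):
    src: str
    dst: str
    icmp_id: int  # echo ID: with the addresses, this identifies the conntrack flow
    seq: int      # echo SEQ: changes per packet but does not change the flow

def _in(addr, nets):
    return any(ipaddress.ip_address(addr) in n for n in nets)

# FABEDGE-NAT-OUTGOING as listed on the page, as (match, verdict) in rule order.
NAT_OUTGOING = [
    (lambda p: False, "MASQUERADE"),                                        # rule 1
    (lambda p: _in(p.src, POD_CIDR) and _in(p.dst, PEER_CIDR6), "RETURN"),  # rule 2
    (lambda p: _in(p.src, POD_CIDR) and _in(p.dst, POD_CIDR), "RETURN"),    # rule 3
    (lambda p: _in(p.src, POD_CIDR), "MASQUERADE"),                         # rule 4
]

def nat_postrouting(p, trace):
    # The rule walk that only the first packet of a flow performs.
    trace.append("nat:POSTROUTING:rule:1")  # -A POSTROUTING -j FABEDGE-NAT-OUTGOING
    for i, (match, verdict) in enumerate(NAT_OUTGOING, 1):
        if match(p):
            trace.append(f"nat:FABEDGE-NAT-OUTGOING:rule:{i}")
            if verdict != "RETURN":
                return verdict
            break
    trace.append("nat:POSTROUTING:policy:2")  # chain policy ACCEPT: no translation
    return "ACCEPT"

def simulate(packets):
    # Returns (NAT verdict, trace) per packet, using a fresh conntrack table.
    conntrack = {}  # flow key -> verdict fixed by the flow's first packet
    results = []
    for p in packets:
        key = ("icmpv6", p.src, p.dst, p.icmp_id)
        trace = ["raw:PREROUTING:policy:2"]
        if key not in conntrack:
            trace.append("nat:PREROUTING:policy:1")  # nat hooks see NEW flows only
        trace += ["filter:FORWARD:rule:1", "filter:FABEDGE-FORWARD:rule:1"]
        if key not in conntrack:
            conntrack[key] = nat_postrouting(p, trace)
        results.append((conntrack[key], trace))  # ESTABLISHED: binding reused, nat skipped
    return results
```

The same semantics are why editing a nat rule on a real host does not change flows that already have a binding: they keep it until the conntrack entry expires or is flushed.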
