I've noticed that packets belonging to an established/assured TCP or UDP connection cease matching rules in the built-in FORWARD chain over time. I'm not actually sure whether it's a function of time or of the number of packets. The maximum number of matches I've seen for a single connection is 65. This indicates to me that only the first 65 packets pass through the chain. I realize that only the first packet is passed through the nat table, but I was under the impression that every subsequent packet exchanged has to pass through the filter table. Is this a bug, or is it something I don't understand about netfilter?
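One way to quantify the observation above, added here as an example rather than anything from the original post: with the nf_conntrack_acct sysctl enabled, conntrack keeps a per-direction packet count for every tracked flow, so comparing it against the packet counter of a FORWARD rule matching the same 5-tuple shows how many packets of an established connection never traversed the chain. The /proc/net/nf_conntrack and `iptables -nvxL FORWARD` samples below are constructed (the 65-packet rule counter mirrors the post), and the rule layout assumes one counting rule per flow direction.

```python
import re
# Constructed sample of /proc/net/nf_conntrack (packets= fields need the
# nf_conntrack_acct sysctl enabled). Not captured from a real host.
SAMPLE_CONNTRACK = """\
ipv4 2 tcp 6 431995 ESTABLISHED src=10.0.0.5 dst=198.51.100.7 sport=51234 dport=443 packets=120 bytes=15400 src=198.51.100.7 dst=10.0.0.5 sport=443 dport=51234 packets=118 bytes=90210 [ASSURED] mark=0 use=2
ipv4 2 udp 17 29 src=10.0.0.5 dst=198.51.100.53 sport=40000 dport=53 packets=3 bytes=210 src=198.51.100.53 dst=10.0.0.5 sport=53 dport=40000 packets=3 bytes=540 [ASSURED] mark=0 use=2
"""
# Constructed `iptables -nvxL FORWARD` output with one counting rule per
# flow direction, inserted solely to count matches for that 5-tuple.
SAMPLE_RULES = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      65     8320 ACCEPT     tcp  --  *      *       10.0.0.5             198.51.100.7         tcp spt:51234 dpt:443
      65    49880 ACCEPT     tcp  --  *      *       198.51.100.7         10.0.0.5             tcp spt:443 dpt:51234
       3      210 ACCEPT     udp  --  *      *       10.0.0.5             198.51.100.53        udp spt:40000 dpt:53
"""
CT_PROTO = re.compile(r"^\S+\s+\d+\s+(tcp|udp)\s+\d+")
CT_TUPLE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+) packets=(\d+)")
RULE_LINE = re.compile(
    r"^\s*(\d+)\s+\d+\s+\S+\s+(tcp|udp)\s+--\s+\S+\s+\S+\s+(\S+)\s+(\S+)\s+"
    r"(?:tcp|udp) spt:(\d+) dpt:(\d+)")

def parse_conntrack(text):
    """Map (proto, src, dst, sport, dport) -> packets conntrack saw, per direction."""
    flows = {}
    for line in text.splitlines():
        proto = CT_PROTO.match(line)
        if not proto:
            continue
        # Each entry carries the original tuple and the reply tuple in turn.
        for src, dst, sport, dport, pkts in CT_TUPLE.findall(line):
            flows[(proto.group(1), src, dst, sport, dport)] = int(pkts)
    return flows

def parse_rule_counters(text):
    """Map (proto, src, dst, sport, dport) -> packets the FORWARD rule matched."""
    counters = {}
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            pkts, proto, src, dst, sport, dport = m.groups()
            counters[(proto, src, dst, sport, dport)] = int(pkts)
    return counters

def find_bypassed(conntrack_text, rules_text):
    """Flows where conntrack counted more packets than the rule did: those
    extra packets were tracked but never matched in the FORWARD chain."""
    flows, counters = parse_conntrack(conntrack_text), parse_rule_counters(rules_text)
    return {k: (flows[k], counters[k]) for k in flows
            if k in counters and flows[k] > counters[k]}
```

Run against live output by reading /proc/net/nf_conntrack and capturing `iptables -nvxL FORWARD` after the connection has been up for a while; a non-empty result is the gap the post describes, measured per direction.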