> > > But at this time I don't want to spend time on enabling such hacks
> > (lo-to-remote-dst-nat) unless there is a good use case for it.
> >
> > I am not familiar with this use-case.

Only one use case in Kubernetes, and one we were trying to avoid to the point we removed the functionality in the new implementation of kube-proxy with nftables, but since it came back recently I just considered it worth asking.

I will try to expose the use case, simplifying some of the technical details. Container runtimes need to pull images from registries (think of it as a webserver to serve container images). For efficiency and to reduce network traffic, it's common to run a local registry mirror or cache. Localhost is a simple and reliable target for the container runtime that pulls the images, and by convention they treat localhost registries as "secure" by default, meaning they don't require a valid TLS certificate setup.

Kubernetes has a networking option to forward a specific port in a node to a virtual IP with a set of endpoints, and people were using this functionality to implement the local cache mechanism ...

So personally I do not feel this is a good use case for netfilter to implement something new based on it.