Ok, it turns out the documentation is a tiny bit misleading. While it says, "No rule lookup happens for follow-up packets in the flow", it means that subsequent processing rules do not apply.

Adding a filtering chain at raw priority can still drop packets from an active NAT flow.

While I'm still very interested in understanding how to model this stateless, adding filter rules in a prerouting filter chain with priority raw works.

Ok, it turns out the documentation is a tiny bit misleading. While it says, "No rule lookup happens for follow-up packets in the flow", it means that subsequent processing rules do not apply.

Adding a filtering chain at raw priority can still drop packets from an active NAT flow. The same goes for filtering in forward hooks (with changed dest ports, addresses etc).

While I'm still very interested in understanding how to model this stateless, adding filter rules in a prerouting filter chain with priority raw works.

Ok, turns out the documentation is a tiny bit misleading. While it says "No rule lookup happens for follow up packets in the flow" it really means that subsequent processing rules do not apply.

When adding a filtering chain at raw priority this can still drop packets from an active NAT flow.

While I'm still very interested in understanding how to model this stateless, adding filter rules in a prerouting filter chain with priority raw works.

Ok, it turns out the documentation is a tiny bit misleading. While it says, "No rule lookup happens for follow-up packets in the flow", it means that subsequent processing rules do not apply.

Adding a filtering chain at raw priority can still drop packets from an active NAT flow.

While I'm still very interested in understanding how to model this stateless, adding filter rules in a prerouting filter chain with priority raw works.