It isn't a bug. The order of the firewall is
Input rule
Masquerading and Forwarding Rule
Output rule
That's precisely defined.
What is less than perfectly defined in 2.0.x and depends on timing issues
it shouldn't is "what does tcpdump on the box doing the forwarding see". To
get an honest answer look from the outside or use skb_copy not skb_clone
for dumped packets - that's a lot slower but correct. 2.1.x does the
right thing but it's not trivial and therefore "safe" to backport.
Note btw that diald doesn't exactly fit the pattern either as it snoops in
different ways on active and inactive links.
Alan
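
The skb_clone versus skb_copy difference described in the message above, as an added user-space model that is not part of the original post and is not kernel code. All model_* names, tap_sees and the addresses are constructed for illustration, and the model assumes the masquerading step rewrites the source address in the shared buffer before the capture tap reads it.

```c
#include <stdint.h>
#include <stdlib.h>

/* User-space model only: a descriptor pointing at refcounted packet data. */
struct pkt_data { int refs; uint32_t saddr; uint32_t daddr; };
struct skb { struct pkt_data *data; };

static struct skb *model_alloc(uint32_t saddr, uint32_t daddr) {
    struct skb *s = malloc(sizeof *s);
    s->data = malloc(sizeof *s->data);
    s->data->refs = 1; s->data->saddr = saddr; s->data->daddr = daddr;
    return s;
}

/* Clone: new descriptor, same data buffer (cheap, but shared). */
static struct skb *model_clone(struct skb *orig) {
    struct skb *s = malloc(sizeof *s);
    s->data = orig->data;
    s->data->refs++;
    return s;
}

/* Copy: new descriptor and a private data buffer (slower, isolated). */
static struct skb *model_copy(const struct skb *orig) {
    struct skb *s = malloc(sizeof *s);
    s->data = malloc(sizeof *s->data);
    *s->data = *orig->data;
    s->data->refs = 1;
    return s;
}

static void model_free(struct skb *s) {
    if (--s->data->refs == 0) free(s->data);
    free(s);
}

/* Assumed behaviour: masquerading rewrites the source address in place. */
static void model_masquerade(struct skb *s, uint32_t public_addr) {
    s->data->saddr = public_addr;
}

/* Source address the capture tap reads once forwarding has run. */
static uint32_t tap_sees(int use_copy) {
    struct skb *pkt = model_alloc(0x0A000005, 0xC6336407); /* 10.0.0.5 -> 198.51.100.7 */
    struct skb *tap = use_copy ? model_copy(pkt) : model_clone(pkt);
    model_masquerade(pkt, 0xCB007101);                     /* 203.0.113.1 */
    uint32_t seen = tap->data->saddr;
    model_free(tap); model_free(pkt);
    return seen;
}
```

With the clone, what the tap reports depends on whether the rewrite has happened by the time it reads; with the copy, it always reports the packet as it was when the tap took it.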