Can I frame in bronze this tidbit of excellence…
“The fact that the srcnat chain cannot refer to in-interface (and dst-nat cannot refer to out-interface) is just a feature of netfilter, so no front-end can do anything about it. You can work around this by assigning a connection-mark to the connection in the prerouting chain of the mangle table (where the in-interface can be referred to) and then referring to that connection-mark in the src-nat rule in the srcnat chain of the nat table.”
Now I have to figure out why would want to do such a thing.
Because you may e.g. feel an urgent need to src-nat connections coming in via one in-interface to one src-address (pool) and connections coming in via another in-interface to another src-address (pool). But I agree that such a need is rare.
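The workaround quoted above (mark the connection in mangle prerouting, where in-interface is still available, then match the mark in srcnat) applied to the two-LAN, two-public-address case described in this post, written out as RouterOS CLI. This is an added example, not configuration from anyone in the thread; the interface names (ether1 as WAN, ether2 and ether3 as LANs), the connection-mark names and the 203.0.113.x addresses are assumptions chosen for illustration:

```routeros
# Added example (not from the thread). Assumed layout: ether1 = WAN,
# ether2 = LAN A, ether3 = LAN B; public addresses from 203.0.113.0/24.
/ip firewall mangle
# Mark the whole connection on its first packet, using in-interface, which
# is visible in prerouting. connection-mark=no-mark keeps the rule from
# re-evaluating every packet of an already-marked connection.
add chain=prerouting in-interface=ether2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=from-lanA passthrough=yes \
    comment="assumed: LAN A arrives on ether2"
add chain=prerouting in-interface=ether3 connection-mark=no-mark \
    action=mark-connection new-connection-mark=from-lanB passthrough=yes \
    comment="assumed: LAN B arrives on ether3"

/ip firewall nat
# srcnat cannot match in-interface, but it can match the connection-mark
# set above. Each LAN gets its own public address (or pool, as a range).
add chain=srcnat out-interface=ether1 connection-mark=from-lanA \
    action=src-nat to-addresses=203.0.113.10 \
    comment="assumed: LAN A leaves as .10"
add chain=srcnat out-interface=ether1 connection-mark=from-lanB \
    action=src-nat to-addresses=203.0.113.11-203.0.113.19 \
    comment="assumed: LAN B leaves from a pool .11-.19"
# Leave a masquerade/src-nat rule below these for anything unmarked,
# otherwise traffic from other interfaces goes out unNATed.
add chain=srcnat out-interface=ether1 action=masquerade \
    comment="fallback for unmarked connections"
```

To check it did what you expect, open a connection from each LAN and run `/ip firewall connection print where connection-mark=from-lanA` (and the same for from-lanB); the reply-dst address column should show the public address you assigned. Rule order matters in both tables: the mark rules must precede anything in mangle that would stop processing, and the marked srcnat rules must sit above the fallback.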
I never understood this limitation. If I wanted to use out-interface in prerouting/dstnat, it’s obviously not possible, because it’s not yet decided where the packet will go. But in-interface in postrouting/srcnat, why not? Did connection tracking already forget where the packet came from? It knew it just a moment before, in the forward chain.