Have you ever have the doubt that what if both traffic filter and NAT are enabled on the interface, and the traffic match both of them, will the router forward it after NAT or just discard them?
As we know, when a packet arrives at the router, the packet has the following structure:
The router will check the MAC address in the layer 2 header, if the destination MAC address in the layer 2 header matchs the local MAC address, then, the router will remove the layer 2 header and hand the layer 2 payload which include layer 3 header and layer 3 payload to the network layer. If the destination MAC address doesn't match the local MAC address, router will drop the packet.
As the link-data layer did, router will check the IP address in the layer 3 header, if the destination IP address in the layer 3 header matchs the local IP address, router will remove the layer 3 header and hand the layer 3 payload to upper layer, if the IP address in layer 3 header doesn't match the local IP address, the router will check the FIB which is generated from the routing-table, if there isn't matching entry, the router will drop the packet, or it will send the packet as the matching entry described.
the two previous paragraphs describe the common IP unicast, what if we add traffic policy and NAT, how the router process the packet?
if the NAT and traffic policy are implemented, the router will check the traffic policy first, if the traffic is been redirected to other IP address, router will send it to the corresponding out interface. Or the router will check the FIB, and do the forwarding. Since the NAT has been implemented, the router will do the NAT before forward the packet out of the router.
As previous described, we can know the packet will be forwarded as the order which the below picture shows:
