I think you are slightly overstating my stupidity. Off the top of my head there's only one other thread where I got confused between forwarded and outgoing messaging. And I would argue the other case was a little different.
Fair enough...to be honest, I was confused about this too when I first started with Linux firewalling (I also confused FORWARD firewalling with routing - especially since you can move packets in some instances).
No problem. That link (and other Linux manuals) helped me with the concept for iptables and chaining.
When a packet comes in (say, through the Ethernet card) the kernel uses the input chain to decide its fate. If it survives that step, then the kernel decides where to send the packet next (this is called routing). If it is destined for another machine, it consults the forward chain. Finally, just before a packet is to go out, the kernel consults the output chain.
So it seems I actually had the correct mental model. An incoming packet will go through the three chains. So a forwarded packet lan -> wan will indeed become an "output'ed" packet in the sense that it will have to go through the OUTPUT chain.
My earlier misunderstanding actually comes from the fact that I confused outgoing and "output'ed". A forwarded lan->wan packet goes through the OUTPUT chain, but the following rule
config rule 'dot'
	option name 'Deny-DoT'
	option dest 'wan'
	option dest_port '853'
	option proto 'tcp udp'
	option target 'REJECT'
will not ever match such a packet because an absent src is equivalent to src_ip being set to the router's ip (i.e. outgoing traffic, as @trendy explained).
Feel free to correct any misunderstanding on my part.
I can see that there can be some confusion with the multiple tables and chains.
Whether a packet is dropped or accepted is decided in the filter table. This table has input, forward, and output chains. Input checks the packets destined for the device itself. Forward checks the packets traversing the router. Output checks packets generated locally on the router. So for an incoming packet only input or forward will be examined, depending on the destination address of the packet. If the device wants to send a packet, only the output chain will be used to examine it.
In the case of the nat table, the prerouting chain will examine all incoming packets, regardless of their destination (the router or another device), and apply the changes on the packet, if any.
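The chain selection described in the post above, as an added example that is not part of any poster's message: a simplified Python model of which chains examine a packet and which filter chain a `config rule` section lands in depending on whether `src` and `dest` are present. The router addresses, the destination address, the `DENY_DOT_LAN` variant and all function names are constructed for illustration; zone matching and chains not named in the thread are left out.

```python
# Simplified model (constructed for illustration, not OpenWrt's own code).
from ipaddress import ip_address

# Constructed router addresses: one LAN side, one WAN side.
ROUTER_ADDRS = {ip_address("192.168.1.1"), ip_address("203.0.113.2")}

def chains_traversed(dst_ip, locally_generated=False):
    """Return the (table, chain) pairs named in the thread that see the packet."""
    if locally_generated:
        return [("filter", "OUTPUT")]        # packet created on the router
    path = [("nat", "PREROUTING")]           # examines every incoming packet
    if ip_address(dst_ip) in ROUTER_ADDRS:
        path.append(("filter", "INPUT"))     # destined for the router itself
    else:
        path.append(("filter", "FORWARD"))   # traversing the router
    return path

def rule_chain(rule):
    """Filter chain a 'config rule' applies to, from src/dest presence."""
    if "src" not in rule:
        return "OUTPUT"                      # no src: router-originated traffic
    return "FORWARD" if "dest" in rule else "INPUT"

def rule_matches(rule, dst_ip, dst_port, proto, locally_generated=False):
    """True if the rule's chain examines the packet and port/proto match."""
    seen = {chain for table, chain in
            chains_traversed(dst_ip, locally_generated) if table == "filter"}
    return (rule_chain(rule) in seen
            and str(dst_port) == rule["dest_port"]
            and proto in rule["proto"].split())

# The rule quoted in the thread, and a variant with a source zone added.
DENY_DOT = {"name": "Deny-DoT", "dest": "wan", "dest_port": "853",
            "proto": "tcp udp", "target": "REJECT"}
DENY_DOT_LAN = dict(DENY_DOT, src="lan")

if __name__ == "__main__":
    resolver = "198.51.100.53"               # constructed WAN-side address
    print("forwarded path:", chains_traversed(resolver))
    print("rule without src, forwarded packet:",
          rule_matches(DENY_DOT, resolver, 853, "tcp"))
    print("rule without src, router's own packet:",
          rule_matches(DENY_DOT, resolver, 853, "tcp", locally_generated=True))
    print("rule with src 'lan', forwarded packet:",
          rule_matches(DENY_DOT_LAN, resolver, 853, "tcp"))
```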