And if you process the packet by forcing it through the netfilter anyways (i.e. CPUs)... on "the trusted side" - I don't see the reasoning for processing it RAW in the first place.
See location of RAW in image "Flow of network packets through Netfilter with legacy iptables packet filtering".
EDIT - e.g. I RAW ACCEPT traffic from an ipset for traffic that will be filtered at Layer 3 inside the tunnel anyways.
I don't follow you.
This will log the raw accepted on prerouting:

iptables -t raw -A PREROUTING -j LOG --log-prefix "raw accept"

If that's not what you meant, then we are drifting off-topic and maybe we should discuss it elsewhere.
Perhaps so, and I will research and test (again)... I didn't know I could simply place a RAW rule (that in essence "disappears" without tracking) above another RAW rule.
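Added example, not posted by any participant in this thread: a small script that builds the raw-table rule pair the last two posts describe, a LOG rule placed above a rule that exempts ipset-matched traffic from connection tracking, as an iptables-restore fragment. The ipset name tunnel_peers is a placeholder that is assumed to already exist; the exemption is written with the CT --notrack target, and the ordering is checked by a helper before anything is loaded.

```shell
#!/bin/sh
# Added example (not from the thread). Builds raw-table rules that first LOG
# packets from hosts in an ipset and then exempt those packets from conntrack.
# Assumption: the ipset "tunnel_peers" (placeholder name) already exists.
IPSET_NAME="${IPSET_NAME:-tunnel_peers}"

# Emit an iptables-restore fragment for the raw table.
# Rule order matters: LOG is a non-terminating target, so the packet keeps
# walking the chain and reaches the CT --notrack rule placed right below it.
raw_rules() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -m set --match-set ${IPSET_NAME} src -j LOG --log-prefix "raw notrack: " --log-level 6
-A PREROUTING -m set --match-set ${IPSET_NAME} src -j CT --notrack
COMMIT
EOF
}

# Return 0 when the LOG rule appears before the CT --notrack rule in the
# emitted fragment, which is the only order in which the log line is produced.
log_precedes_notrack() {
    log_line=$(raw_rules | grep -n -- '-j LOG' | cut -d: -f1)
    ct_line=$(raw_rules | grep -n -- '-j CT --notrack' | cut -d: -f1)
    [ -n "$log_line" ] && [ -n "$ct_line" ] && [ "$log_line" -lt "$ct_line" ]
}

# Load the fragment; --noflush leaves the other tables' rules untouched.
# Requires root and iptables-restore, so it is a separate, explicit step.
apply_raw_rules() {
    log_precedes_notrack || { echo "rule order wrong, not applying" >&2; return 1; }
    raw_rules | iptables-restore --noflush
}

# Stand-alone run: just show what would be loaded.
raw_rules
```

Call apply_raw_rules as root to load the rules; the logged packets show up in the kernel log with the "raw notrack: " prefix, which gives visibility into what is being exempted from tracking before the exemption takes effect.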