Hi
I've been reading a bit about packet traversal in the Linux kernel but
apparently my Linux box doesn't like theory very much ;-)
My config:
linux-2.6.14.2 with imq patch
eth0 - iface where two inet connections are attached
eth1 - server
eth2 - LAN
There is SNAT involved on one net connection. The other conn is for
servers, and there is proxy-arp active (at eth0 and eth1).
I type:
iptables -t nat -A PREROUTING -i eth0 -j LOG
And after that, dmesg shows something like this:
17:08:53 IN=eth0 OUT= SRC=some_remote_IP DST=IP_of_the_linux_box
Shouldn't there be DST=10.0.0.5, for example (i.e. de-SNATed)?
I've found this on Google:
http://lists.netfilter.org/pipermail...ly/045355.html
And that suggests that in my kernel version this is implemented in
a different way.
And all that I want to do is ingress queuing using IMQ. I want to fwmark
packets according to their de-SNATed destination address (and some other
things also), and then put them into the IMQ ingress queue.
I could use the packet matching available in the ingress queue itself
(by ip tool), but I don't know if the packets that go into IMQ are
de-SNATed or not.
So, where does the de-SNAT actually take place?
(on this diagram preferably:
http://www.docum.org/docum.org/kptd/)
--
mati