Sorry for my last post which had unwrapped lines, so I am resending it
with a better formatting now:

Hi all,

Is there a userspace facility on NetBSD which allows a TCP proxy daemon to
spoof the source address for the life of a TCP connection to that of the
actual internet client when connecting from a gateway to an internal
service? This way the internal machine would see the connection as
originating from the client rather than from the proxy gateway.

I have looked into ipnat, but this would not seem to solve the issue at
hand, I previously wrote an FTP passive proxy (mmtcpfwd) which requires
this feature, it currently works on Linux but I would like to port it to
NetBSD...

A possibly viable method seems to be running part of the system as uid 0
so that interaction with the kernel would occur frequently to forward
ports, using the same techniques which ipnat and/or ipf are using... Is
there any other known solution?

Matt