Subject: is this a job for ipnat?
To: None <tech-net@netbsd.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-net
Date: 12/04/1999 16:03:07
If someone who knows ipf/ipnat has a minute, I'm trying to set up
something a bit unusual, and I'm wondering if I have to hack in some
special-case code for it or if this is something ipnat can handle.

Most briefly, in pseudo-rules, what I want is

rewrite in on ppp0 dst=132.206.78.38 dstport=57575 -> dst=132.206.78.1 dstport=7575
rewrite out on ppp0 src=132.206.78.1 srcport=7575 -> src=132.206.78.38 srcport=57575

(Alternatively, those could be "out on le0" and/or "in on le0"
respectively; le0 and ppp0 are the only two interfaces that matter.)

In more detail....

I have a home LAN with four bits' worth of address space:
132.206.78.0/255.255.255.216 (the noncontiguous netmask is largely for
historical reasons, and I'm likely to move relatively soon to other
address space, where I'll have a contiguous /28).  My netlink used to
be a serial line, with custom code on each end to encapsulate IP
packets over it (for a variety of reasons, mostly historical by now, it
wasn't using vanilla SLIP or PPP).

But I've now got a DSL line.  Problem is, it gives me only one address,
and it's dynamic.  Fortunately, the place that owns the address space
is friendly, and there's a NetBSD machine there with my home address
space routed to it.  I've added code there and on a gateway machine at
home to tunnel my packets through the DSL link, and this code works
well (performance is much improved as compared to the serial line).

Now, one of the things in the serial line netlink was code to rewrite a
particular address/port to another address/port.  This is because I
have a mud running on 132.206.78.1, on ports 5757 and 7575.  But we
heard of cases where people could telnet but couldn't specify arbitrary
port numbers.  So I made the mud listen on port 57575 as well, then
added code to the serial-line encapsulation so that incoming packets to
132.206.78.38 port 23 (telnet) get rewritten to 132.206.78.1 port
57575, with the converse rewrite for outgoing packets.  (Of course,
attempts from the world-at-large to connect to 132.206.78.1 port 57575
will not work, since the return packets will get rewritten; this is why
I used a third port.)

Now I want a similar rewriting effect for the DSL link.  I could, I
suppose, hack some special-case code into the kernel of the gateway box
(which is dedicated to the purpose), but I'd rather not.  I was
considering alternatives and it occurred to me that the NAT code may be
able to do this.

So I went and read manpages and examples and it's not clear whether
this is possible.  The rdr keyword is mentioned in the grammar in
ipnat(5) but seems to be otherwise undocumented; the "mediaone" example
in /usr/share/examples/ipf looks promising but makes me suspect it
can't be as specific as I need in choosing what packets to rewrite.

					der Mouse

			       mouse@rodents.montreal.qc.ca
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
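For readers wondering how the pseudo-rules above map onto real ipnat syntax, here is an added ipnat.conf fragment (mine, not part of the original post). It uses the port numbers from the serial-line setup described in the body (incoming 132.206.78.38 port 23 redirected to 132.206.78.1 port 57575); the interface name ppp0 is taken from the post, and the assumption is that the tunneled packets really do enter the gateway on that interface.

```conf
# Added example, not from the original post: one rdr rule in ipnat.conf.
#
# rdr rewrites the destination of packets *entering* ppp0 that are
# addressed to 132.206.78.38 tcp port 23, sending them instead to
# 132.206.78.1 port 57575.  The /32 mask restricts the match to that
# single destination address.
rdr ppp0 132.206.78.38/32 port 23 -> 132.206.78.1 port 57575 tcp

# The reverse rewrite (src 132.206.78.1:57575 -> 132.206.78.38:23 on the
# way back out ppp0) does not need its own rule: ipnat keeps per-session
# state for each redirected connection and untranslates the replies itself.
```

Two things to check when loading this with `ipnat -CF -f /etc/ipnat.conf`: inbound packets are translated by ipnat before ipf filters them, so any ipf rules on ppp0 must pass the already-rewritten destination (132.206.78.1 port 57575), and because the reverse mapping only exists for sessions ipnat created, a connection made directly to 132.206.78.1 port 57575 is left untouched rather than being rewritten on the way out.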