Subject: Re: Lower MTU behind NAT
To: Feico Dillema <feico@pasta.cs.uit.no>
From: None <itojun@iijlab.net>
List: current-users
Date: 02/05/2001 07:38:12

>I have a bit of a problem with NAT and ICMP and haven't been able to
>find the answer in the ipfilter documentation. I hope you can give me
>a hint whether and how this can be fixed. I have the following setup:
>
>client <=> gif tunnel MTU=1280 <==> NAT <==> Outside world
>
>Problem is that TCP connections to servers using PMTU discovery fail
>as the internal IP-addresses in ICMP messages do not get translated.
>The NAT machine sends out ICMP mesgs like:
>
>17:35:40.185184 129.242.16.119 > 193.166.3.2: icmp: 10.1.1.2 unreachable - need to frag (mtu 1280) (ttl 255, id 35140)
>
>Rewriting these addrs in ICMP msg is maybe not perfectly correct, but
>it would make my setup work. So, I'd like to know whether there's some
>rule I can add for this.

	NAT = ipnat (in ipfilter)?
	then, this should be the same problem as PR 10993.  not sure
	if recent ipfilter corrects it or not.
	http://www.NetBSD.org/cgi-bin/query-pr-single.pl?number=10993

itojun
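
A check for the symptom described in the question, as an added example (not code from this thread or from ipfilter): it parses an ICMP error as captured on the public side of the NAT and reports whether the quoted IP header still carries an internal address. The two packets are constructed from the tcpdump line above; the quoted source address and the public mapping used in `TRANSLATED` are assumptions.

```python
import ipaddress
import struct

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    # Minimal 20-byte IPv4 header; checksum left at 0 (not verified below).
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def build_need_frag(outer_src, outer_dst, inner_src, inner_dst, mtu):
    # ICMP type 3 code 4 quoting the offending IP header plus 8 payload bytes.
    quoted = ipv4_header(inner_src, inner_dst, 6, 8) + b"\x00" * 8
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + quoted
    return ipv4_header(outer_src, outer_dst, 1, len(icmp), ttl=255) + icmp

def inspect_icmp_error(packet):
    # Parse an ICMP error as captured on the public side of the NAT.
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        raise ValueError("not an ICMP packet")
    icmp_type, code, _, _, mtu = struct.unpack("!BBHHH", packet[ihl:ihl + 8])
    if icmp_type not in (3, 11, 12):
        raise ValueError("not an ICMP error message")
    quoted = packet[ihl + 8:]
    if len(quoted) < 20:
        raise ValueError("quoted IP header is truncated")
    outer_dst = ipaddress.IPv4Address(packet[16:20])
    inner_src = ipaddress.IPv4Address(quoted[12:16])
    inner_dst = ipaddress.IPv4Address(quoted[16:20])
    need_frag = (icmp_type, code) == (3, 4)
    return {
        "need_frag": need_frag,
        "mtu": mtu if need_frag else None,
        "inner_dst": str(inner_dst),
        # The recipient matches the error to a connection via the quoted header.
        "quotes_recipient": inner_src == outer_dst,
        "leaks_private": inner_src.is_private or inner_dst.is_private,
    }

# Constructed from the tcpdump line in the question; the quoted source address
# and the public mapping used in TRANSLATED are assumptions.
UNTRANSLATED = build_need_frag("129.242.16.119", "193.166.3.2",
                               "193.166.3.2", "10.1.1.2", 1280)
TRANSLATED = build_need_frag("129.242.16.119", "193.166.3.2",
                             "193.166.3.2", "129.242.16.119", 1280)

if __name__ == "__main__":
    for name, pkt in (("untranslated", UNTRANSLATED), ("translated", TRANSLATED)):
        print(name, inspect_icmp_error(pkt))
```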