NetBSD-Bugs archive
bin/39520: IPNAT fails to consistently handle FTP sessions
>Number: 39520
>Category: bin
>Synopsis: IPNAT fails to consistently handle FTP sessions
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Sep 11 17:10:00 +0000 2008
>Originator: Peter Eisch
>Release: 4.0.0_PATCH
>Organization:
>Environment:
NetBSD adder 4.0.0_PATCH NetBSD 4.0.0_PATCH (PETER-FW) #11: Mon May 26 18:12:05 CDT 2008 peter@buster:/builds/netbsd-4-0/i386/obj/builds/netbsd-4-0/src/sys/arch/i386/compile/PETER-FW i386
>Description:
Using rules:
map vlan150 from local/24 to remote/32 -> vlan150/32 proxy port ftp ftp/tcp
map vlan150 from local/24 to remote/32 -> vlan150/32 portmap tcp/udp 40000:60000
map vlan150 from local/24 to remote/32 -> vlan150/32
Where local is the local net, remote is the remote system and 'vlan150/32' is
the IP address on vlan150.
(I can email specific traces and config, but it would be wrong to put the
addresses in the public record.)
FTP sessions will occasionally fail when going through this interface. The
problem will be in the PORT command where it still has the local IP address
instead of it being NAT'd to vlan150/32's address.
By occasionally I mean that it may work for a few sessions but inevitably it
will fail all from the same host.
I modified the rules to replace local/24 with the specific host, but it would
still fail.
>How-To-Repeat:
Configure an overload NAT and FTP through it.
My kernel config includes:
include "arch/i386/conf/GENERIC.MP"
ipmi0 at mainbus?
options IPSTATE_SIZE=92111
options IPSTATE_MAX=64433
options NAT_SIZE=2047
options RDR_SIZE=2047
options HOSTMAP_SIZE=8191
options NAT_TABLE_MAX=180000
options NAT_TABLE_SZ=16383
options GATEWAY
options BRIDGE_IPF
...
>Fix:
none, yet
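
The symptom described in the report (a PORT command leaving the NAT with the local address still in it) can be checked for in a capture of the FTP control channel taken on the outside interface. The following is an added example, not part of the original report or of IPFilter: the function names are hypothetical, and the addresses are constructed documentation placeholders standing in for local/24 and vlan150/32.

```python
import ipaddress
import re

# PORT h1,h2,h3,h4,p1,p2 (RFC 959) and EPRT |1|addr|port| (RFC 2428, IPv4 form)
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$", re.I)
EPRT_RE = re.compile(r"^EPRT\s+(.)1\1([0-9.]+)\1(\d{1,5})\1\s*$", re.I)

def parse_active_cmd(line):
    """Return (ip, port) advertised by a PORT/EPRT line, or None if not one."""
    line = line.strip()
    try:
        m = PORT_RE.match(line)
        if m:
            o = [int(x) for x in m.groups()]
            if any(v > 255 for v in o):
                return None  # malformed octet or port byte
            return ipaddress.IPv4Address(".".join(map(str, o[:4]))), o[4] * 256 + o[5]
        m = EPRT_RE.match(line)
        if m and int(m.group(3)) <= 65535:
            return ipaddress.IPv4Address(m.group(2)), int(m.group(3))
    except ipaddress.AddressValueError:
        return None
    return None

def find_untranslated(lines, nat_addr, inside_net):
    """List (lineno, ip, port) where the advertised address is still an inside one."""
    nat = ipaddress.IPv4Address(nat_addr)
    net = ipaddress.ip_network(inside_net)
    hits = []
    for n, line in enumerate(lines, 1):
        parsed = parse_active_cmd(line)
        if parsed and parsed[0] != nat and parsed[0] in net:
            hits.append((n, str(parsed[0]), parsed[1]))
    return hits

# Constructed client-side control-channel lines as seen outside the NAT.
# 192.0.2.0/24 stands in for local/24, 198.51.100.1 for vlan150/32.
SAMPLE = [
    "USER anonymous",
    "PORT 198,51,100,1,156,64",   # rewritten by the proxy: port 40000
    "LIST",
    "PORT 192,0,2,17,195,80",     # local address not rewritten: port 50000
    "EPRT |1|192.0.2.17|50001|",  # same problem in the extended form
]

if __name__ == "__main__":
    for lineno, ip, port in find_untranslated(SAMPLE, "198.51.100.1", "192.0.2.0/24"):
        print(f"line {lineno}: inside address {ip}:{port} in active-mode command")
```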