| To: | ipfilter@coombs.anu.edu.au |
|---|---|
| Subject: | IPF 4.1.16 - Slow NAT/FTP mix-up |
| From: | "Corey Johnston" <coreyj@gmail.com> |
| Date: | Tue, 2 Jan 2007 11:57:54 +1100 |
| Sender: | owner-ipfilter@coombs.anu.edu.au |
|
(... last email was prematurely sent.. apologies for the apparent double post)

I've got an unusual problem with IPF 4.1.16, which I've hinted at in a few recent posts. I've applied the latest patch, which now allows the ipnat table to be displayed, which is great, but the problem still exists.

ipnat is running extremely slowly, where IPF is acting as a simple router, and NAT'ing private addresses into a single public address. When I say slowly, connections seem to initiate slowly, but once established, when they're running, they run at full speed. For example, a single HTTP download of a large file (100Mb) downloads at full-speed on a 24MBit ADSL connection. It's just that browsing the webpages is really painful; bits of pages load, but then there are severe delays before the rest loads.

I originally thought that this was an OS tuning issue, but I no longer think it is. When the router isn't natting, it seems to run at full-speed, passing packets from one interface to the other. But when NAT comes into the mix, these slow-downs come into play.

I also noticed when doing this that some non-ftp outbound NAT sessions appear to be identified as ftp, and I'm guessing are being filtered through the ftp proxy. (Either that, or I'm misreading the output of ipnat -sl.) That is, since clearing the state/nat tables, I haven't used any FTP sites, but some entries in the NAT table are being incorrectly identified as ftp. (Am wondering if they are being processed by the FTP nat proxy, hence contributing to the slows.)
```
[admin@myfirewall]$ sudo ipnat -CF -f /etc/ipnat.conf
[admin@myfirewall]$ sudo ipnat -sl
mapped  in 9716  out 8912
added   444      expired 0
no memory 0      bad nat 0
inuse   57
rules   10
wilds   0
List of active MAP/Redirect filters:
map bge1 from 10.0.0.0/8 to any -> 0.0.0.0/32 proxy port ftp ftp/tcp
map bge1 from 10.0.0.0/8 to any -> 0.0.0.0/32 portmap tcp/udp auto
map bge1 from 10.0.0.0/8 to any -> 0.0.0.0/32
map nge1 from 10.0.0.0/8 to any -> 0.0.0.0/32 proxy port ftp ftp/tcp
map nge1 from 10.0.0.0/8 to any -> 0.0.0.0/32 portmap tcp/udp auto
map nge1 from 10.0.0.0/8 to any -> 0.0.0.0/32

List of active sessions:
MAP 10.5.0.115 2134 <- -> my-public-ip 2134 [216.239.63.19 80]
MAP 10.5.0.115 2132 <- -> my-public-ip 2132 [216.239.63.19 80]
MAP 10.5.0.115 2130 <- -> my-public-ip 2130 [216.239.63.189 80]
MAP 10.5.0.115 2128 <- -> my-public-ip 2128 [198.142.23.80 80]
MAP 10.5.0.115 2126 <- -> my-public-ip 2126 [198.142.23.80 80]
MAP 10.5.0.115 2124 <- -> my-public-ip 2124 [216.239.63.19 80]
MAP 10.5.0.115 2122 <- -> my-public-ip 2122 [216.239.63.19 80]
MAP 10.5.0.115 2120 <- -> my-public-ip 2120 [65.169.109.35 80]
MAP 10.5.0.115 2118 <- -> my-public-ip 2118 [216.239.63.19 80]
MAP 10.5.0.115 2116 <- -> my-public-ip 2116 [210.8.175.222 80]
MAP 10.5.0.115 2114 <- -> my-public-ip 2114 [198.142.23.78 80]
MAP 10.5.0.115 2112 <- -> my-public-ip 2112 [144.135.8.151 80]
MAP 10.5.0.115 2111 <- -> my-public-ip 2111 [144.135.8.151 80]
MAP 10.5.0.115 2108 <- -> my-public-ip 2108 [128.242.107.117 80]
MAP 10.5.0.115 2107 <- -> my-public-ip 2107 [128.242.107.117 80]
MAP 10.5.0.115 2104 <- -> my-public-ip 2104 [65.169.109.35 80]
MAP 10.5.0.115 2102 <- -> my-public-ip 2102 [216.74.132.11 80]
MAP 10.5.0.115 2100 <- -> my-public-ip 2100 [65.214.39.190 80]
MAP 10.5.0.115 2098 <- -> my-public-ip 2098 [198.142.23.80 80]
MAP 10.5.0.115 2096 <- -> my-public-ip 2096 [144.135.8.193 80]
MAP 10.5.0.115 2094 <- -> my-public-ip 2094 [209.50.189.200 80]
MAP 10.5.0.115 1858 <- -> my-public-ip 1858 [216.239.63.19 80]
        proxy ftp/6 use -413 flags 0
        proto 6 flags 0 bytes 0 pkts 0
        data YES size 344
        FTP Proxy: passok: 1
        Client: seq 0 (ack 0) len 0 junk 0 cmds 0 buf [\000]
        Server: seq 9226568 (ack 0) len 0 junk 0 cmds 0 buf [\000]
MAP 10.5.0.115 2092 <- -> my-public-ip 2092 [216.239.63.19 80]
MAP 10.5.0.115 2090 <- -> my-public-ip 2090 [144.135.8.193 80]
MAP 10.5.0.115 2088 <- -> my-public-ip 2088 [144.135.8.153 80]
MAP 10.5.0.115 2086 <- -> my-public-ip 2086 [198.142.23.80 80]
MAP 10.5.0.115 2084 <- -> my-public-ip 2084 [198.142.23.78 80]
MAP 10.5.0.115 2082 <- -> my-public-ip 2082 [64.158.223.128 80]
MAP 10.5.0.115 2080 <- -> my-public-ip 2080 [210.8.175.222 80]
MAP 10.5.0.115 2078 <- -> my-public-ip 2078 [72.21.203.1 80]
MAP 10.5.0.115 2076 <- -> my-public-ip 2076 [65.54.157.252 80]
MAP 10.5.0.115 2074 <- -> my-public-ip 2074 [216.74.132.11 80]
MAP 10.5.0.115 2072 <- -> my-public-ip 2072 [198.142.23.78 80]
MAP 10.5.0.115 2071 <- -> my-public-ip 2071 [198.142.23.80 80]
MAP 10.5.0.115 2068 <- -> my-public-ip 2068 [207.68.172.236 80]
MAP 10.5.0.115 2066 <- -> my-public-ip 2066 [128.241.21.149 80]
MAP 10.5.0.115 2064 <- -> my-public-ip 2064 [207.46.216.62 80]
MAP 10.5.0.115 2062 <- -> my-public-ip 2062 [207.46.150.50 80]
MAP 10.5.0.115 2060 <- -> my-public-ip 2060 [207.46.150.50 80]
MAP 10.5.0.115 1807 <- -> my-public-ip 1807 [216.239.63.19 80]
        proxy ftp/6 use -413 flags 0
        proto 6 flags 0 bytes 0 pkts 0
        data YES size 344
        FTP Proxy: passok: 1
        Client: seq 0 (ack 0) len 0 junk 0 cmds 0 buf [\000]
        Server: seq 74a8615d (ack 0) len 0 junk 0 cmds 0 buf [\000]
MAP 10.5.0.115 2058 <- -> my-public-ip 2058 [207.68.179.219 80]
MAP 10.5.0.115 2056 <- -> my-public-ip 2056 [216.73.86.91 80]
MAP 10.5.0.115 2054 <- -> my-public-ip 2054 [65.205.8.52 80]
MAP 10.5.0.115 2052 <- -> my-public-ip 2052 [210.8.118.61 80]
MAP 10.5.0.115 2050 <- -> my-public-ip 2050 [207.68.178.239 80]
MAP 10.5.0.115 2048 <- -> my-public-ip 2048 [65.54.195.185 80]
MAP 10.5.0.115 2046 <- -> my-public-ip 2046 [210.8.175.253 80]
MAP 10.5.0.115 2044 <- -> my-public-ip 2044 [65.54.195.185 80]
MAP 10.5.0.115 2042 <- -> my-public-ip 2042 [65.54.195.185 80]
MAP 10.5.0.115 2040 <- -> my-public-ip 2040 [210.8.175.253 80]
MAP 10.5.0.115 2039 <- -> my-public-ip 2039 [210.8.175.222 80]
MAP 10.5.0.115 2036 <- -> my-public-ip 2036 [210.8.175.253 80]
MAP 10.5.0.115 2034 <- -> my-public-ip 2034 [210.8.175.222 80]
MAP 10.5.0.115 2032 <- -> my-public-ip 2032 [66.151.152.125 80]
MAP 10.5.0.115 2030 <- -> my-public-ip 2030 [65.54.195.185 80]
MAP 10.5.0.115 2028 <- -> my-public-ip 2028 [207.46.216.62 80]
MAP 10.5.0.115 2026 <- -> my-public-ip 2026 [210.8.175.222 80]
```

For example, looking at the entry for `MAP 10.5.0.115 1858 <- -> my-public-ip 1858 [216.239.63.19 80]` ... it shows it as being an FTP connection:

```
        proxy ftp/6 use -413 flags 0
        proto 6 flags 0 bytes 0 pkts 0
        data YES size 344
        FTP Proxy: passok: 1
        Client: seq 0 (ack 0) len 0 junk 0 cmds 0 buf [\000]
        Server: seq 9226568 (ack 0) len 0 junk 0 cmds 0 buf [\000]
```

Yet, as you can tell, it's for port 80 - an HTTP request.

As you can see, my ruleset for ipnat is pretty simple, so I think it might be a bug in ipnat. Any suggestions would definitely be appreciated - there's definitely been a bit of hair-pulling trying to diag these unusual symptoms!