On how to make NAT work, what I did in PF was this:

    (a) When the port is not locked to a particular number, I simply iterate
        ports until the Toeplitz hash for the translated address/port pair
        winds up on the same cpu as the Toeplitz hash of the original.

        This way both sides of the NAT conversation wind up on the same cpu
        and no locking is required.

    (b) If the translated port is locked (which is a feature that PF has,
        for example), it may not be possible to match up the Toeplitz hash.

        In this situation the state goes into a global table with a global
        lock, and the state is individually locked by the filter.

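As an added example (not code from the mail, from PF or from DragonFly), the port walk described in (a) written out in C: compute the Toeplitz RSS hash of the IPv4/TCP 4-tuple, then iterate translated source ports until the reply-direction tuple hashes to the same cpu as the original flow. It assumes cpu selection is hash modulo NCPUS and uses the public Microsoft RSS verification key; the addresses and port range in the check below are constructed.

```c
#include <stdint.h>
#include <stddef.h>

#define NCPUS 4   /* assumption: cpu = hash % NCPUS */

/* Microsoft RSS verification key (public test key, not a PF/DragonFly key). */
static const uint8_t rss_key[40] = {
    0x6d, 0x5a, 0x56, 0xda, 0x25, 0x5b, 0x0e, 0xc2, 0x41, 0x67,
    0x25, 0x3d, 0x43, 0xa3, 0x8f, 0xb0, 0xd0, 0xca, 0x2b, 0xcb,
    0xae, 0x7b, 0x30, 0xb4, 0x77, 0xcb, 0x2d, 0xa3, 0x80, 0x30,
    0xf2, 0x0c, 0x6a, 0x42, 0xb7, 0x3b, 0xbe, 0xac, 0x01, 0xfa };

/* 32-bit window of the key starting at bit offset `bit` (MSB first). */
static uint32_t key_window(size_t bit)
{
    uint32_t w = 0;
    for (size_t p = bit; p < bit + 32; p++)
        w = (w << 1) | ((rss_key[p / 8] >> (7 - p % 8)) & 1);
    return w;
}

/* Toeplitz hash: XOR the key window at every set bit of the input. */
static uint32_t toeplitz(const uint8_t *d, size_t len)
{
    uint32_t h = 0;
    for (size_t i = 0; i < len * 8; i++)
        if (d[i / 8] & (0x80 >> (i % 8)))
            h ^= key_window(i);
    return h;
}

/* IPv4/TCP 4-tuple in RSS input order: saddr, daddr, sport, dport (big-endian). */
uint32_t hash4(uint32_t saddr, uint32_t daddr, uint16_t sport, uint16_t dport)
{
    uint8_t b[12] = { saddr >> 24, saddr >> 16, saddr >> 8, saddr,
                      daddr >> 24, daddr >> 16, daddr >> 8, daddr,
                      sport >> 8, sport, dport >> 8, dport };
    return toeplitz(b, sizeof b);
}

unsigned cpu_of(uint32_t h) { return h % NCPUS; }

/* Case (a): first translated port in [lo,hi] whose reply tuple
 * (daddr:dport -> nat:tport) hashes to the original flow's cpu, else -1
 * (the case (b) situation: the state goes to the globally locked table). */
int pick_nat_port(uint32_t saddr, uint16_t sport, uint32_t daddr, uint16_t dport,
                  uint32_t nat, uint16_t lo, uint16_t hi)
{
    unsigned want = cpu_of(hash4(saddr, daddr, sport, dport));
    for (unsigned p = lo; p <= hi; p++)
        if (cpu_of(hash4(daddr, nat, dport, (uint16_t)p)) == want)
            return (int)p;
    return -1;
}
```

The first check below is the Microsoft RSS IPv4/TCP verification vector, so a wrong hash input order or bit order shows up immediately.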