diff --git a/tests/sys/netinet/libalias/2_natout.c b/tests/sys/netinet/libalias/2_natout.c
index 5b3e9a906bf5..2b6da8f597ed 100644
--- a/tests/sys/netinet/libalias/2_natout.c
+++ b/tests/sys/netinet/libalias/2_natout.c
@@ -1,414 +1,322 @@
 /*
  * SPDX-License-Identifier: BSD-3-Clause
  *
  * Copyright 2021 Lutz Donnerhacke
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above
  *    copyright notice, this list of conditions and the following
  *    disclaimer in the documentation and/or other materials provided
  *    with the distribution.
  * 3. Neither the name of the copyright holder nor the names of its
  *    contributors may be used to endorse or promote products derived
  *    from this software without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
  * CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
  * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
  * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS
  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
  * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
  * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
  * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 #include <atf-c.h>
 #include <alias.h>
 #include <stdio.h>
 #include <stdlib.h>
 
 #include "util.h"
 
-/* common ip ranges */
-static struct in_addr masq = { htonl(0x01020304) };
-static struct in_addr pub  = { htonl(0x0102dead) };
-static struct in_addr prv1 = { htonl(0x0a00dead) };
-static struct in_addr prv2 = { htonl(0xac10dead) };
-static struct in_addr prv3 = { htonl(0xc0a8dead) };
-static struct in_addr cgn  = { htonl(0x6440dead) };
-static struct in_addr ext  = { htonl(0x12345678) };
-
-#define NAT_CHECK(pip, src, msq)	do {	\
-	int res;				\
-	int len = ntohs(pip->ip_len);		\
-	struct in_addr dst = pip->ip_dst;	\
-	pip->ip_src = src;			\
-	res = LibAliasOut(la, pip, len);	\
-	ATF_CHECK_MSG(res == PKT_ALIAS_OK,	\
-	    ">%d< not met PKT_ALIAS_OK", res);	\
-	ATF_CHECK(addr_eq(msq, pip->ip_src));	\
-	ATF_CHECK(addr_eq(dst, pip->ip_dst));	\
-} while(0)
-
-#define NAT_FAIL(pip, src, dst)	do {		\
-	int res;				\
-	int len = ntohs(pip->ip_len);		\
-	pip->ip_src = src;			\
-	pip->ip_dst = dst;			\
-	res = LibAliasOut(la, pip, len);	\
-	ATF_CHECK_MSG(res != PKT_ALIAS_OK),	\
-	    ">%d< not met !PKT_ALIAS_OK", res);	\
-	ATF_CHECK(addr_eq(src, pip->ip_src));	\
-	ATF_CHECK(addr_eq(dst, pip->ip_dst));	\
-} while(0)
-
-#define UNNAT_CHECK(pip, src, dst, rel)	do {	\
-	int res;				\
-	int len = ntohs(pip->ip_len);		\
-	pip->ip_src = src;			\
-	pip->ip_dst = dst;			\
-	res = LibAliasIn(la, pip, len);		\
-	ATF_CHECK_MSG(res == PKT_ALIAS_OK,	\
-	    ">%d< not met PKT_ALIAS_OK", res);	\
-	ATF_CHECK(addr_eq(src, pip->ip_src));	\
-	ATF_CHECK(addr_eq(rel, pip->ip_dst));	\
-} while(0)
-
-#define UNNAT_FAIL(pip, src, dst)	do {	\
-	int res;				\
-	int len = ntohs(pip->ip_len);		\
-	pip->ip_src = src;			\
-	pip->ip_dst = dst;			\
-	res = LibAliasIn(la, pip, len);		\
-	ATF_CHECK_MSG(res != PKT_ALIAS_OK,	\
-	    ">%d< not met !PKT_ALIAS_OK", res);	\
-	ATF_CHECK(addr_eq(src, pip->ip_src));	\
-	ATF_CHECK(addr_eq(dst, pip->ip_dst));	\
-} while(0)
-
 ATF_TC_WITHOUT_HEAD(1_simplemasq);
 ATF_TC_BODY(1_simplemasq, dummy)
 {
 	struct libalias *la = LibAliasInit(NULL);
 	struct ip *pip;
 
 	ATF_REQUIRE(la != NULL);
 	LibAliasSetAddress(la, masq);
 	LibAliasSetMode(la, 0, ~0);
 
-	pip = ip_packet(prv1, ext, 254, 64);
-	NAT_CHECK(pip, prv1, masq);
-	NAT_CHECK(pip, prv2, masq);
-	NAT_CHECK(pip, prv3, masq);
-	NAT_CHECK(pip, cgn,  masq);
-	NAT_CHECK(pip, pub,  masq);
+	pip = ip_packet(254, 64);
+	NAT_CHECK(pip, prv1, ext, masq);
+	NAT_CHECK(pip, prv2, ext, masq);
+	NAT_CHECK(pip, prv3, ext, masq);
+	NAT_CHECK(pip, cgn,  ext, masq);
+	NAT_CHECK(pip, pub,  ext, masq);
 
 	free(pip);
 	LibAliasUninit(la);
 }
 
 ATF_TC_WITHOUT_HEAD(2_unregistered);
 ATF_TC_BODY(2_unregistered, dummy)
 {
 	struct libalias *la = LibAliasInit(NULL);
 	struct ip *pip;
 
 	ATF_REQUIRE(la != NULL);
 	LibAliasSetAddress(la, masq);
 	LibAliasSetMode(la, PKT_ALIAS_UNREGISTERED_ONLY, ~0);
 
-	pip = ip_packet(prv1, ext, 254, 64);
-	NAT_CHECK(pip, prv1, masq);
-	NAT_CHECK(pip, prv2, masq);
-	NAT_CHECK(pip, prv3, masq);
-	NAT_CHECK(pip, cgn,  cgn);
-	NAT_CHECK(pip, pub,  pub);
+	pip = ip_packet(254, 64);
+	NAT_CHECK(pip, prv1, ext, masq);
+	NAT_CHECK(pip, prv2, ext, masq);
+	NAT_CHECK(pip, prv3, ext, masq);
+	NAT_CHECK(pip, cgn,  ext, cgn);
+	NAT_CHECK(pip, pub,  ext, pub);
 
 	/*
 	 * State is only for new connections
 	 * Because they are now active,
 	 * the mode setting should be ignored
 	 */
 	LibAliasSetMode(la, 0, PKT_ALIAS_UNREGISTERED_ONLY);
-	NAT_CHECK(pip, prv1, masq);
-	NAT_CHECK(pip, prv2, masq);
-	NAT_CHECK(pip, prv3, masq);
-	NAT_CHECK(pip, cgn,  cgn);
-	NAT_CHECK(pip, pub,  pub);
+	NAT_CHECK(pip, prv1, ext, masq);
+	NAT_CHECK(pip, prv2, ext, masq);
+	NAT_CHECK(pip, prv3, ext, masq);
+	NAT_CHECK(pip, cgn,  ext, cgn);
+	NAT_CHECK(pip, pub,  ext, pub);
 
 	free(pip);
 	LibAliasUninit(la);
 }
 
 ATF_TC_WITHOUT_HEAD(3_cgn);
 ATF_TC_BODY(3_cgn, dummy)
 {
 	struct libalias *la = LibAliasInit(NULL);
 	struct ip *pip;
 
 	ATF_REQUIRE(la != NULL);
 	LibAliasSetAddress(la, masq);
 	LibAliasSetMode(la, PKT_ALIAS_UNREGISTERED_CGN, ~0);
 
-	pip = ip_packet(prv1, ext, 254, 64);
-	NAT_CHECK(pip, prv1, masq);
-	NAT_CHECK(pip, prv2, masq);
-	NAT_CHECK(pip, prv3, masq);
-	NAT_CHECK(pip, cgn,  masq);
-	NAT_CHECK(pip, pub,  pub);
+	pip = ip_packet(254, 64);
+	NAT_CHECK(pip, prv1, ext, masq);
+	NAT_CHECK(pip, prv2, ext, masq);
+	NAT_CHECK(pip, prv3, ext, masq);
+	NAT_CHECK(pip, cgn,  ext, masq);
+	NAT_CHECK(pip, pub,  ext, pub);
 
 	/*
 	 * State is only for new connections
 	 * Because they are now active,
 	 * the mode setting should be ignored
 	 */
 	LibAliasSetMode(la, 0, PKT_ALIAS_UNREGISTERED_CGN);
-	NAT_CHECK(pip, prv1, masq);
-	NAT_CHECK(pip, prv2, masq);
-	NAT_CHECK(pip, prv3, masq);
-	NAT_CHECK(pip, cgn,  masq);
-	NAT_CHECK(pip, pub,  pub);
+	NAT_CHECK(pip, prv1, ext, masq);
+	NAT_CHECK(pip, prv2, ext, masq);
+	NAT_CHECK(pip, prv3, ext, masq);
+	NAT_CHECK(pip, cgn,  ext, masq);
+	NAT_CHECK(pip, pub,  ext, pub);
 
 	free(pip);
 	LibAliasUninit(la);
 }
 
 ATF_TC_WITHOUT_HEAD(4_udp);
 ATF_TC_BODY(4_udp, dummy)
 {
 	struct libalias *la = LibAliasInit(NULL);
 	struct ip  *po, *pi;
 	struct udphdr *ui, *uo;
 	uint16_t sport = 0x1234;
 	uint16_t dport = 0x5678;
 	uint16_t aport;
 
 	ATF_REQUIRE(la != NULL);
 	LibAliasSetAddress(la, masq);
 	LibAliasSetMode(la, 0, ~0);
 
 	/* Query from prv1 */
-	po = ip_packet(prv1, ext, 0, 64);
-	uo = set_udp(po, sport, dport);
-	NAT_CHECK(po, prv1, masq);
-	ATF_CHECK(uo->uh_dport == htons(dport));
-	ATF_CHECK(addr_eq(po->ip_dst, ext));
+	po = ip_packet(0, 64);
+	UDP_NAT_CHECK(po, uo, prv1, sport, ext, dport, masq);
 	aport = ntohs(uo->uh_sport);
 	/* should use a different external port */
 	ATF_CHECK(aport != sport);
 
 	/* Response */
-	pi = ip_packet(po->ip_dst, po->ip_src, 0, 64);
-	ui = set_udp(pi, ntohs(uo->uh_dport), ntohs(uo->uh_sport));
-	UNNAT_CHECK(pi, ext, masq, prv1);
-	ATF_CHECK(ui->uh_sport == htons(dport));
-	ATF_CHECK(ui->uh_dport == htons(sport));
+	pi = ip_packet(0, 64);
+	UDP_UNNAT_CHECK(pi, ui, ext, dport, masq, aport, prv1, sport);
 
 	/* Query from different source with same ports */
-	uo = set_udp(po, sport, dport);
-	NAT_CHECK(po, prv2, masq);
-	ATF_CHECK(uo->uh_dport == htons(dport));
-	ATF_CHECK(addr_eq(po->ip_dst, ext));
+	UDP_NAT_CHECK(po, uo, prv2, sport, ext, dport, masq);
 	/* should use a different external port */
 	ATF_CHECK(uo->uh_sport != htons(aport));
 
 	/* Response to prv2 */
 	ui->uh_dport = uo->uh_sport;
-	UNNAT_CHECK(pi, ext, masq, prv2);
-	ATF_CHECK(ui->uh_sport == htons(dport));
-	ATF_CHECK(ui->uh_dport == htons(sport));
+	UDP_UNNAT_CHECK(pi, ui, ext, dport, masq, htons(uo->uh_sport), prv2, sport);
 
 	/* Response to prv1 again */
-	ui->uh_dport = htons(aport);
-	UNNAT_CHECK(pi, ext, masq, prv1);
-	ATF_CHECK(ui->uh_sport == htons(dport));
-	ATF_CHECK(ui->uh_dport == htons(sport));
+	UDP_UNNAT_CHECK(pi, ui, ext, dport, masq, aport, prv1, sport);
 
 	free(pi);
 	free(po);
 	LibAliasUninit(la);
 }
 
 ATF_TC_WITHOUT_HEAD(5_sameport);
 ATF_TC_BODY(5_sameport, dummy)
 {
 	struct libalias *la = LibAliasInit(NULL);
 	struct ip  *p;
 	struct udphdr *u;
 	uint16_t sport = 0x1234;
 	uint16_t dport = 0x5678;
 	uint16_t aport;
 
 	ATF_REQUIRE(la != NULL);
 	LibAliasSetAddress(la, masq);
 	LibAliasSetMode(la, PKT_ALIAS_SAME_PORTS, ~0);
 
 	/* Query from prv1 */
-	p = ip_packet(prv1, ext, 0, 64);
-	u = set_udp(p, sport, dport);
-	NAT_CHECK(p, prv1, masq);
-	ATF_CHECK(u->uh_dport == htons(dport));
-	ATF_CHECK(addr_eq(p->ip_dst, ext));
+	p = ip_packet(0, 64);
+	UDP_NAT_CHECK(p, u, prv1, sport, ext, dport, masq);
 	aport = ntohs(u->uh_sport);
 	/* should use the same external port */
 	ATF_CHECK(aport == sport);
 
 	/* Query from different source with same ports */
-	u = set_udp(p, sport, dport);
-	NAT_CHECK(p, prv2, masq);
-	ATF_CHECK(u->uh_dport == htons(dport));
-	ATF_CHECK(addr_eq(p->ip_dst, ext));
+	UDP_NAT_CHECK(p, u, prv2, sport, ext, dport, masq);
 	/* should use a different external port */
 	ATF_CHECK(u->uh_sport != htons(aport));
 
 	free(p);
 	LibAliasUninit(la);
 }
 
 ATF_TC_WITHOUT_HEAD(6_cleartable);
 ATF_TC_BODY(6_cleartable, dummy)
 {
 	struct libalias *la = LibAliasInit(NULL);
 	struct ip  *po, *pi;
 	struct udphdr *ui, *uo;
 	uint16_t sport = 0x1234;
 	uint16_t dport = 0x5678;
 	uint16_t aport;
 
 	ATF_REQUIRE(la != NULL);
 	LibAliasSetAddress(la, masq);
 	LibAliasSetMode(la, PKT_ALIAS_RESET_ON_ADDR_CHANGE, ~0);
 	LibAliasSetMode(la, PKT_ALIAS_SAME_PORTS, PKT_ALIAS_SAME_PORTS);
 	LibAliasSetMode(la, PKT_ALIAS_DENY_INCOMING, PKT_ALIAS_DENY_INCOMING);
 
 	/* Query from prv1 */
-	po = ip_packet(prv1, ext, 0, 64);
-	uo = set_udp(po, sport, dport);
-	NAT_CHECK(po, prv1, masq);
-	ATF_CHECK(uo->uh_dport == htons(dport));
-	ATF_CHECK(addr_eq(po->ip_dst, ext));
+	po = ip_packet(0, 64);
+	UDP_NAT_CHECK(po, uo, prv1, sport, ext, dport, masq);
 	aport = ntohs(uo->uh_sport);
 	/* should use the same external port */
 	ATF_CHECK(aport == sport);
 
 	/* Response */
-	pi = ip_packet(po->ip_dst, po->ip_src, 0, 64);
-	ui = set_udp(pi, ntohs(uo->uh_dport), ntohs(uo->uh_sport));
-	UNNAT_CHECK(pi, ext, masq, prv1);
-	ATF_CHECK(ui->uh_sport == htons(dport));
-	ATF_CHECK(ui->uh_dport == htons(sport));
+	pi = ip_packet(0, 64);
+	UDP_UNNAT_CHECK(po, uo, ext, dport, masq, aport, prv1, sport);
 
 	/* clear table by keeping the address */
 	LibAliasSetAddress(la, ext);
 	LibAliasSetAddress(la, masq);
 
 	/* Response to prv1 again -> DENY_INCOMING */
-	ui->uh_dport = htons(aport);
-	UNNAT_FAIL(pi, ext, masq);
+	UDP_UNNAT_FAIL(pi, ui, ext, dport, masq, aport);
 
 	/* Query from different source with same ports */
-	uo = set_udp(po, sport, dport);
-	NAT_CHECK(po, prv2, masq);
-	ATF_CHECK(uo->uh_dport == htons(dport));
-	ATF_CHECK(addr_eq(po->ip_dst, ext));
+	UDP_NAT_CHECK(po, uo, prv2, sport, ext, dport, masq);
 	/* should use the same external port, because it's free */
 	ATF_CHECK(uo->uh_sport == htons(aport));
 
 	/* Response to prv2 */
-	ui->uh_dport = uo->uh_sport;
-	UNNAT_CHECK(pi, ext, masq, prv2);
-	ATF_CHECK(ui->uh_sport == htons(dport));
-	ATF_CHECK(ui->uh_dport == htons(sport));
+	UDP_UNNAT_CHECK(po, uo, ext, dport, masq, htons(uo->uh_sport), prv2, sport);
 
 	free(pi);
 	free(po);
 	LibAliasUninit(la);
 }
 
 ATF_TC_WITHOUT_HEAD(7_stress);
 ATF_TC_BODY(7_stress, dummy)
 {
 	struct libalias *la = LibAliasInit(NULL);
 	struct ip *p;
 	struct udphdr *u;
 	struct {
 		struct in_addr src, dst;
 		uint16_t sport, dport, aport;
 	} *batch;
 	size_t const batch_size = 1200;
 	size_t const rounds = 25;
 	size_t i, j;
 
 	ATF_REQUIRE(la != NULL);
 	LibAliasSetAddress(la, masq);
 
-	p = ip_packet(prv1, ext, 0, 64);
-	u = set_udp(p, 0, 0);
+	p = ip_packet(0, 64);
 
 	batch = calloc(batch_size, sizeof(*batch));
 	ATF_REQUIRE(batch != NULL);
 	for (j = 0; j < rounds; j++) {
 		for (i = 0; i < batch_size; i++) {
 			struct in_addr s, d;
 			switch (i&3) {
 			case 0: s = prv1; d = ext; break;
 			case 1: s = prv2; d = pub; break;
 			case 2: s = prv3; d = ext; break;
 			case 3: s = cgn;  d = pub; break;
 			}
 			s.s_addr &= htonl(0xffff0000);
 			d.s_addr &= htonl(0xffff0000);
 			batch[i].src.s_addr = s.s_addr | htonl(rand_range(0, 0xffff));
 			batch[i].dst.s_addr = d.s_addr | htonl(rand_range(0, 0xffff));
 			batch[i].sport = rand_range(1000, 60000);
 			batch[i].dport = rand_range(1000, 60000);
 		}
 
 		for (i = 0; i < batch_size; i++) {
-			p->ip_dst = batch[i].dst;
-			u = set_udp(p, batch[i].sport, batch[i].dport);
-			NAT_CHECK(p, batch[i].src, masq);
-			ATF_CHECK(u->uh_dport == htons(batch[i].dport));
-			ATF_CHECK(addr_eq(p->ip_dst, batch[i].dst));
+			UDP_NAT_CHECK(p, u,
+			    batch[i].src, batch[i].sport,
+			    batch[i].dst, batch[i].dport,
+			    masq);
 			batch[i].aport = htons(u->uh_sport);
 		}
 
 		qsort(batch, batch_size, sizeof(*batch), randcmp);
 
 		for (i = 0; i < batch_size; i++) {
-			u = set_udp(p, batch[i].dport, batch[i].aport);
-			UNNAT_CHECK(p, batch[i].dst, masq, batch[i].src);
-			ATF_CHECK(u->uh_dport == htons(batch[i].sport));
-			ATF_CHECK(u->uh_sport == htons(batch[i].dport));
+			UDP_UNNAT_CHECK(p, u,
+			    batch[i].dst,  batch[i].dport,
+			    masq, batch[i].aport,
+			    batch[i].src, batch[i].sport);
 		}
 	}
 
 	free(batch);
 	free(p);
 	LibAliasUninit(la);
 }
 
 ATF_TP_ADD_TCS(natout)
 {
 	/* Use "dd if=/dev/random bs=2 count=1 | od -x" to reproduce */
 	srand(0x0b61);
 
 	ATF_TP_ADD_TC(natout, 1_simplemasq);
 	ATF_TP_ADD_TC(natout, 2_unregistered);
 	ATF_TP_ADD_TC(natout, 3_cgn);
 	ATF_TP_ADD_TC(natout, 4_udp);
 	ATF_TP_ADD_TC(natout, 5_sameport);
 	ATF_TP_ADD_TC(natout, 6_cleartable);
 	ATF_TP_ADD_TC(natout, 7_stress);
 
 	return atf_no_error();
 }
diff --git a/tests/sys/netinet/libalias/3_natin.c b/tests/sys/netinet/libalias/3_natin.c
new file mode 100644
index 000000000000..e8e5257e4baa
--- /dev/null
+++ b/tests/sys/netinet/libalias/3_natin.c
@@ -0,0 +1,381 @@
+/*
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ * Copyright 2021 Lutz Donnerhacke
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above
+ *    copyright notice, this list of conditions and the following
+ *    disclaimer in the documentation and/or other materials provided
+ *    with the distribution.
+ * 3. Neither the name of the copyright holder nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
+ * CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+ * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
+ * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+#include <atf-c.h>
+#include <alias.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "util.h"
+
+ATF_TC_WITHOUT_HEAD(1_portforward);
+ATF_TC_BODY(1_portforward, dummy)
+{
+	struct libalias *la = LibAliasInit(NULL);
+	struct alias_link *pf1, *pf2, *pf3, *pf4;
+	struct ip *p;
+	struct udphdr *u;
+
+	ATF_REQUIRE(la != NULL);
+	LibAliasSetAddress(la, masq);
+	LibAliasSetMode(la, PKT_ALIAS_RESET_ON_ADDR_CHANGE, ~0);
+	LibAliasSetMode(la, PKT_ALIAS_DENY_INCOMING, PKT_ALIAS_DENY_INCOMING);
+
+	/*
+	 * Fully specified
+	 */
+	pf1 = LibAliasRedirectPort(la, prv1, ntohs(0x1234), ext, ntohs(0x5678), masq, ntohs(0xabcd), IPPROTO_UDP);
+	ATF_REQUIRE(pf1 != NULL);
+
+	p = ip_packet(0, 64);
+	UDP_UNNAT_CHECK(p, u, ext, 0x5678, masq, 0xabcd, prv1, 0x1234);
+	/* try again */
+	UDP_UNNAT_CHECK(p, u, ext, 0x5678, masq, 0xabcd, prv1, 0x1234);
+	/* different source */
+	UDP_UNNAT_FAIL(p, u, pub, 0x5678, masq, 0xabcd);
+	UDP_UNNAT_FAIL(p, u, ext, 0xdead, masq, 0xabcd);
+
+	/* clear table by keeping the address */
+	LibAliasSetAddress(la, ext);
+	LibAliasSetAddress(la, masq);
+
+	/* delete and try again */
+	LibAliasRedirectDelete(la, pf1);
+	UDP_UNNAT_FAIL(p, u, ext, 0x5678, masq, 0xabcd);
+
+	/*
+	 * Any external port
+	 */
+	pf2 = LibAliasRedirectPort(la, prv2, ntohs(0x1234), ext, ntohs(0), masq, ntohs(0xabcd), IPPROTO_UDP);
+	ATF_REQUIRE(pf2 != NULL);
+
+	UDP_UNNAT_CHECK(p, u, ext, 0x5678, masq, 0xabcd, prv2, 0x1234);
+	/* try again */
+	UDP_UNNAT_CHECK(p, u, ext, 0x5678, masq, 0xabcd, prv2, 0x1234);
+	/* different source */
+	UDP_UNNAT_FAIL(p, u, pub, 0x5678, masq, 0xabcd);
+	UDP_UNNAT_CHECK(p, u, ext, 0xdead, masq, 0xabcd, prv2, 0x1234);
+
+	/* clear table by keeping the address */
+	LibAliasSetAddress(la, ext);
+	LibAliasSetAddress(la, masq);
+
+	/* delete and try again */
+	LibAliasRedirectDelete(la, pf2);
+	UDP_UNNAT_FAIL(p, u, ext, 0x5678, masq, 0xabcd);
+
+	/*
+	 * Any external host
+	 */
+	pf3 = LibAliasRedirectPort(la, prv3, ntohs(0x1234), ANY_ADDR, ntohs(0x5678), masq, ntohs(0xabcd), IPPROTO_UDP);
+	ATF_REQUIRE(pf3 != NULL);
+
+	UDP_UNNAT_CHECK(p, u, ext, 0x5678, masq, 0xabcd, prv3, 0x1234);
+	/* try again */
+	UDP_UNNAT_CHECK(p, u, ext, 0x5678, masq, 0xabcd, prv3, 0x1234);
+	/* different source */
+	UDP_UNNAT_CHECK(p, u, pub, 0x5678, masq, 0xabcd, prv3, 0x1234);
+	UDP_UNNAT_FAIL(p, u, ext, 0xdead, masq, 0xabcd);
+
+	/* clear table by keeping the address */
+	LibAliasSetAddress(la, ext);
+	LibAliasSetAddress(la, masq);
+
+	/* delete and try again */
+	LibAliasRedirectDelete(la, pf2);
+	UDP_UNNAT_FAIL(p, u, ext, 0x5678, masq, 0xabcd);
+
+	/*
+	 * Any external host, any port
+	 */
+	pf4 = LibAliasRedirectPort(la, cgn, ntohs(0x1234), ANY_ADDR, ntohs(0), masq, ntohs(0xabcd), IPPROTO_UDP);
+	ATF_REQUIRE(pf4 != NULL);
+
+	UDP_UNNAT_CHECK(p, u, ext, 0x5678, masq, 0xabcd, cgn, 0x1234);
+	/* try again */
+	UDP_UNNAT_CHECK(p, u, ext, 0x5678, masq, 0xabcd, cgn, 0x1234);
+	/* different source */
+	UDP_UNNAT_CHECK(p, u, pub, 0x5678, masq, 0xabcd, cgn, 0x1234);
+	UDP_UNNAT_CHECK(p, u, ext, 0xdead, masq, 0xabcd, cgn, 0x1234);
+
+	/* clear table by keeping the address */
+	LibAliasSetAddress(la, ext);
+	LibAliasSetAddress(la, masq);
+
+	/* delete and try again */
+	LibAliasRedirectDelete(la, pf2);
+	UDP_UNNAT_FAIL(p, u, ext, 0x5678, masq, 0xabcd);
+
+	free(p);
+	LibAliasUninit(la);
+}
+
+ATF_TC_WITHOUT_HEAD(2_portoverlap);
+ATF_TC_BODY(2_portoverlap, dummy)
+{
+	struct libalias *la = LibAliasInit(NULL);
+	struct alias_link *pf1, *pf2, *pf3, *pf4;
+	struct ip *p;
+	struct udphdr *u;
+
+	ATF_REQUIRE(la != NULL);
+	LibAliasSetAddress(la, masq);
+	LibAliasSetMode(la, PKT_ALIAS_RESET_ON_ADDR_CHANGE, ~0);
+	LibAliasSetMode(la, PKT_ALIAS_DENY_INCOMING, PKT_ALIAS_DENY_INCOMING);
+
+	/*
+	 * Fully specified
+	 */
+	pf1 = LibAliasRedirectPort(la, prv2, ntohs(0x1234), ext, ntohs(0x5678), masq, ntohs(0xabcd), IPPROTO_UDP);
+	ATF_REQUIRE(pf1 != NULL);
+
+	p = ip_packet(0, 64);
+	UDP_UNNAT_CHECK(p, u, ext, 0x5678, masq, 0xabcd, prv2, 0x1234);
+
+	/* clear table by keeping the address */
+	LibAliasSetAddress(la, ext);
+	LibAliasSetAddress(la, masq);
+
+	/*
+	 * Fully specified (override)
+	 */
+	pf1 = LibAliasRedirectPort(la, prv1, ntohs(0x1234), ext, ntohs(0x5678), masq, ntohs(0xabcd), IPPROTO_UDP);
+	ATF_REQUIRE(pf1 != NULL);
+
+	UDP_UNNAT_CHECK(p, u, ext, 0x5678, masq, 0xabcd, prv1, 0x1234);
+
+	/* clear table by keeping the address */
+	LibAliasSetAddress(la, ext);
+	LibAliasSetAddress(la, masq);
+
+	/*
+	 * Any external port
+	 */
+	pf2 = LibAliasRedirectPort(la, prv2, ntohs(0x1234), ext, ntohs(0), masq, ntohs(0xabcd), IPPROTO_UDP);
+	ATF_REQUIRE(pf2 != NULL);
+
+	UDP_UNNAT_CHECK(p, u, ext, 0x5679, masq, 0xabcd, prv2, 0x1234);
+	/* more specific rule wins */
+	UDP_UNNAT_CHECK(p, u, ext, 0x5678, masq, 0xabcd, prv1, 0x1234);
+
+	/* clear table by keeping the address */
+	LibAliasSetAddress(la, ext);
+	LibAliasSetAddress(la, masq);
+
+	/*
+	 * Any external host
+	 */
+	pf3 = LibAliasRedirectPort(la, prv3, ntohs(0x1234), ANY_ADDR, ntohs(0x5678), masq, ntohs(0xabcd), IPPROTO_UDP);
+	ATF_REQUIRE(pf3 != NULL);
+
+	UDP_UNNAT_CHECK(p, u, pub, 0x5678, masq, 0xabcd, prv3, 0x1234);
+	/* more specific rule wins */
+	UDP_UNNAT_CHECK(p, u, ext, 0x5679, masq, 0xabcd, prv2, 0x1234);
+	UDP_UNNAT_CHECK(p, u, ext, 0x5678, masq, 0xabcd, prv1, 0x1234);
+
+	/* clear table by keeping the address */
+	LibAliasSetAddress(la, ext);
+	LibAliasSetAddress(la, masq);
+
+	/*
+	 * Any external host, any port
+	 */
+	pf4 = LibAliasRedirectPort(la, cgn, ntohs(0x1234), ANY_ADDR, ntohs(0), masq, ntohs(0xabcd), IPPROTO_UDP);
+	ATF_REQUIRE(pf4 != NULL);
+
+	UDP_UNNAT_CHECK(p, u, prv1, 0x5679, masq, 0xabcd, cgn, 0x1234);
+	/* more specific rule wins */
+	UDP_UNNAT_CHECK(p, u, pub, 0x5678, masq, 0xabcd, prv3, 0x1234);
+	UDP_UNNAT_CHECK(p, u, ext, 0x5679, masq, 0xabcd, prv2, 0x1234);
+	UDP_UNNAT_CHECK(p, u, ext, 0x5678, masq, 0xabcd, prv1, 0x1234);
+
+	free(p);
+	LibAliasUninit(la);
+}
+
+ATF_TC_WITHOUT_HEAD(3_redirectany);
+ATF_TC_BODY(3_redirectany, dummy)
+{
+	struct libalias *la = LibAliasInit(NULL);
+	struct alias_link *pf;
+	struct ip *p;
+	struct udphdr *u;
+
+	ATF_REQUIRE(la != NULL);
+	LibAliasSetMode(la, PKT_ALIAS_DENY_INCOMING, ~0);
+	p = ip_packet(0, 64);
+
+	pf = LibAliasRedirectPort(la, prv1, ntohs(0x1234), ANY_ADDR, 0, ANY_ADDR, ntohs(0xabcd), IPPROTO_UDP);
+	ATF_REQUIRE(pf != NULL);
+
+	LibAliasSetAddress(la, masq);
+	UDP_UNNAT_CHECK(p, u, ext, 0x5678, masq, 0xabcd, prv1, 0x1234);
+	UDP_UNNAT_FAIL(p, u, pub, 0x5678, pub, 0xabcd);
+
+	LibAliasSetAddress(la, pub);
+	UDP_UNNAT_CHECK(p, u, pub, 0x5679, pub, 0xabcd, prv1, 0x1234);
+	UDP_UNNAT_FAIL(p, u, ext, 0x5679, masq, 0xabcd);
+
+	free(p);
+	LibAliasUninit(la);
+}
+
+ATF_TC_WITHOUT_HEAD(4_redirectaddr);
+ATF_TC_BODY(4_redirectaddr, dummy)
+{
+	struct libalias *la = LibAliasInit(NULL);
+	struct alias_link *pf1, *pf2;
+	struct ip *p;
+
+	ATF_REQUIRE(la != NULL);
+	LibAliasSetAddress(la, masq);
+	pf1 = LibAliasRedirectAddr(la, prv1, pub);
+	ATF_REQUIRE(pf1 != NULL);
+
+	p = ip_packet(254, 64);
+	UNNAT_CHECK(p, ext, pub, prv1);
+	UNNAT_CHECK(p, ext, masq, masq);
+
+	pf2 = LibAliasRedirectAddr(la, prv2, pub);
+	ATF_REQUIRE(pf2 != NULL);
+	UNNAT_CHECK(p, ext, pub, prv1);
+	p->ip_p = 253;		       /* new flows */
+	UNNAT_CHECK(p, ext, pub, prv2);
+	UNNAT_CHECK(p, ext, masq, masq);
+
+	p->ip_p = 252;		       /* new flows */
+	NAT_CHECK(p, prv1, ext, pub);
+	NAT_CHECK(p, prv2, ext, pub);
+	NAT_CHECK(p, prv3, ext, masq);
+
+	LibAliasSetMode(la, PKT_ALIAS_DENY_INCOMING, ~0);
+	p->ip_p = 251;		       /* new flows */
+	UNNAT_FAIL(p, ext, pub);
+	UNNAT_FAIL(p, ext, masq);
+
+	/* unhide older version */
+	LibAliasRedirectDelete(la, pf2);
+	LibAliasSetMode(la, 0, ~0);
+	p->ip_p = 250;		       /* new flows */
+	UNNAT_CHECK(p, ext, pub, prv1);
+
+	p->ip_p = 249;		       /* new flows */
+	NAT_CHECK(p, prv1, ext, pub);
+	NAT_CHECK(p, prv2, ext, masq);
+	NAT_CHECK(p, prv3, ext, masq);
+
+	free(p);
+	LibAliasUninit(la);
+}
+
+ATF_TC_WITHOUT_HEAD(5_lsnat);
+ATF_TC_BODY(5_lsnat, dummy)
+{
+	struct libalias *la = LibAliasInit(NULL);
+	struct alias_link *pf;
+	struct ip *p;
+	struct udphdr *u;
+
+	ATF_REQUIRE(la != NULL);
+	LibAliasSetMode(la, 0, ~0);
+	p = ip_packet(0, 64);
+
+	pf = LibAliasRedirectPort(la, cgn, ntohs(0xdead), ANY_ADDR, 0, masq, ntohs(0xabcd), IPPROTO_UDP);
+	ATF_REQUIRE(pf != NULL);
+
+	ATF_REQUIRE(0 == LibAliasAddServer(la, pf, prv1, ntohs(0x1234)));
+	ATF_REQUIRE(0 == LibAliasAddServer(la, pf, prv2, ntohs(0x2345)));
+	ATF_REQUIRE(0 == LibAliasAddServer(la, pf, prv3, ntohs(0x3456)));
+
+	UDP_UNNAT_CHECK(p, u, ext, 0x5678, masq, 0xabcd, prv3, 0x3456);
+	UDP_UNNAT_CHECK(p, u, ext, 0x5679, masq, 0xabcd, prv2, 0x2345);
+	UDP_UNNAT_CHECK(p, u, ext, 0x567a, masq, 0xabcd, prv1, 0x1234);
+	UDP_UNNAT_CHECK(p, u, ext, 0x567b, masq, 0xabcd, prv3, 0x3456);
+	UDP_UNNAT_CHECK(p, u, ext, 0x567c, masq, 0xabcd, prv2, 0x2345);
+	UDP_UNNAT_CHECK(p, u, ext, 0x567d, masq, 0xabcd, prv1, 0x1234);
+
+	free(p);
+	LibAliasUninit(la);
+}
+
+ATF_TC_WITHOUT_HEAD(6_oneshot);
+ATF_TC_BODY(6_oneshot, dummy)
+{
+	struct libalias *la = LibAliasInit(NULL);
+	struct alias_link *pf;
+	struct ip *p;
+	struct udphdr *u;
+
+	ATF_REQUIRE(la != NULL);
+	LibAliasSetMode(la, 0, ~0);
+	LibAliasSetMode(la, PKT_ALIAS_RESET_ON_ADDR_CHANGE, ~0);
+	LibAliasSetMode(la, PKT_ALIAS_DENY_INCOMING, PKT_ALIAS_DENY_INCOMING);
+
+	pf = LibAliasRedirectPort(la, prv1, ntohs(0x1234), ANY_ADDR, 0, masq, ntohs(0xabcd), IPPROTO_UDP);
+	ATF_REQUIRE(pf != NULL);
+	/* only for fully specified links */
+	ATF_CHECK(-1 == LibAliasRedirectDynamic(la, pf));
+	LibAliasRedirectDelete(la, pf);
+
+	pf = LibAliasRedirectPort(la, prv1, ntohs(0x1234), ext, ntohs(0x5678), masq, ntohs(0xabcd), IPPROTO_UDP);
+	ATF_REQUIRE(pf != NULL);
+	ATF_CHECK(0 == LibAliasRedirectDynamic(la, pf));
+
+	p = ip_packet(0, 64);
+	UDP_UNNAT_CHECK(p, u, ext, 0x5678, masq, 0xabcd, prv1, 0x1234);
+
+	/* clear table by keeping the address */
+	LibAliasSetAddress(la, ext);
+	LibAliasSetAddress(la, masq);
+
+	/* does not work anymore */
+	UDP_UNNAT_FAIL(p, u, ext, 0x5678, masq, 0xabcd);
+
+	free(p);
+	LibAliasUninit(la);
+}
+
+ATF_TP_ADD_TCS(natin)
+{
+	/* Use "dd if=/dev/random bs=2 count=1 | od -x" to reproduce */
+	srand(0xe859);
+
+	ATF_TP_ADD_TC(natin, 1_portforward);
+	ATF_TP_ADD_TC(natin, 2_portoverlap);
+	ATF_TP_ADD_TC(natin, 3_redirectany);
+	ATF_TP_ADD_TC(natin, 4_redirectaddr);
+	ATF_TP_ADD_TC(natin, 5_lsnat);
+	ATF_TP_ADD_TC(natin, 6_oneshot);
+
+	return atf_no_error();
+}
diff --git a/tests/sys/netinet/libalias/Makefile b/tests/sys/netinet/libalias/Makefile
index 6ee2fc0e0e1f..e5ed88f52fcd 100644
--- a/tests/sys/netinet/libalias/Makefile
+++ b/tests/sys/netinet/libalias/Makefile
@@ -1,31 +1,33 @@
 # $FreeBSD$
 
 PACKAGE=	tests
 
 TESTSDIR=	${TESTSBASE}/sys/netinet/libalias
 BINDIR=		${TESTSDIR}
 
 ATF_TESTS_C+=	1_instance	\
 		2_natout	\
+		3_natin		\
 
 PROGS+=		perf
 
 LIBADD+=	alias
 
 SRCS.1_instance=1_instance.c util.c
 SRCS.2_natout=	2_natout.c util.c
+SRCS.3_natin=	3_natin.c util.c
 SRCS.perf=	perf.c util.c
 
 .include <bsd.test.mk>
 
 #
 # Testing during development
 #
 test:	all
 	cd ${.OBJDIR}; kyua test
 
 report:
 	cd ${.OBJDIR}; kyua report
 
 report-v:
 	cd ${.OBJDIR}; kyua report --verbose
diff --git a/tests/sys/netinet/libalias/perf.c b/tests/sys/netinet/libalias/perf.c
index 365b8f2e9fcc..f238846bdb16 100644
--- a/tests/sys/netinet/libalias/perf.c
+++ b/tests/sys/netinet/libalias/perf.c
@@ -1,231 +1,308 @@
 /*
  * SPDX-License-Identifier: BSD-3-Clause
  *
  * Copyright 2021 Lutz Donnerhacke
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above
  *    copyright notice, this list of conditions and the following
  *    disclaimer in the documentation and/or other materials provided
  *    with the distribution.
  * 3. Neither the name of the copyright holder nor the names of its
  *    contributors may be used to endorse or promote products derived
  *    from this software without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
  * CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
  * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
  * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS
  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
  * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
  * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
  * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 #include <stdio.h>
 #include <stdlib.h>
 #include <strings.h>
 #include <sys/time.h>
 #include "util.h"
 #include <alias.h>
 
-/* common ip ranges */
-static struct in_addr masq = { htonl(0x01020304) };
-static struct in_addr prv  = { htonl(0x0a000000) };
-static struct in_addr ext  = { htonl(0x12000000) };
+static void usage(void);
 
 #define	timevalcmp(tv, uv, cmp)			\
 	(((tv).tv_sec == (uv).tv_sec)		\
 	 ? ((tv).tv_usec cmp (uv).tv_usec)	\
 	 : ((tv).tv_sec cmp (uv).tv_sec))
 
 #define timevaldiff(n, o) (float)		\
 	(((n).tv_sec - (o).tv_sec)*1000000l +	\
 	 ((n).tv_usec - (o).tv_usec))
 
+#define check_timeout()	do {				\
+	if (check_timeout_cnt++ > 1000) {		\
+		check_timeout_cnt = 0;			\
+		gettimeofday(&now, NULL);		\
+		if (timevalcmp(now, timeout, >=))	\
+		    goto out;				\
+	} } while(0)
+
+static void
+usage(void) {
+	printf("Usage: perf [max_seconds [batch_size [random_size [attack_size [redir_size]]]]]\n");
+	exit(1);
+}
+
 int main(int argc, char ** argv)
 {
 	struct libalias *la;
-	struct timeval timeout;
+	struct timeval timeout, now, start;
 	struct ip *p;
 	struct udphdr *u;
 	struct {
 		struct in_addr src, dst;
 		uint16_t sport, dport, aport;
 	} *batch;
 	struct {
 		unsigned long ok, fail;
-	} nat, unnat, random, attack;
-	int max_seconds, batch_size, random_size, attack_length, round, cnt;
-
-	if(argc != 5 ||
-	   0 >  (max_seconds = atoi(argv[1])) ||
-	   0 >= (batch_size = atoi(argv[2])) ||
-	   0 >= (random_size = atoi(argv[3])) ||
-	   0 >= (attack_length = atoi(argv[4]))) {
-		printf("Usage: %s max_seconds batch_size random_size attack_length\n", argv[0]);
-		return 1;
+	} nat, usenat, unnat, random, attack;
+	int i, round, check_timeout_cnt = 0;
+	int max_seconds = 90, batch_size = 2000,
+	    random_size = 1000, attack_size = 1000,
+	    redir_size = 2000;
+
+	if (argc >= 2) {
+		char * end;
+
+		max_seconds = strtol(argv[1], &end, 10);
+		if (max_seconds < 2 || end[0] != '\0')
+			usage();
 	}
+	if (argc > 2 && (batch_size  = atoi(argv[2])) < 0)	usage();
+	if (argc > 3 && (random_size = atoi(argv[3])) < 0)	usage();
+	if (argc > 4 && (attack_size = atoi(argv[4])) < 0)	usage();
+	if (argc > 5 && (redir_size  = atoi(argv[5])) < 0)	usage();
+
+	printf("Running perfomance test with parameters:\n");
+	printf("  Maximum Runtime (max_seconds) = %d\n", max_seconds);
+	printf("  Amount of valid connections (batch_size) = %d\n", batch_size);
+	printf("  Amount of random, incoming packets (batch_size) = %d\n", random_size);
+	printf("  Repeat count of a random, incoming packet (attack_size) = %d\n", attack_size);
+	printf("  Amount of open port forwardings (redir_size) = %d\n", redir_size);
+	printf("\n");
+
 	if (NULL == (la = LibAliasInit(NULL))) {
 		perror("LibAliasInit");
 		return -1;
 	}
 
 	bzero(&nat, sizeof(nat));
+	bzero(&usenat, sizeof(usenat));
 	bzero(&unnat, sizeof(unnat));
 	bzero(&random, sizeof(random));
 	bzero(&attack, sizeof(attack));
 
 	LibAliasSetAddress(la, masq);
-	LibAliasSetMode(la, PKT_ALIAS_DENY_INCOMING, PKT_ALIAS_DENY_INCOMING);
+	LibAliasSetMode(la, PKT_ALIAS_SAME_PORTS | PKT_ALIAS_DENY_INCOMING, ~0);
 
-	prv.s_addr &= htonl(0xffff0000);
+	prv1.s_addr &= htonl(0xffff0000);
 	ext.s_addr &= htonl(0xffff0000);
 
-	p = ip_packet(prv, ext, 0, 64);
+	for (i = 0; i < redir_size; i++) {
+		int aport = htons(rand_range(1000, 2000));
+		int sport = htons(rand_range(1000, 2000));
+
+		prv2.s_addr &= htonl(0xffff0000);
+		prv2.s_addr |= rand_range(0, 0xffff);
+		LibAliasRedirectPort(la, prv2, sport, ANY_ADDR, 0, masq, aport, IPPROTO_UDP);
+	}
+
+	p = ip_packet(0, 64);
 	u = set_udp(p, 0, 0);
 
 	if (NULL == (batch = calloc(batch_size, sizeof(*batch)))) {
 		perror("calloc(batch)");
 		return -1;
 	}
 
 	gettimeofday(&timeout, NULL);
 	timeout.tv_sec += max_seconds;
 
-	printf("RND SECND NAT RND ATT UNA\n");
+	printf("RND SECOND newNAT RANDOM ATTACK useNAT\n");
 	for (round = 0; ; round++) {
-		int i, res;
-		struct timeval now, start;
+		int res, cnt;
 
 		printf("%3d ", round+1);
 
 		gettimeofday(&start, NULL);
-		printf("%5.1f ", max_seconds - timevaldiff(timeout, start)/1000000.0f);
+		printf("%6.1f ", max_seconds - timevaldiff(timeout, start)/1000000.0f);
 		for (cnt = i = 0; i < batch_size; i++, cnt++) {
-			batch[i].src.s_addr = prv.s_addr | htonl(rand_range(0, 0xffff));
+			batch[i].src.s_addr = prv1.s_addr | htonl(rand_range(0, 0xffff));
 			batch[i].dst.s_addr = ext.s_addr | htonl(rand_range(0, 0xffff));
 			batch[i].sport = rand_range(1000, 60000);
 			batch[i].dport = rand_range(1000, 60000);
 
 			p->ip_src = batch[i].src;
 			p->ip_dst = batch[i].dst;
 			u = set_udp(p, batch[i].sport, batch[i].dport);
 
 			res = LibAliasOut(la, p, 64);
 			batch[i].aport = htons(u->uh_sport);
 
 			if (res == PKT_ALIAS_OK &&
 			    u->uh_dport == htons(batch[i].dport) &&
 			    addr_eq(p->ip_dst, batch[i].dst) &&
 			    addr_eq(p->ip_src, masq))
 				nat.ok++;
 			else
 				nat.fail++;
 
-			gettimeofday(&now, NULL);
-			if(timevalcmp(now, timeout, >=))
-				goto out;
+			check_timeout();
 		}
+		gettimeofday(&now, NULL);
 		if (cnt > 0)
-			printf("%3.0f ", timevaldiff(now, start) / cnt);
+			printf("%6.2f ", timevaldiff(now, start) / cnt);
+		else
+			printf("------ ");
 
 		start = now;
 		for (cnt = i = 0; i < random_size; i++, cnt++) {
 			p->ip_src.s_addr = ext.s_addr & htonl(0xfff00000);
 			p->ip_src.s_addr |= htonl(rand_range(0, 0xffff));
 			p->ip_dst = masq;
 			u = set_udp(p, rand_range(1, 0xffff), rand_range(1, 0xffff));
 
 			res = LibAliasIn(la, p, 64);
 
 			if (res == PKT_ALIAS_OK)
 				random.ok++;
 			else
 				random.fail++;
 
-			gettimeofday(&now, NULL);
-			if(timevalcmp(now, timeout, >=))
-				goto out;
+			check_timeout();
 		}
+		gettimeofday(&now, NULL);
 		if (cnt > 0)
-			printf("%3.0f ", timevaldiff(now, start) / cnt);
+			printf("%6.2f ", timevaldiff(now, start) / cnt);
+		else
+			printf("------ ");
 
 		start = now;
 		p->ip_src.s_addr = ext.s_addr & htonl(0xfff00000);
 		p->ip_src.s_addr |= htonl(rand_range(0, 0xffff));
 		p->ip_dst = masq;
 		u = set_udp(p, rand_range(1, 0xffff), rand_range(1, 0xffff));
-		for (cnt = i = 0; i < attack_length; i++, cnt++) {
+		for (cnt = i = 0; i < attack_size; i++, cnt++) {
 			res = LibAliasIn(la, p, 64);
 
 			if (res == PKT_ALIAS_OK)
 				attack.ok++;
 			else
 				attack.fail++;
 
-			gettimeofday(&now, NULL);
-			if(timevalcmp(now, timeout, >=))
-				goto out;
+			check_timeout();
 		}
+		gettimeofday(&now, NULL);
 		if (cnt > 0)
-			printf("%3.0f ", timevaldiff(now, start) / cnt);
+			printf("%6.2f ", timevaldiff(now, start) / cnt);
+		else
+			printf("------ ");
 
 		qsort(batch, batch_size, sizeof(*batch), randcmp);
 
 		gettimeofday(&start, NULL);
-		for (cnt = i = 0; i < batch_size; i++, cnt++) {
-			p->ip_src = batch[i].dst;
-			p->ip_dst = masq;
-			u = set_udp(p, batch[i].dport, batch[i].aport);
+		for (cnt = i = 0; i < batch_size; i++) {
+			int j;
 
-			res = LibAliasIn(la, p, 64);
-			batch[i].aport = htons(u->uh_sport);
+			/* random communication length */
+			for(j = rand_range(1, 150); j-- > 0; cnt++) {
+				int k;
 
-			if (res == PKT_ALIAS_OK &&
-			    u->uh_sport == htons(batch[i].dport) &&
-			    u->uh_dport == htons(batch[i].sport) &&
-			    addr_eq(p->ip_dst, batch[i].src) &&
-			    addr_eq(p->ip_src, batch[i].dst))
-				unnat.ok++;
-			else
-				unnat.fail++;
+				/* a random flow out of rolling window */
+				k = rand_range(i, i + 25);
+				if (k >= batch_size)
+					k = i;
+
+				/* 10% outgoing, 90% incoming */
+				if (rand_range(0, 100) > 10) {
+					p->ip_src = batch[k].dst;
+					p->ip_dst = masq;
+					u = set_udp(p, batch[k].dport, batch[k].aport);
 
-			gettimeofday(&now, NULL);
-			if(timevalcmp(now, timeout, >=))
-				goto out;
+					res = LibAliasIn(la, p, 64);
+					if (res == PKT_ALIAS_OK &&
+					    u->uh_sport == htons(batch[k].dport) &&
+					    u->uh_dport == htons(batch[k].sport) &&
+					    addr_eq(p->ip_dst, batch[k].src) &&
+					    addr_eq(p->ip_src, batch[k].dst))
+						unnat.ok++;
+					else
+						unnat.fail++;
+				} else {
+					p->ip_src = batch[k].src;
+					p->ip_dst = batch[k].dst;
+					u = set_udp(p, batch[k].sport, batch[k].dport);
+
+					res = LibAliasOut(la, p, 64);
+					if (res == PKT_ALIAS_OK &&
+					    u->uh_sport == htons(batch[k].aport) &&
+					    u->uh_dport == htons(batch[k].dport) &&
+					    addr_eq(p->ip_dst, batch[k].dst) &&
+					    addr_eq(p->ip_src, masq))
+						usenat.ok++;
+					else
+						usenat.fail++;
+				}
+				check_timeout();
+			}
 		}
+		gettimeofday(&now, NULL);
 		if (cnt > 0)
-			printf("%3.0f\n", timevaldiff(now, start) / cnt);
+			printf("%6.2f ", timevaldiff(now, start) / cnt);
+		else
+			printf("------ ");
+
+		printf("\n");
 	}
 out:
 	printf("\n\n");
 	free(batch);
 	free(p);
-	LibAliasUninit(la);
 
 	printf("Results\n");
-	printf("   Rounds  : %7u\n", round);
-	printf("   NAT ok  : %7lu\n", nat.ok);
-	printf("   NAT fail: %7lu\n", nat.fail);
-	printf(" UNNAT ok  : %7lu\n", unnat.ok);
-	printf(" UNNAT fail: %7lu\n", unnat.fail);
-	printf("RANDOM ok  : %7lu\n", random.ok);
-	printf("RANDOM fail: %7lu\n", random.fail);
-	printf("ATTACK ok  : %7lu\n", attack.ok);
-	printf("ATTACK fail: %7lu\n", attack.fail);
-	printf(" -------------------\n");
-	printf("      Total: %7lu\n",
-	       nat.ok + nat.fail + unnat.ok + unnat.fail +
-	       random.ok + random.fail + attack.ok + attack.fail);
+	printf("   Rounds  : %9u\n", round);
+	printf("newNAT ok  : %9lu\n", nat.ok);
+	printf("newNAT fail: %9lu\n", nat.fail);
+	printf("useNAT ok  : %9lu (out)\n", usenat.ok);
+	printf("useNAT fail: %9lu (out)\n", usenat.fail);
+	printf("useNAT ok  : %9lu (in)\n", unnat.ok);
+	printf("useNAT fail: %9lu (in)\n", unnat.fail);
+	printf("RANDOM ok  : %9lu\n", random.ok);
+	printf("RANDOM fail: %9lu\n", random.fail);
+	printf("ATTACK ok  : %9lu\n", attack.ok);
+	printf("ATTACK fail: %9lu\n", attack.fail);
+	printf("             ---------\n");
+	printf("      Total: %9lu\n",
+	       nat.ok + nat.fail +
+	       unnat.ok + unnat.fail +
+	       usenat.ok + usenat.fail +
+	       random.ok + random.fail +
+	       attack.ok + attack.fail);
+
+	gettimeofday(&start, NULL);
+	printf("\n  Cleanup  : ");
+	LibAliasUninit(la);
+	gettimeofday(&now, NULL);
+	printf("%.2fs\n", timevaldiff(now, start)/1000000l);
 	return (0);
 }
diff --git a/tests/sys/netinet/libalias/util.c b/tests/sys/netinet/libalias/util.c
index df2e320a4eba..681c3b20ee41 100644
--- a/tests/sys/netinet/libalias/util.c
+++ b/tests/sys/netinet/libalias/util.c
@@ -1,114 +1,122 @@
 /*
  * SPDX-License-Identifier: BSD-3-Clause
  *
  * Copyright 2021 Lutz Donnerhacke
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above
  *    copyright notice, this list of conditions and the following
  *    disclaimer in the documentation and/or other materials provided
  *    with the distribution.
  * 3. Neither the name of the copyright holder nor the names of its
  *    contributors may be used to endorse or promote products derived
  *    from this software without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
  * CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
  * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
  * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS
  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
  * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
  * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
  * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 #include <stdio.h>
 #include <stdlib.h>
 
 #include <netinet/in.h>
 
 #include "util.h"
 
+/* common ip ranges */
+struct in_addr masq = { htonl(0x01020304) };
+struct in_addr pub  = { htonl(0x0102dead) };
+struct in_addr prv1 = { htonl(0x0a00dead) };
+struct in_addr prv2 = { htonl(0xac10dead) };
+struct in_addr prv3 = { htonl(0xc0a8dead) };
+struct in_addr cgn  = { htonl(0x6440dead) };
+struct in_addr ext  = { htonl(0x12345678) };
+struct in_addr ANY_ADDR = { 0 };
+
 #define REQUIRE(x)	do {				\
 	if (!(x)) {					\
 		fprintf(stderr, "Failed in %s %s:%d.\n",\
 		    __FUNCTION__, __FILE__, __LINE__);	\
 		exit(-1);				\
 	}						\
 } while(0)
 
 int
 randcmp(const void *a, const void *b)
 {
 	int res, r = rand();
 
 	(void)a;
 	(void)b;
 	res = (r/4 < RAND_MAX/9) ? 1
 	    : (r/5 < RAND_MAX/9) ? 0
 	    : -1;
 	return (res);
 }
 
 void
 hexdump(void *p, size_t len)
 {
 	size_t i;
 	unsigned char *c = p;
 	
 	for (i = 0; i < len; i++) {
 		printf(" %02x", c[i]);
 		switch (i & 0xf) {
 		case 0xf: printf("\n"); break;
 		case 0x7: printf(" "); break;
 		default:  break;
 		}
 	}
 	if ((i & 0xf) != 0x0)
 		printf("\n");
 }
 
 struct ip *
-ip_packet(struct in_addr src, struct in_addr dst, u_char protocol, size_t len)
+ip_packet(u_char protocol, size_t len)
 {
 	struct ip * p;
 
 	REQUIRE(len >= 64 && len <= IP_MAXPACKET);
 
 	p = calloc(1, len);
 	REQUIRE(p != NULL);
 
 	p->ip_v = IPVERSION;
 	p->ip_hl = sizeof(*p)/4;
 	p->ip_len = htons(len);
 	p->ip_ttl = IPDEFTTL;
-	p->ip_src = src;
-	p->ip_dst = dst;
 	p->ip_p = protocol;
 	REQUIRE(p->ip_hl == 5);
 
 	return (p);
 }
 
 struct udphdr *
 set_udp(struct ip *p, u_short sport, u_short dport) {
 	uint32_t *up = (void *)p;
 	struct udphdr *u = (void *)&(up[p->ip_hl]);
 	int payload = ntohs(p->ip_len) - 4*p->ip_hl;
 
 	REQUIRE(payload >= (int)sizeof(*u));
 	p->ip_p = IPPROTO_UDP;
 	u->uh_sport = htons(sport);
 	u->uh_dport = htons(dport);
 	u->uh_ulen = htons(payload);
 	return (u);
 }
diff --git a/tests/sys/netinet/libalias/util.h b/tests/sys/netinet/libalias/util.h
index f441aea49cfb..81d71049b57f 100644
--- a/tests/sys/netinet/libalias/util.h
+++ b/tests/sys/netinet/libalias/util.h
@@ -1,62 +1,137 @@
 /*
  * SPDX-License-Identifier: BSD-3-Clause
  *
  * Copyright 2021 Lutz Donnerhacke
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  *
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above
  *    copyright notice, this list of conditions and the following
  *    disclaimer in the documentation and/or other materials provided
  *    with the distribution.
  * 3. Neither the name of the copyright holder nor the names of its
  *    contributors may be used to endorse or promote products derived
  *    from this software without specific prior written permission.
  *
  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
  * CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
  * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
  * DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS
  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
  * ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
  * TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF
  * THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  */
 #include <sys/types.h>
 
 #include <arpa/inet.h>
 #include <netinet/ip.h>
 #include <netinet/udp.h>
 
 #ifndef _UTIL_H
 #define _UTIL_H
 
+/* common ip ranges */
+extern struct in_addr masq, pub, prv1, prv2, prv3, cgn, ext, ANY_ADDR;
+
 int		randcmp(const void *a, const void *b);
 void		hexdump(void *p, size_t len);
-struct ip *	ip_packet(struct in_addr src, struct in_addr dst, u_char protocol, size_t len);
+struct ip *	ip_packet(u_char protocol, size_t len);
 struct udphdr * set_udp(struct ip *p, u_short sport, u_short dport);
 
 inline int
 addr_eq(struct in_addr a, struct in_addr b)
 {
 	return a.s_addr == b.s_addr;
 }
 
 #define a2h(a)	ntohl(a.s_addr)
 
 inline int
 rand_range(int min, int max)
 {
 	return min + rand()%(max - min);
 }
 
+#define NAT_CHECK(pip, src, dst, msq)	do {	\
+	int res;				\
+	int len = ntohs(pip->ip_len);		\
+	pip->ip_src = src;			\
+	pip->ip_dst = dst;			\
+	res = LibAliasOut(la, pip, len);	\
+	ATF_CHECK_MSG(res == PKT_ALIAS_OK,	\
+	    ">%d< not met PKT_ALIAS_OK", res);	\
+	ATF_CHECK(addr_eq(msq, pip->ip_src));	\
+	ATF_CHECK(addr_eq(dst, pip->ip_dst));	\
+} while(0)
+
+#define NAT_FAIL(pip, src, dst)	do {		\
+	int res;				\
+	int len = ntohs(pip->ip_len);		\
+	pip->ip_src = src;			\
+	pip->ip_dst = dst;			\
+	res = LibAliasOut(la, pip, len);	\
+	ATF_CHECK_MSG(res != PKT_ALIAS_OK),	\
+	    ">%d< not met !PKT_ALIAS_OK", res);	\
+	ATF_CHECK(addr_eq(src, pip->ip_src));	\
+	ATF_CHECK(addr_eq(dst, pip->ip_dst));	\
+} while(0)
+
+#define UNNAT_CHECK(pip, src, dst, rel)	do {	\
+	int res;				\
+	int len = ntohs(pip->ip_len);		\
+	pip->ip_src = src;			\
+	pip->ip_dst = dst;			\
+	res = LibAliasIn(la, pip, len);		\
+	ATF_CHECK_MSG(res == PKT_ALIAS_OK,	\
+	    ">%d< not met PKT_ALIAS_OK", res);	\
+	ATF_CHECK(addr_eq(src, pip->ip_src));	\
+	ATF_CHECK(addr_eq(rel, pip->ip_dst));	\
+} while(0)
+
+#define UNNAT_FAIL(pip, src, dst)	do {	\
+	int res;				\
+	int len = ntohs(pip->ip_len);		\
+	pip->ip_src = src;			\
+	pip->ip_dst = dst;			\
+	res = LibAliasIn(la, pip, len);		\
+	ATF_CHECK_MSG(res != PKT_ALIAS_OK,	\
+	    ">%d< not met !PKT_ALIAS_OK", res);	\
+	ATF_CHECK(addr_eq(src, pip->ip_src));	\
+	ATF_CHECK(addr_eq(dst, pip->ip_dst));	\
+} while(0)
+
+#define UDP_NAT_CHECK(p, u, si, sp, di, dp, mi)	do {	\
+	u = set_udp(p, (sp), (dp));			\
+	NAT_CHECK(p, (si), (di), (mi));			\
+	ATF_CHECK(u->uh_dport == htons(dp));		\
+} while(0)
+
+#define UDP_NAT_FAIL(p, u, si, sp, di, dp)	do {	\
+	u = set_udp(p, (sp), (dp));			\
+	NAT_FAIL(p, (si), (mi));			\
+} while(0)
+
+#define UDP_UNNAT_CHECK(p, u, si, sp, mi, mp, di, dp)	\
+do {							\
+	u = set_udp(p, (sp), (mp));			\
+	UNNAT_CHECK(p, (si), (mi), (di));		\
+	ATF_CHECK(u->uh_sport == htons(sp));		\
+	ATF_CHECK(u->uh_dport == htons(dp));		\
+} while(0)
+
+#define UDP_UNNAT_FAIL(p, u, si, sp, mi, mp)	do {	\
+	u = set_udp(p, (sp), (mp));			\
+	UNNAT_FAIL(p, (si), (mi));			\
+} while(0)
+
 #endif /* _UTIL_H */