NAT problems with ipftest

ipftest looks like a very useful piece of code but I've run into a couple
of problems:
1) The man page bears little resemblance to reality.
I've attached an updated page which better matches IPFilter 4.1.[23]
2) It won't work with the interface names I'm using.

To expand on the second point: I am building a system that will manage
access between a number of different IP subnets which are presented as
different VLANs on a single interface. For Solaris, this means that I
have interface names like 'ce91000' and 'ce162000'.

My problem is that ipftest is using the get_rule() code in ip_fil.c
which treats "ce91000" and type="ce", number=91000. This would be OK
except that the number is stored in a [unsigned?] short and the
matching code converts the (type,number) pair back to a string for
comparison with the interface name. The result is that "ce25464" is
not the same as "ce91000".

Note that this problem exists with ipftest on both Solaris and FreeBSD
(the two OSs I've tried). That actual ipnat code on Solaris uses a
different get_rule() implementation but as far as I can tell, it
suffers from the same problem (at least NAT doesn't work).

The only references to problems with VLANs I can find on the mailing
list are more than two years old, refer to IPFilter 3.4 and are
supposedly fixed. Is this a regression in 4.x? Has anyone else
bumped into this?

I have used IPFilter on FreeBSD quite successfully and expected that it
would "just work" on Solaris as well.
--
Peter Jeremy