For the first time I tried accessing the coda file system over a Linux
  IP masqueraded link and found that only files below some size (not
  exactly known, something more than 2000 bytes, I think) would be

I'm surprised it worked that well.  I suspect that the basic rpc2 is
working through masquerading, and that the side effects are not.  I'd
suggest hacking the masquerading to make it also masq the -se ports
merely from having seen the forward traffic on the regular rpc2 ports.
(Run tcpdump on a venus with a real address to figure things out.)

I've had the same problem using a firewall (but with real addresses on
the inside).  Since I didn't control the firewall, I haven't been able
to work around it, but the above is what I'd do - add a slightly
bigger stateful reverse entry matching the 'outgoing' traffic.  Coda
has a more complicated definition of session than most protocols.

I suspect that the limit is that if the reply (rpc2 ack from read,
plus data) fits in 2900 bytes, it works - that's the size the rpc2 lib
uses by default for a single IP packet, which then gets fragged.

I don't know if the server sends side-effects to an offset from where
the client came from, or to the fixed value.  If the latter,
masquerading multiple clients behind a single NAT box might work.

        Greg Troxel <gdt_at_ir.bbn.com>