NetBSD-Bugs archive
kern/51224: NPF doesn't like IPs specified like 10.0.1.1/24
>Number: 51224
>Category: kern
>Synopsis: NPF doesn't like IPs specified like 10.0.1.1/24
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Jun 07 20:45:00 +0000 2016
>Originator: coypu
>Release: NetBSD-7.99.30
>Organization:
>Environment:
NetBSD net.Home 7.99.30 NetBSD 7.99.30 (GENERIC) #2: Tue Jun 7 04:32:16 IDT 2016 fly%net.Home@localhost:/usr/obj/sys/arch/amd64/compile/GENERIC amd64
>Description:
The following config is broken:
$ext_if = inet4(alc0)
$int_if = inet4(re0)
alg "icmp"
map $ext_if dynamic 10.0.1.0/24 -> $ext_if
map $ext_if dynamic 10.0.1.3 port 80 <- $ext_if port 80
map $ext_if dynamic 10.0.1.3 port 443 <- $ext_if port 443
### works ###
# $localnet = { 10.0.1.0/24 }
### doesn't work ###
$localnet = { 10.0.1.1/24 }
$services_tcp = { http, https }
$services_udp = { domain, ntp }
group "external" on $ext_if {
	pass stateful out final all
	pass stateful in final family inet4 proto tcp to $ext_if port smtp
	pass stateful in final family inet4 proto tcp to $ext_if port ssh
	pass stateful in final proto tcp to $ext_if port $services_tcp
	pass stateful in final proto udp to $ext_if port $services_udp
}
group "internal" on $int_if {
	block in all
	pass in final from $localnet
	pass out final all
}
group default {
	pass final on lo0 all
	block all
}
>How-To-Repeat:
>Fix:
Apply opposite mask at the right place.
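
Added example, not part of the original report and not NPF's own code: a minimal C sketch of the comparison the Fix line appears to refer to, assuming the failure comes from masking only the packet address while the rule address keeps its host bits. The function names and the sample host 10.0.1.7 are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Parse "a.b.c.d" or "a.b.c.d/len" into a host-order address and prefix
 * length (32 when omitted). Returns 0 on success, -1 on bad input. */
static int parse_cidr(const char *s, uint32_t *addr, unsigned *len)
{
    unsigned a, b, c, d, l = 32;
    int n = sscanf(s, "%u.%u.%u.%u/%u", &a, &b, &c, &d, &l);

    if (n < 4 || a > 255 || b > 255 || c > 255 || d > 255 || l > 32)
        return -1;
    *addr = ((uint32_t)a << 24) | (b << 16) | (c << 8) | d;
    *len = l;
    return 0;
}

/* Netmask for a prefix length; a 32-bit shift by 32 is undefined in C. */
static uint32_t prefix_mask(unsigned len)
{
    return len == 0 ? 0 : 0xffffffffu << (32 - len);
}

/* Match packet address `pkt` against `rule`. With normalize == 0 only the
 * packet side is masked (the assumed faulty behaviour); with normalize != 0
 * the rule address is masked as well. Returns 1, 0, or -1 on parse error. */
static int rule_matches(const char *rule, const char *pkt, int normalize)
{
    uint32_t r, p, m;
    unsigned rlen, plen;

    if (parse_cidr(rule, &r, &rlen) != 0 || parse_cidr(pkt, &p, &plen) != 0)
        return -1;
    m = prefix_mask(rlen);
    if (normalize)
        r &= m;
    return (p & m) == r;
}

int main(void)
{
    /* Constructed sample: one host on the LAN from the report's config. */
    const char *rules[] = { "10.0.1.0/24", "10.0.1.1/24" };

    for (int i = 0; i < 2; i++)
        printf("%-12s unmasked=%d masked=%d\n", rules[i],
            rule_matches(rules[i], "10.0.1.7", 0),
            rule_matches(rules[i], "10.0.1.7", 1));
    return 0;
}
```

With the rule address left unmasked, "pass in final from $localnet" would match no LAN host when $localnet is written as 10.0.1.1/24, so the preceding "block in all" decides every packet on the internal interface.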