NetBSD-Users archive


NPF question



I've been using pf for a long time, and I'm trying to convert to npf.

During testing (netbsd-7 from nyftp this month, vm on VMWare Fusion), I found something that looks like a problem but I'm not sure. I'm using a very stripped down version of the soho example config file in /usr/share/examples/npf:

# $NetBSD: soho_gw-npf.conf,v 1.6 2014/02/08 01:32:19 rmind Exp $
#
# SOHO border
#
# This is a natting border gateway/webserver/mailserver/nameserver
# IPv4 only
#

$ext_if = "wm0"
$ext_v4 = inet4(wm0)
$ext_addrs = { inet4(wm0), inet6(wm0) }

$services_tcp = { http, https, smtp, domain, 6000, 9022 }
$services_udp = { domain, ntp, 6000 }
$localnet = { 192.168.224.0/24 }

procedure "log" {
    log: npflog0
}

group "external" on $ext_if {
    pass stateful out final all
    block in final from 0.0.0.0/0
    pass stateful in from any
}

group default {
    pass final on lo0 all
    block all
}

It's the line "block in final from 0.0.0.0/0" that seems to be the problem. I get this:

virtualnetbsd# /etc/rc.d/npf restart
Disabling NPF.
Enabling NPF.
npfctl: npfctl_config_send: Input/output error

If I change 0.0.0.0/0 to 192.168.224.0/24 or $localnet or some ip or network and restart npf it works as expected (it blocks me from trying to ssh in from the host if the rule matches, or not if the rule doesn't match).

Why is 0.0.0.0/0 invalid?

Andy
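As an added illustration (not part of Andy's post, and not a tool from NetBSD or NPF), the following Python script is a hypothetical pre-deployment lint for an npf.conf: it scans `pass`/`block` rules for an IPv4 address with a `/0` prefix, which is the form the post reports `npfctl` rejecting, and suggests the matching-everything forms (`all`, or `from any` when a `to` clause is present) that the post's working rules already use. Treating every `/0` prefix as suspect generalizes from the single `0.0.0.0/0` case in the post and is an assumption of this example; the sample configuration is constructed to mirror the post, not copied from the poster's file.

```python
import re
from typing import List, Tuple

# Constructed sample, modelled on the config in the post (not the poster's own file).
SAMPLE_CONF = """\
$ext_if = "wm0"
$localnet = { 192.168.224.0/24 }

group "external" on $ext_if {
    pass stateful out final all
    block in final from 0.0.0.0/0
    pass stateful in from any
}

group default {
    pass final on lo0 all
    block all
}
"""

# IPv4 address followed by a prefix length, e.g. 192.168.224.0/24 or 0.0.0.0/0.
CIDR_RE = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})\b')


def strip_comment(line: str) -> str:
    """Drop an npf.conf '#' comment so addresses in comments are not flagged."""
    return line.split('#', 1)[0]


def find_zero_prefix_rules(conf: str) -> List[Tuple[int, str, str]]:
    """Return (line number, rule text, offending address) for every
    pass/block rule that carries an IPv4 address with prefix length 0.
    Variable definitions ($name = ...) and group headers are skipped."""
    findings = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        rule = strip_comment(raw).strip()
        if not rule.startswith(('pass', 'block')):
            continue
        for m in CIDR_RE.finditer(rule):
            addr, plen = m.group(1), int(m.group(2))
            if plen == 0:
                findings.append((lineno, rule, f"{addr}/{plen}"))
    return findings


def suggest(rule: str) -> str:
    """Rewrite a 'from X/0' clause into the forms used by the post's working
    rules: 'all' when the rule has no 'to' clause, otherwise 'from any'."""
    replacement = ' from any' if re.search(r'\bto\b', rule) else ' all'
    return re.sub(r'\s+from\s+\S+/0\b', replacement, rule)


def lint(conf: str) -> List[str]:
    """Produce one human-readable message per finding."""
    messages = []
    for lineno, rule, addr in find_zero_prefix_rules(conf):
        messages.append(
            f"line {lineno}: '{rule}' uses {addr}; consider '{suggest(rule)}'")
    return messages


if __name__ == '__main__':
    for msg in lint(SAMPLE_CONF):
        print(msg)
```

Running the script against the constructed sample reports the `block in final from 0.0.0.0/0` line and proposes `block in final all`; a rule with an explicit `to` clause would instead be rewritten with `from any`. Wire `lint()` into whatever step generates npf.conf so the file is checked before `/etc/rc.d/npf restart` is attempted.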

