NetBSD-Users archive


tun(4) in npf.conf



Greetings!

I was using ipfilter on NetBSD-7 and it had overflow
problems, so I have changed it to NPF. NPF works like
a charm, but one thing does not work as intended.

The box has an internal (vlan27), an external (vlan1122), several
gif(4) and one OpenVPN tun0 interface
(192.168.28.70 -> 192.168.28.1).

npf.conf part:
map tun0 dynamic $acl_local -> inet4(tun0)

group "internal" on $int_if {
    pass stateful out final all
    pass stateful in final from $acl_local
    block return in final all apply "log"
}

group "vpn" on tun0 {
    pass stateful out final all
    block in final all apply "log"
}

For example, it can reach 192.168.28.1 by itself:
[root@almaz acme]$ telnet 192.168.28.1 22
..
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4

But those people from $acl_local cannot, always getting
"host unreachable":
[kab00m@typer ~]$ telnet 192.168.28.1 22
telnet: connect to address 192.168.28.1: No route to host

All packets are returned with ICMP unreachable.

Several notes:
1. gif(4) interfaces work well (without NAT).
2. No routed packets appear on the tun0 interface.
3. No routed packets appear on the tun0 interface with NAT
disabled either.
4. Routed packets appear on the tun0 interface with NPF
disabled, so this is definitely NPF-related.
5. No packets appear on the npflog0 interface at all.
6. Removing "return" from the block rule does not change anything,
and ICMP continues to be returned every time.

Each time I try telnet through this router to tun0,
the NPF statistics increase in these parameters:
+1 to Network buffers: non-contiguous cases
+1 to Network buffers: contig alloc failures
+2 to duplicate state race

Yesterday this setup was working on ipfilter (don't
take it as an attempt to prove IPF is better :)

-- 
Sincerely yours,
Dima Veselov
Physics R&D Establishment of Saint-Petersburg University

