tech-net archive
Trying to understand stateful npf
I'm trying to configure a ruleset to filter traffic bound for the outside
world and also allow an incoming port map. The ruleset can be seen below.
I would expect that the "pass stateful out" on the internal interface
would have allowed the packets back in past the "block in all" from
10.10.0.2 when replying. However, it does not. Perhaps it is because the
state is calculated prior to the inbound translation (of course, as npf is
missing basic tools along the lines of ipfstat to look at state, it is
difficult to analyse).
The only way to get it to work is to explicitly allow in the return
traffic:
- pass stateful out final all
+ pass out final all
pass in final from $trusted_xennet0 to $internalips
+ pass in final proto tcp from 10.10.0.2 port 3389 to any
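Review bot: the added "pass in final proto tcp from 10.10.0.2 port 3389 to any" is stateless and admits any TCP segment arriving on xennet0 with source 10.10.0.2:3389 to any destination, not only replies to the forwarded session, so a LAN host (or anything spoofing 10.10.0.2) can reach arbitrary destinations by using source port 3389; at the same time, turning "pass stateful out final all" into "pass out final all" drops state tracking for every other outbound flow on xennet0, not just the port-forward case. Consider narrowing the new rule to the destinations the forward actually serves (for example "to !$trusted_xennet0") and keeping the stateful out rule for the remaining traffic, so the hole is limited to the translated RDP replies.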
Original ruleset:

$ext_if = "xennet1"
$ext_addrs = { inet4(xennet1) }
$trusted = 10.10.0.0/16
$internalips = 10.10.0.1

alg "icmp"

# outbound NAT: LAN -> external address
map xennet1 dynamic 10.10.0.0/16 -> $ext_addrs
# inbound port forward: external address port 3389 -> 10.10.0.2 port 3389
map xennet1 dynamic 10.10.0.2 port 3389 <- $ext_addrs port 3389

group "external" on $ext_if {
    pass out final proto icmp all
    pass in final proto icmp all
    # paranoid mode out to outside
    pass stateful out final all
    # Passive FTP
    pass stateful in final proto tcp to $ext_addrs port 49151-65535
    # Traceroute
    pass stateful in final proto udp to $ext_addrs port 33434-33600
    # forwarded RDP (translated by the map rule above)
    pass in final proto tcp from any to $ext_addrs port 3389
}

$int_xennet0_addrs = { inet4(xennet0) }   # defined but not referenced below
$trusted_xennet0 = 10.10.0.0/16

group "internal xennet0" on "xennet0" {
    block in all
    pass out final proto icmp all
    pass in final proto icmp all
    pass stateful out final all
    pass in final from $trusted_xennet0 to $internalips
}

group default {
    pass final on lo0 all
    block all
}
--
Stephen
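An added example, not part of the original post: a small POSIX shell script that pulls the inbound port forwards out of an npf.conf modelled on the ruleset above, prints the explicit "pass in" reply rule the post ended up needing for each one, and, where npfctl(8) is installed, validates the file and dumps the active connection (state) table. The sample configuration it writes is constructed for the example; it is assumed that the installed npfctl supports the "validate" and "list" subcommands (NetBSD 8 and later), and the live inspection step is skipped when npfctl is absent.

```shell
#!/bin/sh
# Added example (not from the original post). Parses the "map ... <-" lines
# of an npf.conf, derives the stateless reply rules, and inspects NPF state.
# ASSUMPTION: npfctl(8) supports "validate" and "list" (NetBSD 8+); on hosts
# without NPF the inspection step is skipped.

set -eu

# Constructed sample ruleset, modelled on the post (only the lines the
# parser cares about are included, plus a second forward for illustration).
write_sample_conf() {
    cat > "$1" <<'EOF'
$ext_if = "xennet1"
$ext_addrs = { inet4(xennet1) }
map xennet1 dynamic 10.10.0.0/16 -> $ext_addrs
map xennet1 dynamic 10.10.0.2 port 3389 <- $ext_addrs port 3389
map xennet1 dynamic 10.10.0.3 port 22 <- $ext_addrs port 2222
EOF
}

# Print one "iface internal_host internal_port external_port" line per
# inbound ("<-") map rule; outbound ("->") NAT rules are ignored.
list_port_forwards() {
    awk '$1 == "map" && $0 ~ /<-/ {
        # fields: map IF dynamic HOST port P <- EXT port Q
        print $2, $4, $6, $NF
    }' "$1"
}

# For each forward, print the explicit "pass in" rule on the internal side
# that allows the translated host's replies past "block in all" (the
# workaround the post arrived at; narrow "to any" before deploying it).
reply_rules() {
    list_port_forwards "$1" | while read -r _iface host port _ext; do
        printf 'pass in final proto tcp from %s port %s to any\n' "$host" "$port"
    done
}

# Validate the ruleset and show live state when npfctl is available.
inspect_npf() {
    if ! command -v npfctl >/dev/null 2>&1; then
        echo "npfctl not found; skipping live inspection" >&2
        return 0
    fi
    npfctl validate "$1"   # syntax/semantic check without loading
    npfctl list            # active connections, i.e. the state table
    npfctl stats           # per-rule and NAT counters
}

main() {
    conf=$(mktemp)
    write_sample_conf "$conf"
    echo "inbound port forwards (iface host port extport):"
    list_port_forwards "$conf"
    echo "reply rules needed on the internal interface:"
    reply_rules "$conf"
    inspect_npf "$conf"
    rm -f "$conf"
}

main
```

Run it as is to see the parsed forwards; point inspect_npf at /etc/npf.conf on the firewall itself to check whether an entry for the 10.10.0.2:3389 session ever appears in "npfctl list" after a client connects, which is the quickest way to tell whether the stateful out rule created state at all.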