Subject: 1.6 to 1.6.1rc2 broke ipf with vlans?
To: None <netbsd-users@netbsd.org>
From: John D Smerdon <jds@smerdon.livonia.mi.us>
List: netbsd-users
Date: 03/08/2003 11:06:27
I upgraded a system from 1.6 to 1.6.1RC2/i386 and ipf and ipnat
both broke.

I reduced the rules to the list below.  Here is an example of a
DNS query whose responses are blocked when running 1.6.1rc2.  When I
move the kernel back to 1.6 with 1.6.1rc2 userland, the dns query
works.

ipnat rdr also stopped redirecting.

The only odd thing that I am doing is having 8 vlan interfaces
on the one ethernet card in the system.

@1 block out log from any to any
@2 pass out log first quick on lo0 from any to any keep state
@3 pass out log first quick on ex0 from any to any keep state
@4 pass out log first quick on vlan1 proto udp from any to any keep state
@5 pass out log first quick on vlan1 from any to any
@6 pass out log first quick on vlan21 from any to any

@1 block in log from any to any
@2 pass in log first quick on lo0 from any to any keep state
@3 pass in log first quick on ex0 from any to any keep state
@5 pass in log first quick on vlan21 from any to any

$dig @155.53.1.253 netbsd.org ns

ipmon[144]: vlan1 @0:4 p 10.0.0.1,65285 -> 155.53.1.253,53 PR udp len 20 56 K-S OUT
ipmon[144]: vlan1 @0:1 b 155.53.1.253,53 -> 10.0.0.1,65285 PR udp len 20 291 IN
ipmon[144]: vlan1 @0:4 p 10.0.0.1,65285 -> 155.53.1.253,53 PR udp len 20 56 K-S OUT
ipmon[144]: vlan1 @0:1 b 155.53.1.253,53 -> 10.0.0.1,65285 PR udp len 20 291 IN


-- 
John D. Smerdon                      jds at smerdon.livonia.mi.us
Livonia, Michigan, US
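The ipmon lines above show the pattern that indicates the state table is not doing its job: rule @4 passes the outbound UDP query with keep state (K-S OUT), yet the reply with the reversed address/port pair is then dropped by the default block rule @1 instead of being matched by the state entry. The following script is an added example, not part of the post, that automates that check over an ipmon log: it parses the line format exactly as it appears above, records every outbound keep-state pass, and reports any blocked inbound packet whose 5-tuple is the reverse of a recorded state. The fifth log line is constructed to show a healthy exchange that is not flagged; the parser assumes the ipmon field layout shown in the post (interface, @group:rule, action, src,port -> dst,port, PR proto, len hlen plen, flags, direction).

```python
import re

# Constructed sample: the four ipmon lines from the post, plus one
# constructed outbound entry on ex0 whose reply is never logged as blocked.
SAMPLE_LOG = """\
ipmon[144]: vlan1 @0:4 p 10.0.0.1,65285 -> 155.53.1.253,53 PR udp len 20 56 K-S OUT
ipmon[144]: vlan1 @0:1 b 155.53.1.253,53 -> 10.0.0.1,65285 PR udp len 20 291 IN
ipmon[144]: vlan1 @0:4 p 10.0.0.1,65285 -> 155.53.1.253,53 PR udp len 20 56 K-S OUT
ipmon[144]: vlan1 @0:1 b 155.53.1.253,53 -> 10.0.0.1,65285 PR udp len 20 291 IN
ipmon[144]: ex0 @0:3 p 10.0.0.1,40001 -> 155.53.1.253,53 PR udp len 20 56 K-S OUT
"""

# Field layout assumed from the ipmon lines in the post; everything after
# the packet length (flags such as K-S and the IN/OUT direction) is captured
# as free tokens so lines without flags still parse.
LINE_RE = re.compile(
    r'ipmon\[\d+\]: (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>\S+) '
    r'(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) '
    r'PR (?P<proto>\w+) len (?P<hlen>\d+) (?P<plen>\d+)(?P<rest>.*)$'
)


def parse_line(line):
    """Parse one ipmon line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    tokens = entry.pop('rest').split()
    entry['direction'] = tokens[-1] if tokens else None
    entry['keep_state'] = 'K-S' in tokens          # state entry created
    for key in ('group', 'rule', 'sport', 'dport', 'hlen', 'plen'):
        entry[key] = int(entry[key])
    return entry


def find_state_failures(log_text):
    """Return the list of (iface, proto, src, sport, dst, dport) flows for
    which an outbound keep-state pass was followed by a blocked reply.

    A healthy keep-state rule should cause the reply to be matched by the
    state table; a blocked reply for a flow we have a state entry for means
    the state lookup did not fire (the symptom described in the post).
    """
    states = set()
    failures = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        flow = (e['iface'], e['proto'], e['src'], e['sport'], e['dst'], e['dport'])
        if e['direction'] == 'OUT' and e['action'] == 'p' and e['keep_state']:
            states.add(flow)
        elif e['direction'] == 'IN' and e['action'] == 'b':
            # The reply's 5-tuple is the outbound flow with ends swapped.
            reverse = (e['iface'], e['proto'], e['dst'], e['dport'], e['src'], e['sport'])
            if reverse in states and reverse not in failures:
                failures.append(reverse)
    return failures


if __name__ == '__main__':
    for iface, proto, src, sport, dst, dport in find_state_failures(SAMPLE_LOG):
        print(f"state not honoured on {iface}: {proto} {src},{sport} -> "
              f"{dst},{dport} (reply blocked)")
```

Run it against a real ipmon log (for example `ipmon -n -l /var/log/ipflog` output piped in, or the file contents passed to `find_state_failures`) after an upgrade or rule change: an empty result means every logged keep-state flow saw its reply pass, while a non-empty result isolates exactly which interface and flow the state table is failing on, which is the first thing to include in a bug report like the one above.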