NetBSD-Bugs archive
bin/59581: npfctl fails to list empty rule
>Number: 59581
>Category: bin
>Synopsis: npfctl fails to list rules
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Aug 09 09:30:01 +0000 2025
>Originator: Martin Husemann
>Release: NetBSD 11.0_BETA
>Organization:
The NetBSD Foundation, Inc.
>Environment:
System: NetBSD 11.0_BETA (GENERIC64) #0: Fri Aug 1 17:05:55 UTC 2025 mkrepro%mkrepro.NetBSD.org@localhost:/usr/src/sys/arch/evbarm/compile/GENERIC64 evbarm
Architecture: evbarm
Machine: aarch64
>Description:
I have a machine with /etc/npf identical (modulo the interface name)
to /usr/share/examples/blocklist/npf.conf and a /etc/blocklistd.conf
that is a shortened version of /usr/share/examples/blocklist/blocklistd.conf.
I guess no script kiddies yet have tried to hack this system (and I just rebooted
it anyway). /etc/rc.conf has npf=YES and blocklistd=YES.
Now I can look at npf state:
# npfctl list
# src-addr:port dst-addr:port interface nat-addr:port
#
and would try to get a list of the bad guys from the blocklistd rule:
# npfctl rule "blocklistd" list
(null):1:0: npfctl_print_filter: layer not supported near ''
#
I thought this might be due to no one being blocked yet, but it isn't. I tried
bogus ssh logins from another machine and the 3rd try was properly blocked.
So blocklistd and npf are working as expected, but npfctl fails to
list the rule.
When I do: npfctl rule blocklistd flush
the issue goes away:
# npfctl rule "blocklistd" list
#
but now blocklistd is not working any more; I can't get the same address blocked
again (maybe because the 6h timeout has not expired and this is a different
bug - or even to be expected).
>How-To-Repeat:
s/a
>Fix:
n/a