My first mail on this topic was 26 Oct 2012 on tech-net@
I then did send a more complete example 21 Aug 2018, as a followup to a
mail from you on developers@ (you were in Cc).
I dind't get any follow up.

Here is what was in my 2018 mail (note that my example from 2012 was a
multihomed host, not a Xen dom0, but both use ruleset groups to
filter first on source, then on destination).
One thing I didn't mention in my previous emails is that, for the Xen
example, npf should accept to load rules with nonexistent interfaces
(the interfaces are created later).
Another thing not mentionned here is that in some corner cases I had
to use nested groups

Basically my ipf.conf looks like below. The kernel is configured with
BRIDGE_IPF on Xen dom0. This is a simple example. On real-life hosts
I have 51 vlans and more than 10 guests.
Note that I use interface names that are not present (or not always present)
in the system when the ipf.conf is first read. The Xen scripts patches it,
and do a /etc/rc.d/ipfilter reload

#the name below is patched with xvifXiY by Xen scripts
guest1i0=none1i0
guest1i1=none1i1

# block everything by default
block in log all

# 127.0.0.0/8 only on lo0
block in log level err quick from 127.0.0.0/8 to any head 10
pass in on lo0 from any to any group 10

block in log quick from any to 127.0.0.0/8 head 20
pass in quick on lo0 from any to any group 20

# check that a source IP comes in on the right interface
block in log quick from 10.0.0.0/24 to any head 100
pass in on vlan0 from any to any group 100
pass in on $guest1i0 from 10.0.0.10 to any group 100

block in log quick from 10.0.1.0/24 to any head 101
pass in on vlan1 from any to any group 101
pass in on $guest1i1 from 10.0.1.10 to any group 101

# there may be more checks on source, like public IP coming in only on
# the public interface

# now we're sure the source is on the correct interface. Check destination
# I have a single group below, but on real use cases, there will be one by
# host class/role
block in log quick from 10.0.0.1 to any head 1000
block in log quick from 10.0.1.1 to any head 1000
block in log quick from 10.0.0.10 to any head 1000
block in log quick from 10.0.1.10 to any head 1000
pass in log quick proto tcp from myworkstartion to any port = 22 flags S/SA group 1000
pass in log quick proto tcp from myworkstartion to any port = 443 flags S/SA group 1000
pass in log quick proto tcp from 10.0.0.0/16 to any port = 25 flags S/SA group 1000
block return-rst in log quick proto tcp from any to any group 1000
pass in quick proto icmp from any to any group 1000

I have this same problem with npf and tun interfaces.

My tun interfaces are generally not created until a particular process
starts and creates them with an open() call on /dev/tunN.

npf was not happy with the non-existent interfaces being referenced
in the ruleset.

I was able to work around the problem by creating a 'ifconfig.tun0', etc,
in rc.conf, with only an 'up' action in it, which causes the interface
to be created (by /etc/rc.d/network).


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

With Xen dom0 there's no way to work around this. The interfaces are numbered
by domain id, and this can becore arbitrary high: if you destroy/create a vm
(just rebooting the vm is enough) you get a new domain id each time.
You don't know how high it will get after months of uptime.
On one system of mine, the domain id is at 270 ...