Pretty sure pf applies translations immediately only if the rule is a
match rule.
Diff makes this clear in the man page.


diff --git share/man/man5/pf.conf.5 share/man/man5/pf.conf.5
index d76129deb47..7fa4bde1495 100644
--- share/man/man5/pf.conf.5
+++ share/man/man5/pf.conf.5
@@ -808,7 +808,9 @@ port of the packets associated with a stateful connection.
 modifies the specified address and/or port in the packet and recalculates
 IP, TCP, and UDP checksums as necessary.
 .Pp
-Subsequent rules will see packets as they look
+If specified on a
+.Ic match
+rule, subsequent rules will see packets as they look
 after any addresses and ports have been translated.
 These rules will therefore have to filter based on the translated
 address and port number.
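Review bot: The new condition "If specified on a .Ic match rule, subsequent rules will see packets as they look after ..." covers only the match case, so the page still does not say what subsequent rules see when the translation is specified on a rule that is not a match rule. That is the case a reader writing filter rules most needs spelled out, so consider adding one sentence for it directly after this one. The unchanged context line "These rules will therefore have to filter based on the translated address and port number" should be tightened too: with the condition added, "These rules" can still be read as applying to every rule that follows a translation rather than only to rules following a match rule.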
