toast0 3 hours ago

> The key advantage of pf over iptables for this kind of use case is that rule evaluation is deterministic and the syntax stays readable enough to audit six months later without documentation archaeology.

Is iptables not deterministic? Don't the packets look at each rule in numerical order until something matches? If you have two rules with the same number, shame on you.

Re archaeology, OpenBSD changed the rules syntax for some reason and the other platforms with pf kept the existing syntax, so that's always a fun game to play.
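As an added illustration, not part of toast0's comment or the thread, here is a small model of the two evaluation orders being discussed: iptables-style first match in chain position order (including `-I` insert-at-position semantics, which is why two rules never share a number), beside pf's default behaviour where the last matching rule wins unless a matching rule is marked `quick`. The packet shape, the rule fields and the chain contents are constructed for the example.

```python
"""Toy model of ordered packet-filter rule evaluation (constructed example).

Two strategies are modelled:
  * first_match - iptables-style: walk the chain in order; the first matching
                  rule decides and later rules are never consulted.
  * last_match  - pf-style: every rule is consulted and the *last* match wins,
                  unless a matching rule is 'quick', which ends evaluation.
Packets and rules are reduced to (protocol, destination port) for clarity.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Packet = Tuple[str, int]  # (protocol, destination port)


@dataclass
class Rule:
    action: str                   # "accept" or "drop"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any port
    quick: bool = False           # pf-only: stop evaluating if this rule matches

    def matches(self, pkt: Packet) -> bool:
        proto, dport = pkt
        return self.proto in (None, proto) and self.dport in (None, dport)


def first_match(chain: List[Rule], pkt: Packet, policy: str = "drop") -> str:
    """iptables-style: rules are tried in chain order; the first match decides."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action
    return policy  # the chain policy applies only when nothing matched


def last_match(rules: List[Rule], pkt: Packet, default: str = "drop") -> str:
    """pf-style: the last matching rule wins unless a matching rule is quick."""
    verdict = default
    for rule in rules:
        if rule.matches(pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


def insert_rule(chain: List[Rule], rule: Rule, position: int = 1) -> List[Rule]:
    """Model `iptables -I CHAIN [rulenum]`: 1-based insert, default is the top.

    Positions are renumbered on every insert, so a chain never contains two
    rules with the same number; order is the only thing that decides precedence.
    """
    if position < 1 or position > len(chain) + 1:
        raise ValueError(f"rulenum {position} out of range for chain of {len(chain)}")
    new_chain = list(chain)
    new_chain.insert(position - 1, rule)
    return new_chain


def demo() -> Dict[str, str]:
    """Evaluate the same constructed packet under several orderings."""
    ssh = ("tcp", 22)
    drop_ssh = Rule("drop", proto="tcp", dport=22)
    accept_tcp = Rule("accept", proto="tcp")

    # iptables: drop rule first -> SSH dropped; append order reversed -> accepted.
    chain = insert_rule([], accept_tcp)          # chain: [accept_tcp]
    chain = insert_rule(chain, drop_ssh)         # -I at top: [drop_ssh, accept_tcp]
    appended = insert_rule([accept_tcp], drop_ssh, position=2)  # like -A: [accept_tcp, drop_ssh]

    # pf: same two rules listed drop-first, but last match wins unless quick.
    pf_rules = [drop_ssh, accept_tcp]
    pf_quick = [Rule("drop", proto="tcp", dport=22, quick=True), accept_tcp]

    return {
        "iptables_drop_first": first_match(chain, ssh),      # "drop"
        "iptables_drop_last": first_match(appended, ssh),    # "accept"
        "iptables_no_match": first_match(chain, ("udp", 53)),  # chain policy: "drop"
        "pf_last_match": last_match(pf_rules, ssh),          # "accept"
        "pf_quick": last_match(pf_quick, ssh),               # "drop"
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} -> {verdict}")
```

The point the model makes explicit: under either engine the verdict is a deterministic function of rule order and packet fields; what differs is which end of the ordering wins by default, so the same two rules written in the same order give opposite answers under iptables and under pf without `quick`.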