route-to and reply-to equivalents in npf?

[Brian Buhrow <buhrow%nfbcal.org@localhost>]

	Hello.  I'm working on transitioning services at our shop from
NetBSD-5 to NetBSD-8.  As part of that effort, I'm working on figuring out
how to write configurations for npf(7) which are direct replacements for
our pf(4) configurations.  The process looks pretty straightforward, except
for one case which we use quite extensively.  In pf(4), one can use the
route-to and reply-to rules to explicitly route packets sourced from
certain interfaces to other interfaces.  We use this to allow us to use
public IP addresses from one ISP through a series of VPN'S, allowing us to
provide service through non-local networks.
As an example, here is a snippet from one of our working systems. (IP
addresses changed to protect the innocent)

In the below example, $dmz_if is one interface of this machine that routes
to a local subnet.  $vpn_if is the interface that runs through an IP
tunnel.  Any traffic from the $dmz_if should be routed through the $vpn_if
instead of using the standard routing table.  Any traffic originating from
the $vpn_if destined for the $dmz_if should be return-routed to the
$vpn_if.
	This works beautifully under pf(4) under NetbSD-4 and NetBSD-5.  How
can I replicate this behavior under NetBSD-8 with npf?
-thanks
-Brian



# Allow the back office to keep using foreign addresses (06/26/2017)
pass in quick on $dmz_if from $dmz_if:network to $dmz_if:network no state
#Pass internal network traffic through the VPN to expose it to the Internet
pass in quick on $dmz_if route-to { ($vpn_if 10.0.94.105) }  from $dmz_if:network to any keep state
pass out quick on $dmz_if from $dmz_if:network to $dmz_if:network no state
pass out quick on $dmz_if reply-to { ($vpn_if 10.0.94.105) } from any to $dmz_if:network keep state
block out quick on $dmz_if from any to any no state