> Is this a bug, or is it working as designed? For some reason, I assumed there to be per-interface state tables and hence consideration of the vr0 rules (i.e. I assumed a 'keep state' on a vr1 rule would only skip looking at the vr1 rules for future matching packets).

It's by design. There's only one state table.
FYI: from NetBSD's NPF `man 5 npf.conf':

| Stateful packet inspection is enabled using `stateful' or
| `stateful-ends' keywords. The former creates a state which is
| uniquely identified by a 5-tuple (source and destination IP
| addresses, port numbers and an interface identifier). The latter
| excludes the interface identifier and must be used with precaution.

-- Gergely EGERVARY
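To make the difference concrete, here is an added toy model (not code from the thread or from pf/NPF) of a single state table whose lookup key either includes the creating interface, as NPF's `stateful' does, or omits it, as `stateful-ends' and a floating pf state do. The addresses and interface names are constructed; real state entries carry far more than this key.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Constructed 4-tuple of a packet; the interface is added to the key separately."""
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        return Flow(self.dst, self.dport, self.src, self.sport)


class StateTable:
    """One global state table. With bind_to_interface=True the key carries the
    interface the state was created on (NPF 'stateful'); with False it does not
    (NPF 'stateful-ends', or a floating pf state)."""

    def __init__(self, bind_to_interface):
        self.bind_to_interface = bind_to_interface
        self.entries = set()

    def _key(self, flow, ifname):
        return (flow, ifname if self.bind_to_interface else None)

    def create(self, flow, ifname):
        # A 'keep state' rule installs both directions of the flow.
        self.entries.add(self._key(flow, ifname))
        self.entries.add(self._key(flow.reverse(), ifname))

    def matches(self, flow, ifname):
        return self._key(flow, ifname) in self.entries


def reply_on_vr0_skips_vr0_rules(bind_to_interface):
    """True when a reply arriving on vr0 is accepted by state that a rule on
    vr1 created, so the vr0 ruleset is never consulted for it."""
    table = StateTable(bind_to_interface)
    outbound = Flow("10.0.0.5", 40000, "192.0.2.10", 443)  # constructed sample flow
    table.create(outbound, "vr1")
    return table.matches(outbound.reverse(), "vr0")


if __name__ == "__main__":
    print("interface-less key, vr0 rules skipped:", reply_on_vr0_skips_vr0_rules(False))
    print("interface-bound key, vr0 rules skipped:", reply_on_vr0_skips_vr0_rules(True))
```

With the interface omitted from the key, the state from vr1 answers for the packet on vr0, which is the behaviour the question above observed; binding the key to the interface forces the vr0 rules to be evaluated.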