thanks.

Right now I use ipf on a router, with groups made like that:
A set of groups for each vlan, which just checks that source IP comes
from the expected interface (anti-spoofing rules):

block in log level err quick from network_of_vlan_xxx/24 to any head 1xxx
pass in on vlanxxx from any to any group 1xxx
(repeat for each vlan)

Then rules are grouped by destination IP (a group can cover more
than one vlan). This is where the real filtering occurs, i.e. where
we allow/deny access to a specific port on a group of hosts (eventually based
on source address, e.g. for internal-only services):
block return-icmp in log quick from any to (list of IPs or networks/netmasks) head 2yyy
(and some 'pass in quick ... group 2yyy wich allows some packets to
get in).

Finally, if a packet is not for one of our internal IPs, some filtering
is applied to prevent some type of pakets from leaving our network.
Eventually we use groups in groups. We only use 'in' rules, the only 'out'
rule is pass ou all (in other words, filtering is applied when a packet
enters the router, not when it leaves the router).

If I understood it properly, in npf a group can only be defined based on
incoming interface, do you plan to expand this by match of arbitrary rules ?

Is there a way to explicitely allow, in a group, to leave this group a
process the remaning groups ?