please try npf, if you have a reason not to use npf please document it. it's purely for cultural reasons that the other two still exist in netbsd.
I switched back from npf to ipfilter because npf doesn't properly rewrite ipip (gif, gre):
http://mail-index.netbsd.org/tech-net/2017/06/19/msg006373.html John