If an rdr (or nat) rule specifies 'pass' we don't run the filter rules, we just
pass the traffic. Or at least, we did until that got unintentionally broken.
Restore that behaviour and add a test case.
While here also fix nat:dummynet_mask, which relied on the broken behaviour.
MFC after: 3 days
Sponsored by: Rubicon Communications, LLC ("Netgate")