
I'm not familiar with the pf "tag", and I gtg so I don't have time to read more, but it seems very similar to "mark"[1]. It essentially lets you mark a packet with a tag (if memory serves it's a 32 bitmap you can do whatever bitwise/assignment operations to). I used it in the beginning, but then I managed to find cleaner ways to do what I was doing.

For me nftables changed the game for Linux firewalls. From the almost incomprehensible mess that was iptables we now have a clean language that lets me be quite DRY, and is easy to work with.

1: https://wiki.nftables.org/wiki-nftables/index.php/Setting_pa...



nftables "mark" would behave like pf "tag" if you can filter a packet further downstream based on the value of the mark. (It looks like the mark functionality is also present in iptables.)

If people are using marks for policy-based firewalls a la tag in pf, it doesn't look like a particularly common practice, based on a quick Google search. Anyway, it's a start. Thanks for the pointer.


There's a page somewhere on the nftables wiki that shows all the operations you can do, but you essentially can bitmask and compare, or just compare and do something based on the result of that conditional, so I guess exactly what you want.
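As an added illustration of the mark-as-tag pattern discussed above (this is an example written for this thread, not a ruleset posted by any commenter), the ruleset below sets bits in the packet mark in an early chain and then makes forwarding decisions purely on those bits, the way pf policy is built on `tag`/`tagged`. Interface names, addresses and mark bit values are assumed.

```nft
#!/usr/sbin/nft -f
# Example only: nftables "mark" used like pf "tag". Interfaces, addresses
# and bit assignments are assumed for the sake of the illustration.

flush ruleset

table inet filter {
    # Classification stage: set bits in the 32-bit packet mark.
    chain classify {
        type filter hook prerouting priority -150; policy accept;

        # Bit 0: packet arrived from the management network (assumed 10.0.10.0/24)
        iifname "eth0" ip saddr 10.0.10.0/24 meta mark set meta mark | 0x1

        # Bit 1: packet arrived on the guest VLAN interface (assumed name)
        iifname "vlan20" meta mark set meta mark | 0x2

        # Bit 4: packet belongs to a flow conntrack already knows about
        ct state established,related meta mark set meta mark | 0x10
    }

    # Policy stage: decide on the mark bits only, like "tagged" in pf.
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Known flows pass regardless of which origin bit is set.
        meta mark & 0x10 == 0x10 accept

        # Management-tagged packets may reach the admin host (assumed 10.0.20.5) over SSH.
        meta mark & 0x1 == 0x1 ip daddr 10.0.20.5 tcp dport 22 accept

        # Guest-tagged packets must never reach internal space; log the attempt.
        meta mark & 0x2 == 0x2 ip daddr 10.0.0.0/8 log prefix "guest-to-internal " drop

        # Guest-tagged packets may otherwise leave via the upstream interface.
        meta mark & 0x2 == 0x2 oifname "eth1" accept
    }
}
```

Load it with `nft -f <file>` and inspect the result with `nft list ruleset`; because the policy chain never looks at interfaces or source addresses directly, changing how a packet gets classified only touches the first chain.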


> ... the almost incomprehensible mess that was iptables ...

You apparently never had to deal with ipchains or ipfwadm. iptables was a huge upgrade!


And I'm grateful for that. :)



