pf: Avoid logging state creation failures unless requested

pd.act.log is applied unconditionally, but the intent in commit
886396f1b1a7 was to log only if the rule specifically requested it.
Thus, check the rule and associated NAT rule before setting
PF_LOG_FORCE.

For consistency with other handling of memory allocation failures, we
also want to log if state creation failed for that reason. Thus, modify
pf_create_state() to return the drop reason.

Extend the regression test added in commit 886396f1b1a7 to check that we
don't log anything if a state creation failure occurs for a rule without
logging configured.

Fixes: 886396f1b1a7 ("pf: Force logging if pf_create_state() fails")
Reviewed by: kp
MFC after: 2 weeks
Sponsored by: Klara, Inc.
Sponsored by: OPNsense
Differential Revision: https://reviews.freebsd.org/D49352