author | Jonathan Gray <jsg@cvs.openbsd.org> | 2009-09-23 14:08:34 +0000 |
---|---|---|
committer | Jonathan Gray <jsg@cvs.openbsd.org> | 2009-09-23 14:08:34 +0000 |
commit | 5d07592ce628b8c13e084808405432d2114b5172 (patch) | |
tree | 85ce50917c217311e779e0a4c20d116cc44027e7 | |
parent | a8c77258564e5227b137bb92337958c00b19d10a (diff) |
More tweaks to try to catch up to recent pf changes.
pfopt5 part from sthen@
ok henning@ sthen@
31 files changed, 234 insertions, 234 deletions
diff --git a/regress/sbin/pfctl/pf13.in b/regress/sbin/pfctl/pf13.in index 4b7fd5c6bdd..bfed24e11bb 100644 --- a/regress/sbin/pfctl/pf13.in +++ b/regress/sbin/pfctl/pf13.in 
@@ -1,22 +1,22 @@ -pass in quick on enc0 fastroute all -pass in quick on enc0 fastroute inet all -pass in quick on enc0 fastroute inet6 all +pass in quick on enc0 from any to any fastroute +pass in quick on enc0 inet from any to any fastroute +pass in quick on enc0 inet6 from any to any fastroute -pass out quick on tun1000000 route-to tun1000001 inet all -pass out quick on tun1000000 route-to tun1000001 from any to 192.168.1.1 -pass out quick on tun1000000 route-to tun1000001 from any to fec0::1 +pass out quick on tun1000000 inet from any to any route-to tun1000001 +pass out quick on tun1000000 from any to 192.168.1.1 route-to tun1000001 +pass out quick on tun1000000 from any to fec0::1 route-to tun1000001 -block in on tun1000000 dup-to (tun1000001 192.168.1.1) proto tcp from any to any port = 21 -block in on tun1000000 dup-to (tun1000001 fec0::1) proto tcp from any to any port = 21 +block in on tun1000000 proto tcp from any to any port = 21 dup-to (tun1000001 192.168.1.1) +block in on tun1000000 proto tcp from any to any port = 21 dup-to (tun1000001 fec0::1) -pass in quick on tun1000000 route-to tun1000001 from 192.168.1.1/32 to 10.1.1.1/32 -pass in quick on tun1000000 route-to tun1000001 from fec0::1/64 to fec1::2/128 +pass in quick on tun1000000 from 192.168.1.1/32 to 10.1.1.1/32 route-to tun1000001 +pass in quick on tun1000000 from fec0::1/64 to fec1::2/128 route-to tun1000001 -block in on tun1000000 reply-to (tun1000001 192.168.1.1) proto tcp from any to any port = 21 -block in on tun1000000 reply-to (tun1000001 fec0::1) proto tcp from any to any port = 21 +block in on tun1000000 proto tcp from any to any port = 21 reply-to (tun1000001 192.168.1.1) +block in on tun1000000 proto tcp from any to any port = 21 reply-to (tun1000001 fec0::1) -pass in quick on tun1000000 reply-to tun1000001 from 192.168.1.1/32 to 10.1.1.1/32 -pass in quick on tun1000000 reply-to tun1000001 from fec0::1/64 to fec1::2/128 +pass in quick on tun1000000 from 192.168.1.1/32 to 10.1.1.1/32 
reply-to tun1000001 +pass in quick on tun1000000 from fec0::1/64 to fec1::2/128 reply-to tun1000001 -pass in quick on tun1000000 dup-to (tun1000001 192.168.1.100) from 192.168.1.1/32 to 10.1.1.1/32 -pass in quick on tun1000000 dup-to (tun1000001 fec1::2) from fec0::1/64 to fec1::2/128 +pass in quick on tun1000000 from 192.168.1.1/32 to 10.1.1.1/32 dup-to (tun1000001 192.168.1.100) +pass in quick on tun1000000 from fec0::1/64 to fec1::2/128 dup-to (tun1000001 fec1::2) diff --git a/regress/sbin/pfctl/pf16.in b/regress/sbin/pfctl/pf16.in index 2144562d761..43662f0afac 100644 --- a/regress/sbin/pfctl/pf16.in +++ b/regress/sbin/pfctl/pf16.in @@ -1,5 +1,5 @@ # Test rule order processing: should fail unless nat -> filter match out on lo0 from 192.168.1.1 to any nat-to 10.0.0.1 match in on lo0 proto tcp from any to 1.2.3.4/32 port 2222 rdr-to 10.0.0.10 port 22 -binat on lo0 from 192.168.1.1 to any -> 10.0.0.1 -pass in on lo1000000 all no state +match on lo0 from 192.168.1.1 to any binat-to 10.0.0.1 +pass in on lo1000000 from any to any no state diff --git a/regress/sbin/pfctl/pf16.ok b/regress/sbin/pfctl/pf16.ok index 87bdd677662..d65374a1647 100644 --- a/regress/sbin/pfctl/pf16.ok +++ b/regress/sbin/pfctl/pf16.ok @@ -1,4 +1,5 @@ -nat on lo0 inet from 192.168.1.1 to any -> 10.0.0.1 -rdr on lo0 inet proto tcp from any to 1.2.3.4 port = 2222 -> 10.0.0.10 port 22 -binat on lo0 inet from 192.168.1.1 to any -> 10.0.0.1 +match out on lo0 inet from 192.168.1.1 to any nat-to 10.0.0.1 +match in on lo0 inet proto tcp from any to 1.2.3.4 port = 2222 rdr-to 10.0.0.10 port 22 +match out on lo0 inet from 192.168.1.1 to any nat-to 10.0.0.1 static-port +match in on lo0 inet from any to 10.0.0.1 rdr-to 192.168.1.1 pass in on lo1000000 all no state diff --git a/regress/sbin/pfctl/pf17.in b/regress/sbin/pfctl/pf17.in index b725c17c7a6..37b973d7993 100644 --- a/regress/sbin/pfctl/pf17.in +++ b/regress/sbin/pfctl/pf17.in 
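Review bot: The context comment at the top of pf16.in, `# Test rule order processing: should fail unless nat -> filter`, appears stale once the last `binat` line becomes `match on lo0 ... binat-to 10.0.0.1`. Every rule in the file is now an ordinary `match` or `pass` rule, and the `.loaded` files elsewhere in this commit number the former nat and rdr rules in one sequence, so there seems to be no separate translation section left whose position could be wrong. If the ordering constraint went away with the grammar change, reword the comment, for example `# nat-to/rdr-to/binat-to on match rules followed by a pass rule`. If some ordering is still enforced, the test should keep one input that violates it so the failure path stays covered.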
@@ -1,53 +1,52 @@ # test binat -no binat on lo0 from 192.168.1.1 to 10.1.2.3 -binat on lo0 from 192.168.1.1 to any -> 10.0.0.1 -binat on lo0 proto tcp from 192.168.1.2 to any -> 10.0.0.2 -binat on lo0 proto udp from 192.168.1.3 to any -> 10.0.0.3 -binat on lo0 proto icmp from 192.168.1.4 to any -> 10.0.0.4 - -binat on lo0 from 192.168.1.5 to 172.16.1.1 -> 10.0.0.5 -binat on lo0 from 192.168.1.6 to 172.16.1.2/32 -> 10.0.0.6 -binat on lo0 from 192.168.1.7 to 172.16.2.0/24 -> 10.0.0.7 - -binat on lo0 from 192.168.2.0/24 to any -> 10.0.5.0/24 -binat on lo0 from 192.168.2.0/28 to any -> 10.0.4.0/28 -binat on lo0 from 192.168.2.0/30 to 192.168.3.1 -> 10.0.3.0/30 - -binat on lo0 from 192.168.1.8 to ! 172.17.0.0/16 -> 10.0.0.8 - -binat on lo0 from 1.1.1.1 to no-route -> 2.2.2.2 -binat on lo0 from (lo0:0) to 1.1.1.1 -> 2.2.2.2 -binat on lo0 from (lo0:0) to 1.1.1.1 -> (lo1000000:0) -binat on lo0 inet from (lo0:0) to (lo1000000:0) -> (lo1000000:0) -binat on lo0 from 1.1.1.1 to <sometable> -> 2.2.2.2 -binat on lo0 from 1.1.1.1 to !<sometable> -> 2.2.2.2 -binat on lo0 from 1.1.1.1 to (lo1000000:0) -> 2.2.2.2 -binat on lo0 from 1.1.1.1 to !(lo1000000:0) -> 2.2.2.2 -binat on lo0 from (lo0:0) to <sometable> -> 2.2.2.2 - -binat on lo0 from ::1 to no-route -> ::2 -binat on lo0 from (lo0:0) to ::1 -> ::2 -binat on lo0 from (lo0:0) to ::1 -> (lo1000000:0) -binat on lo0 inet6 from (lo0:0) to (lo1000000:0) -> (lo1000000:0) -binat on lo0 from ::1 to <sometable> -> ::2 -binat on lo0 from ::1 to !<sometable> -> ::2 -binat on lo0 from ::1 to (lo1000000:0) -> ::2 -binat on lo0 from ::1 to !(lo1000000:0) -> ::2 -binat on lo0 from (lo0:0) to <sometable> -> ::2 - -binat on lo0 from ::1 to (lo0) -> ::1 -binat on lo0 from ::1 to (lo0:0) -> ::1 -binat on lo0 from ::1 to (lo0:peer) -> ::1 -binat on lo0 from ::1 to (lo0:peer:0) -> ::1 -binat on lo0 from ::1 to (lo0:broadcast) -> ::1 -binat on lo0 from ::1 to (lo0:broadcast:0) -> ::1 -binat on lo0 from ::1 to (lo0:network) -> ::1 -binat on lo0 from 
::1 to (lo0:network:0) -> ::1 -binat on lo0 from ::1 to (lo0)/100 -> ::2 -binat on lo0 from ::1 to (lo0:0)/100 -> ::2 -binat on lo0 from ::1 to (lo0:peer)/100 -> ::2 -binat on lo0 from ::1 to (lo0:peer:0)/100 -> ::2 - -binat on lo from (lo0:0) to ::1 -> ::2 -binat on tun from (lo0:0) to ::1 -> ::2 +match on lo0 from 192.168.1.1 to any binat-to 10.0.0.1 +match on lo0 proto tcp from 192.168.1.2 to any binat-to 10.0.0.2 +match on lo0 proto udp from 192.168.1.3 to any binat-to 10.0.0.3 +match on lo0 proto icmp from 192.168.1.4 to any binat-to 10.0.0.4 + +match on lo0 from 192.168.1.5 to 172.16.1.1 binat-to 10.0.0.5 +match on lo0 from 192.168.1.6 to 172.16.1.2/32 binat-to 10.0.0.6 +match on lo0 from 192.168.1.7 to 172.16.2.0/24 binat-to 10.0.0.7 + +match on lo0 from 192.168.2.0/24 to any binat-to 10.0.5.0/24 +match on lo0 from 192.168.2.0/28 to any binat-to 10.0.4.0/28 +match on lo0 from 192.168.2.0/30 to 192.168.3.1 binat-to 10.0.3.0/30 + +match on lo0 from 192.168.1.8 to ! 172.17.0.0/16 binat-to 10.0.0.8 + +match on lo0 from 1.1.1.1 to no-route binat-to 2.2.2.2 +match on lo0 from (lo0:0) to 1.1.1.1 binat-to 2.2.2.2 +match on lo0 from (lo0:0) to 1.1.1.1 binat-to (lo1000000:0) +match on lo0 inet from (lo0:0) to (lo1000000:0) binat-to (lo1000000:0) +match on lo0 from 1.1.1.1 to <sometable> binat-to 2.2.2.2 +match on lo0 from 1.1.1.1 to !<sometable> binat-to 2.2.2.2 +match on lo0 from 1.1.1.1 to (lo1000000:0) binat-to 2.2.2.2 +match on lo0 from 1.1.1.1 to !(lo1000000:0) binat-to 2.2.2.2 +match on lo0 from (lo0:0) to <sometable> binat-to 2.2.2.2 + +match on lo0 from ::1 to no-route binat-to ::2 +match on lo0 from (lo0:0) to ::1 binat-to ::2 +match on lo0 from (lo0:0) to ::1 binat-to (lo1000000:0) +match on lo0 inet6 from (lo0:0) to (lo1000000:0) binat-to (lo1000000:0) +match on lo0 from ::1 to <sometable> binat-to ::2 +match on lo0 from ::1 to !<sometable> binat-to ::2 +match on lo0 from ::1 to (lo1000000:0) binat-to ::2 +match on lo0 from ::1 to !(lo1000000:0) binat-to 
::2 +match on lo0 from (lo0:0) to <sometable> binat-to ::2 + +match on lo0 from ::1 to (lo0) binat-to ::1 +match on lo0 from ::1 to (lo0:0) binat-to ::1 +match on lo0 from ::1 to (lo0:peer) binat-to ::1 +match on lo0 from ::1 to (lo0:peer:0) binat-to ::1 +match on lo0 from ::1 to (lo0:broadcast) binat-to ::1 +match on lo0 from ::1 to (lo0:broadcast:0) binat-to ::1 +match on lo0 from ::1 to (lo0:network) binat-to ::1 +match on lo0 from ::1 to (lo0:network:0) binat-to ::1 +match on lo0 from ::1 to (lo0)/100 binat-to ::2 +match on lo0 from ::1 to (lo0:0)/100 binat-to ::2 +match on lo0 from ::1 to (lo0:peer)/100 binat-to ::2 +match on lo0 from ::1 to (lo0:peer:0)/100 binat-to ::2 + +match on lo from (lo0:0) to ::1 binat-to ::2 +match on tun from (lo0:0) to ::1 binat-to ::2 diff --git a/regress/sbin/pfctl/pf18.in b/regress/sbin/pfctl/pf18.in index b19dcb4fb77..ab3c81f86c5 100644 --- a/regress/sbin/pfctl/pf18.in +++ b/regress/sbin/pfctl/pf18.in @@ -3,7 +3,6 @@ TEST_LIST1 = "{ 192.168.1.5, 192.168.1.6, 192.168.1.7 }" TEST_LIST2 = "{ 172.6.1.1, 172.14.1.2/32, 172.16.2.0/24 }" -no nat on lo0 from 192.168.1.1 to 10.1.2.3 match out on lo0 from 192.168.1.1 to any nat-to 10.0.0.1 match out on lo0 proto tcp from 192.168.1.2 to any nat-to 10.0.0.2 match out on lo0 proto udp from 192.168.1.3 to any nat-to 10.0.0.3 diff --git a/regress/sbin/pfctl/pf18.ok b/regress/sbin/pfctl/pf18.ok index 9cefeb26b7c..6ba137ae84f 100644 --- a/regress/sbin/pfctl/pf18.ok +++ b/regress/sbin/pfctl/pf18.ok 
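Review bot: The `no binat on lo0 from 192.168.1.1 to 10.1.2.3` case at the top of pf17.in is deleted rather than converted, and the pf18.in and pf18.ok hunks drop `no nat on lo0 from 192.168.1.1 to 10.1.2.3` the same way. After this change none of the visible inputs exercises exempting a flow from translation, so a parser or printer regression in that path would no longer be caught by these files. If the new grammar has an equivalent form, add it to both inputs with the matching expected line. If it has none, record that in the test with a comment such as `# "no binat"/"no nat" have no match-rule equivalent; exemption case dropped` so the gap reads as intentional.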
@@ -1,22 +1,21 @@ TEST_LIST1 = "{ 192.168.1.5, 192.168.1.6, 192.168.1.7 }" TEST_LIST2 = "{ 172.6.1.1, 172.14.1.2/32, 172.16.2.0/24 }" -no nat on lo0 inet from 192.168.1.1 to 10.1.2.3 -nat on lo0 inet from 192.168.1.1 to any -> 10.0.0.1 -nat on lo0 inet proto tcp from 192.168.1.2 to any -> 10.0.0.2 -nat on lo0 inet proto udp from 192.168.1.3 to any -> 10.0.0.3 -nat on lo0 inet proto icmp from 192.168.1.4 to any -> 10.0.0.4 -nat on lo0 inet from 192.168.1.5 to 172.6.1.1 -> 127.0.0.1 -nat on lo0 inet from 192.168.1.5 to 172.14.1.2 -> 127.0.0.1 -nat on lo0 inet from 192.168.1.5 to 172.16.2.0/24 -> 127.0.0.1 -nat on lo0 inet from 192.168.1.6 to 172.6.1.1 -> 127.0.0.1 -nat on lo0 inet from 192.168.1.6 to 172.14.1.2 -> 127.0.0.1 -nat on lo0 inet from 192.168.1.6 to 172.16.2.0/24 -> 127.0.0.1 -nat on lo0 inet from 192.168.1.7 to 172.6.1.1 -> 127.0.0.1 -nat on lo0 inet from 192.168.1.7 to 172.14.1.2 -> 127.0.0.1 -nat on lo0 inet from 192.168.1.7 to 172.16.2.0/24 -> 127.0.0.1 -nat on lo0 inet from 192.168.0.0/24 to any -> (lo0) round-robin -nat on lo0 inet from 192.168.1.8 to ! 172.17.0.0/16 -> 10.0.0.8 -nat on ! lo0 inet proto udp all -> 10.0.0.8 static-port -nat on ! 
lo0 inet proto tcp all -> 10.0.0.8 static-port -nat on lo0 inet all -> 10.0.0.8 -nat on tun1000000 inet all -> 10.0.0.8 +match out on lo0 inet from 192.168.1.1 to any nat-to 10.0.0.1 +match out on lo0 inet proto tcp from 192.168.1.2 to any nat-to 10.0.0.2 +match out on lo0 inet proto udp from 192.168.1.3 to any nat-to 10.0.0.3 +match out on lo0 inet proto icmp from 192.168.1.4 to any nat-to 10.0.0.4 +match out on lo0 inet from 192.168.1.5 to 172.6.1.1 nat-to 127.0.0.1 +match out on lo0 inet from 192.168.1.5 to 172.14.1.2 nat-to 127.0.0.1 +match out on lo0 inet from 192.168.1.5 to 172.16.2.0/24 nat-to 127.0.0.1 +match out on lo0 inet from 192.168.1.6 to 172.6.1.1 nat-to 127.0.0.1 +match out on lo0 inet from 192.168.1.6 to 172.14.1.2 nat-to 127.0.0.1 +match out on lo0 inet from 192.168.1.6 to 172.16.2.0/24 nat-to 127.0.0.1 +match out on lo0 inet from 192.168.1.7 to 172.6.1.1 nat-to 127.0.0.1 +match out on lo0 inet from 192.168.1.7 to 172.14.1.2 nat-to 127.0.0.1 +match out on lo0 inet from 192.168.1.7 to 172.16.2.0/24 nat-to 127.0.0.1 +match out on lo0 inet from 192.168.0.0/24 to any nat-to (lo0) round-robin +match out on lo0 inet from 192.168.1.8 to ! 172.17.0.0/16 nat-to 10.0.0.8 +match out on ! lo0 inet proto udp all nat-to 10.0.0.8 static-port +match out on ! lo0 inet proto tcp all nat-to 10.0.0.8 static-port +match out on lo0 inet all nat-to 10.0.0.8 +match out on tun1000000 inet all nat-to 10.0.0.8 diff --git a/regress/sbin/pfctl/pf19.in b/regress/sbin/pfctl/pf19.in index b6ceaeaf868..5005302c6d4 100644 --- a/regress/sbin/pfctl/pf19.in +++ b/regress/sbin/pfctl/pf19.in 
@@ -3,7 +3,7 @@ GOOD = "{ lo0, lo1000000 }" GOOD_NET = "{ 127.0.0.0/24, 10.0.1.0/24 }" DEST_NET = "{ 1.2.3.4/25, 2.4.6.8/30 }" -rdr on lo0 proto tcp from any to 1.2.3.4/32 port 2222 -> 10.0.0.10 port 22 +match in on lo0 proto tcp from any to 1.2.3.4/32 port 2222 rdr-to 10.0.0.10 port 22 # Test list processing -rdr on $GOOD proto tcp from $GOOD_NET to $DEST_NET port 21 -> 127.0.0.1 port 8021 +match in on $GOOD proto tcp from $GOOD_NET to $DEST_NET port 21 rdr-to 127.0.0.1 port 8021 diff --git a/regress/sbin/pfctl/pf19.loaded b/regress/sbin/pfctl/pf19.loaded index a190b649d3b..07d401a7d6f 100644 --- a/regress/sbin/pfctl/pf19.loaded +++ b/regress/sbin/pfctl/pf19.loaded 
@@ -1,36 +1,36 @@ -@0 rdr on lo0 inet proto tcp from any to 1.2.3.4 port = 2222 -> 10.0.0.10 port 22 +@0 match in on lo0 inet proto tcp from any to 1.2.3.4 port = 2222 rdr-to 10.0.0.10 port 22 [ Skip steps: i=5 d=end f=end p=end sp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@1 rdr on lo0 inet proto tcp from 127.0.0.0/24 to 1.2.3.0/25 port = ftp -> 127.0.0.1 port 8021 +@1 match in on lo0 inet proto tcp from 127.0.0.0/24 to 1.2.3.0/25 port = ftp rdr-to 127.0.0.1 port 8021 [ Skip steps: i=5 d=end f=end p=end sa=3 sp=end dp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@2 rdr on lo0 inet proto tcp from 127.0.0.0/24 to 2.4.6.8/30 port = ftp -> 127.0.0.1 port 8021 +@2 match in on lo0 inet proto tcp from 127.0.0.0/24 to 2.4.6.8/30 port = ftp rdr-to 127.0.0.1 port 8021 [ Skip steps: i=5 d=end f=end p=end sp=end dp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@3 rdr on lo0 inet proto tcp from 10.0.1.0/24 to 1.2.3.0/25 port = ftp -> 127.0.0.1 port 8021 +@3 match in on lo0 inet proto tcp from 10.0.1.0/24 to 1.2.3.0/25 port = ftp rdr-to 127.0.0.1 port 8021 [ Skip steps: i=5 d=end f=end p=end sa=5 sp=end dp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@4 rdr on lo0 inet proto tcp from 10.0.1.0/24 to 2.4.6.8/30 port = ftp -> 127.0.0.1 port 8021 +@4 match in on lo0 inet proto tcp from 10.0.1.0/24 to 2.4.6.8/30 port = ftp rdr-to 127.0.0.1 port 8021 [ Skip steps: d=end f=end p=end sp=end dp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@5 rdr on lo1000000 inet proto tcp from 127.0.0.0/24 to 1.2.3.0/25 port = ftp -> 127.0.0.1 port 8021 +@5 match in on lo1000000 inet proto tcp from 127.0.0.0/24 to 1.2.3.0/25 port = ftp rdr-to 127.0.0.1 port 8021 [ Skip steps: i=end d=end f=end p=end sa=7 sp=end dp=end ] [ queue: qname= qid=0 pqname= 
pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@6 rdr on lo1000000 inet proto tcp from 127.0.0.0/24 to 2.4.6.8/30 port = ftp -> 127.0.0.1 port 8021 +@6 match in on lo1000000 inet proto tcp from 127.0.0.0/24 to 2.4.6.8/30 port = ftp rdr-to 127.0.0.1 port 8021 [ Skip steps: i=end d=end f=end p=end sp=end dp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@7 rdr on lo1000000 inet proto tcp from 10.0.1.0/24 to 1.2.3.0/25 port = ftp -> 127.0.0.1 port 8021 +@7 match in on lo1000000 inet proto tcp from 10.0.1.0/24 to 1.2.3.0/25 port = ftp rdr-to 127.0.0.1 port 8021 [ Skip steps: i=end d=end f=end p=end sa=end sp=end dp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@8 rdr on lo1000000 inet proto tcp from 10.0.1.0/24 to 2.4.6.8/30 port = ftp -> 127.0.0.1 port 8021 +@8 match in on lo1000000 inet proto tcp from 10.0.1.0/24 to 2.4.6.8/30 port = ftp rdr-to 127.0.0.1 port 8021 [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] diff --git a/regress/sbin/pfctl/pf19.ok b/regress/sbin/pfctl/pf19.ok index 10202062464..a5afc374d19 100644 --- a/regress/sbin/pfctl/pf19.ok +++ b/regress/sbin/pfctl/pf19.ok 
@@ -2,12 +2,12 @@ EVIL = "lo0" GOOD = "{ lo0, lo1000000 }" GOOD_NET = "{ 127.0.0.0/24, 10.0.1.0/24 }" DEST_NET = "{ 1.2.3.4/25, 2.4.6.8/30 }" -rdr on lo0 inet proto tcp from any to 1.2.3.4 port = 2222 -> 10.0.0.10 port 22 -rdr on lo0 inet proto tcp from 127.0.0.0/24 to 1.2.3.0/25 port = ftp -> 127.0.0.1 port 8021 -rdr on lo0 inet proto tcp from 127.0.0.0/24 to 2.4.6.8/30 port = ftp -> 127.0.0.1 port 8021 -rdr on lo0 inet proto tcp from 10.0.1.0/24 to 1.2.3.0/25 port = ftp -> 127.0.0.1 port 8021 -rdr on lo0 inet proto tcp from 10.0.1.0/24 to 2.4.6.8/30 port = ftp -> 127.0.0.1 port 8021 -rdr on lo1000000 inet proto tcp from 127.0.0.0/24 to 1.2.3.0/25 port = ftp -> 127.0.0.1 port 8021 -rdr on lo1000000 inet proto tcp from 127.0.0.0/24 to 2.4.6.8/30 port = ftp -> 127.0.0.1 port 8021 -rdr on lo1000000 inet proto tcp from 10.0.1.0/24 to 1.2.3.0/25 port = ftp -> 127.0.0.1 port 8021 -rdr on lo1000000 inet proto tcp from 10.0.1.0/24 to 2.4.6.8/30 port = ftp -> 127.0.0.1 port 8021 +match in on lo0 inet proto tcp from any to 1.2.3.4 port = 2222 rdr-to 10.0.0.10 port 22 +match in on lo0 inet proto tcp from 127.0.0.0/24 to 1.2.3.0/25 port = ftp rdr-to 127.0.0.1 port 8021 +match in on lo0 inet proto tcp from 127.0.0.0/24 to 2.4.6.8/30 port = ftp rdr-to 127.0.0.1 port 8021 +match in on lo0 inet proto tcp from 10.0.1.0/24 to 1.2.3.0/25 port = ftp rdr-to 127.0.0.1 port 8021 +match in on lo0 inet proto tcp from 10.0.1.0/24 to 2.4.6.8/30 port = ftp rdr-to 127.0.0.1 port 8021 +match in on lo1000000 inet proto tcp from 127.0.0.0/24 to 1.2.3.0/25 port = ftp rdr-to 127.0.0.1 port 8021 +match in on lo1000000 inet proto tcp from 127.0.0.0/24 to 2.4.6.8/30 port = ftp rdr-to 127.0.0.1 port 8021 +match in on lo1000000 inet proto tcp from 10.0.1.0/24 to 1.2.3.0/25 port = ftp rdr-to 127.0.0.1 port 8021 +match in on lo1000000 inet proto tcp from 10.0.1.0/24 to 2.4.6.8/30 port = ftp rdr-to 127.0.0.1 port 8021 
diff --git a/regress/sbin/pfctl/pf19.optimized b/regress/sbin/pfctl/pf19.optimized index a190b649d3b..07d401a7d6f 100644 --- a/regress/sbin/pfctl/pf19.optimized +++ b/regress/sbin/pfctl/pf19.optimized 
@@ -1,36 +1,36 @@ -@0 rdr on lo0 inet proto tcp from any to 1.2.3.4 port = 2222 -> 10.0.0.10 port 22 +@0 match in on lo0 inet proto tcp from any to 1.2.3.4 port = 2222 rdr-to 10.0.0.10 port 22 [ Skip steps: i=5 d=end f=end p=end sp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@1 rdr on lo0 inet proto tcp from 127.0.0.0/24 to 1.2.3.0/25 port = ftp -> 127.0.0.1 port 8021 +@1 match in on lo0 inet proto tcp from 127.0.0.0/24 to 1.2.3.0/25 port = ftp rdr-to 127.0.0.1 port 8021 [ Skip steps: i=5 d=end f=end p=end sa=3 sp=end dp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@2 rdr on lo0 inet proto tcp from 127.0.0.0/24 to 2.4.6.8/30 port = ftp -> 127.0.0.1 port 8021 +@2 match in on lo0 inet proto tcp from 127.0.0.0/24 to 2.4.6.8/30 port = ftp rdr-to 127.0.0.1 port 8021 [ Skip steps: i=5 d=end f=end p=end sp=end dp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@3 rdr on lo0 inet proto tcp from 10.0.1.0/24 to 1.2.3.0/25 port = ftp -> 127.0.0.1 port 8021 +@3 match in on lo0 inet proto tcp from 10.0.1.0/24 to 1.2.3.0/25 port = ftp rdr-to 127.0.0.1 port 8021 [ Skip steps: i=5 d=end f=end p=end sa=5 sp=end dp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@4 rdr on lo0 inet proto tcp from 10.0.1.0/24 to 2.4.6.8/30 port = ftp -> 127.0.0.1 port 8021 +@4 match in on lo0 inet proto tcp from 10.0.1.0/24 to 2.4.6.8/30 port = ftp rdr-to 127.0.0.1 port 8021 [ Skip steps: d=end f=end p=end sp=end dp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@5 rdr on lo1000000 inet proto tcp from 127.0.0.0/24 to 1.2.3.0/25 port = ftp -> 127.0.0.1 port 8021 +@5 match in on lo1000000 inet proto tcp from 127.0.0.0/24 to 1.2.3.0/25 port = ftp rdr-to 127.0.0.1 port 8021 [ Skip steps: i=end d=end f=end p=end sa=7 sp=end dp=end ] [ queue: qname= qid=0 pqname= 
pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@6 rdr on lo1000000 inet proto tcp from 127.0.0.0/24 to 2.4.6.8/30 port = ftp -> 127.0.0.1 port 8021 +@6 match in on lo1000000 inet proto tcp from 127.0.0.0/24 to 2.4.6.8/30 port = ftp rdr-to 127.0.0.1 port 8021 [ Skip steps: i=end d=end f=end p=end sp=end dp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@7 rdr on lo1000000 inet proto tcp from 10.0.1.0/24 to 1.2.3.0/25 port = ftp -> 127.0.0.1 port 8021 +@7 match in on lo1000000 inet proto tcp from 10.0.1.0/24 to 1.2.3.0/25 port = ftp rdr-to 127.0.0.1 port 8021 [ Skip steps: i=end d=end f=end p=end sa=end sp=end dp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@8 rdr on lo1000000 inet proto tcp from 10.0.1.0/24 to 2.4.6.8/30 port = ftp -> 127.0.0.1 port 8021 +@8 match in on lo1000000 inet proto tcp from 10.0.1.0/24 to 2.4.6.8/30 port = ftp rdr-to 127.0.0.1 port 8021 [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] diff --git a/regress/sbin/pfctl/pf20.loaded b/regress/sbin/pfctl/pf20.loaded index f79e2fecddc..f60ab43e25b 100644 --- a/regress/sbin/pfctl/pf20.loaded +++ b/regress/sbin/pfctl/pf20.loaded 
@@ -1,48 +1,48 @@ -@0 nat on lo0 inet from 127.0.0.0/24 to 1.2.3.0/25 -> 127.0.0.1 - [ Skip steps: i=end d=end f=end p=end sa=2 sp=end dp=end ] +@0 match out on lo0 inet from 127.0.0.0/24 to 1.2.3.0/25 nat-to 127.0.0.1 + [ Skip steps: i=8 d=4 f=end p=4 sa=2 sp=end dp=4 ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@1 nat on lo0 inet from 127.0.0.0/24 to 2.4.6.8/30 -> 127.0.0.1 - [ Skip steps: i=end d=end f=end p=end sp=end dp=end ] +@1 match out on lo0 inet from 127.0.0.0/24 to 2.4.6.8/30 nat-to 127.0.0.1 + [ Skip steps: i=8 d=4 f=end p=4 sp=end dp=4 ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@2 nat on lo0 inet from 10.0.1.0/24 to 1.2.3.0/25 -> 127.0.0.1 - [ Skip steps: i=end d=end f=end p=end sa=end sp=end dp=end ] +@2 match out on lo0 inet from 10.0.1.0/24 to 1.2.3.0/25 nat-to 127.0.0.1 + [ Skip steps: i=8 d=4 f=end p=4 sa=4 sp=end dp=4 ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@3 nat on lo0 inet from 10.0.1.0/24 to 2.4.6.8/30 -> 127.0.0.1 - [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ] +@3 match out on lo0 inet from 10.0.1.0/24 to 2.4.6.8/30 nat-to 127.0.0.1 + [ Skip steps: i=8 f=end sp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@0 rdr on lo0 inet proto tcp from 127.0.0.0/24 to 1.2.3.0/25 port = ftp -> 127.0.0.1 port 8021 - [ Skip steps: i=4 d=end f=end p=end sa=2 sp=end dp=end ] +@4 match in on lo0 inet proto tcp from 127.0.0.0/24 to 1.2.3.0/25 port = ftp rdr-to 127.0.0.1 port 8021 + [ Skip steps: i=8 d=end f=end p=end sa=6 sp=end dp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@1 rdr on lo0 inet proto tcp from 127.0.0.0/24 to 2.4.6.8/30 port = ftp -> 127.0.0.1 port 8021 - [ Skip steps: i=4 d=end f=end p=end sp=end dp=end ] +@5 match in on lo0 inet proto tcp from 127.0.0.0/24 to 2.4.6.8/30 port = ftp 
rdr-to 127.0.0.1 port 8021 + [ Skip steps: i=8 d=end f=end p=end sp=end dp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@2 rdr on lo0 inet proto tcp from 10.0.1.0/24 to 1.2.3.0/25 port = ftp -> 127.0.0.1 port 8021 - [ Skip steps: i=4 d=end f=end p=end sa=4 sp=end dp=end ] +@6 match in on lo0 inet proto tcp from 10.0.1.0/24 to 1.2.3.0/25 port = ftp rdr-to 127.0.0.1 port 8021 + [ Skip steps: i=8 d=end f=end p=end sa=8 sp=end dp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@3 rdr on lo0 inet proto tcp from 10.0.1.0/24 to 2.4.6.8/30 port = ftp -> 127.0.0.1 port 8021 +@7 match in on lo0 inet proto tcp from 10.0.1.0/24 to 2.4.6.8/30 port = ftp rdr-to 127.0.0.1 port 8021 [ Skip steps: d=end f=end p=end sp=end dp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@4 rdr on lo1000000 inet proto tcp from 127.0.0.0/24 to 1.2.3.0/25 port = ftp -> 127.0.0.1 port 8021 - [ Skip steps: i=end d=end f=end p=end sa=6 sp=end dp=end ] +@8 match in on lo1000000 inet proto tcp from 127.0.0.0/24 to 1.2.3.0/25 port = ftp rdr-to 127.0.0.1 port 8021 + [ Skip steps: i=end d=end f=end p=end sa=10 sp=end dp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@5 rdr on lo1000000 inet proto tcp from 127.0.0.0/24 to 2.4.6.8/30 port = ftp -> 127.0.0.1 port 8021 +@9 match in on lo1000000 inet proto tcp from 127.0.0.0/24 to 2.4.6.8/30 port = ftp rdr-to 127.0.0.1 port 8021 [ Skip steps: i=end d=end f=end p=end sp=end dp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@6 rdr on lo1000000 inet proto tcp from 10.0.1.0/24 to 1.2.3.0/25 port = ftp -> 127.0.0.1 port 8021 +@10 match in on lo1000000 inet proto tcp from 10.0.1.0/24 to 1.2.3.0/25 port = ftp rdr-to 127.0.0.1 port 8021 [ Skip steps: i=end d=end f=end p=end sa=end sp=end dp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] 
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@7 rdr on lo1000000 inet proto tcp from 10.0.1.0/24 to 2.4.6.8/30 port = ftp -> 127.0.0.1 port 8021 +@11 match in on lo1000000 inet proto tcp from 10.0.1.0/24 to 2.4.6.8/30 port = ftp rdr-to 127.0.0.1 port 8021 [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] diff --git a/regress/sbin/pfctl/pf20.ok b/regress/sbin/pfctl/pf20.ok index 6c941d35f89..bd2c6cf2055 100644 --- a/regress/sbin/pfctl/pf20.ok +++ b/regress/sbin/pfctl/pf20.ok 
@@ -2,15 +2,15 @@ EVIL = "lo0" GOOD = "{ lo0, lo1000000 }" GOOD_NET = "{ 127.0.0.0/24, 10.0.1.0/24 }" DEST_NET = "{ 1.2.3.4/25, 2.4.6.8/30 }" -nat on lo0 inet from 127.0.0.0/24 to 1.2.3.0/25 -> 127.0.0.1 -nat on lo0 inet from 127.0.0.0/24 to 2.4.6.8/30 -> 127.0.0.1 -nat on lo0 inet from 10.0.1.0/24 to 1.2.3.0/25 -> 127.0.0.1 -nat on lo0 inet from 10.0.1.0/24 to 2.4.6.8/30 -> 127.0.0.1 -rdr on lo0 inet proto tcp from 127.0.0.0/24 to 1.2.3.0/25 port = ftp -> 127.0.0.1 port 8021 -rdr on lo0 inet proto tcp from 127.0.0.0/24 to 2.4.6.8/30 port = ftp -> 127.0.0.1 port 8021 -rdr on lo0 inet proto tcp from 10.0.1.0/24 to 1.2.3.0/25 port = ftp -> 127.0.0.1 port 8021 -rdr on lo0 inet proto tcp from 10.0.1.0/24 to 2.4.6.8/30 port = ftp -> 127.0.0.1 port 8021 -rdr on lo1000000 inet proto tcp from 127.0.0.0/24 to 1.2.3.0/25 port = ftp -> 127.0.0.1 port 8021 -rdr on lo1000000 inet proto tcp from 127.0.0.0/24 to 2.4.6.8/30 port = ftp -> 127.0.0.1 port 8021 -rdr on lo1000000 inet proto tcp from 10.0.1.0/24 to 1.2.3.0/25 port = ftp -> 127.0.0.1 port 8021 -rdr on lo1000000 inet proto tcp from 10.0.1.0/24 to 2.4.6.8/30 port = ftp -> 127.0.0.1 port 8021 +match out on lo0 inet from 127.0.0.0/24 to 1.2.3.0/25 nat-to 127.0.0.1 +match out on lo0 inet from 127.0.0.0/24 to 2.4.6.8/30 nat-to 127.0.0.1 +match out on lo0 inet from 10.0.1.0/24 to 1.2.3.0/25 nat-to 127.0.0.1 +match out on lo0 inet from 10.0.1.0/24 to 2.4.6.8/30 nat-to 127.0.0.1 +match in on lo0 inet proto tcp from 127.0.0.0/24 to 1.2.3.0/25 port = ftp rdr-to 127.0.0.1 port 8021 +match in on lo0 inet proto tcp from 127.0.0.0/24 to 2.4.6.8/30 port = ftp rdr-to 127.0.0.1 port 8021 +match in on lo0 inet proto tcp from 10.0.1.0/24 to 1.2.3.0/25 port = ftp rdr-to 127.0.0.1 port 8021 +match in on lo0 inet proto tcp from 10.0.1.0/24 to 2.4.6.8/30 port = ftp rdr-to 127.0.0.1 port 8021 +match in on lo1000000 inet proto tcp from 127.0.0.0/24 to 1.2.3.0/25 port = ftp rdr-to 127.0.0.1 port 8021 +match in on lo1000000 inet proto tcp from 
127.0.0.0/24 to 2.4.6.8/30 port = ftp rdr-to 127.0.0.1 port 8021 +match in on lo1000000 inet proto tcp from 10.0.1.0/24 to 1.2.3.0/25 port = ftp rdr-to 127.0.0.1 port 8021 +match in on lo1000000 inet proto tcp from 10.0.1.0/24 to 2.4.6.8/30 port = ftp rdr-to 127.0.0.1 port 8021 diff --git a/regress/sbin/pfctl/pf20.optimized b/regress/sbin/pfctl/pf20.optimized index f79e2fecddc..f60ab43e25b 100644 --- a/regress/sbin/pfctl/pf20.optimized +++ b/regress/sbin/pfctl/pf20.optimized 
@@ -1,48 +1,48 @@ -@0 nat on lo0 inet from 127.0.0.0/24 to 1.2.3.0/25 -> 127.0.0.1 - [ Skip steps: i=end d=end f=end p=end sa=2 sp=end dp=end ] +@0 match out on lo0 inet from 127.0.0.0/24 to 1.2.3.0/25 nat-to 127.0.0.1 + [ Skip steps: i=8 d=4 f=end p=4 sa=2 sp=end dp=4 ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@1 nat on lo0 inet from 127.0.0.0/24 to 2.4.6.8/30 -> 127.0.0.1 - [ Skip steps: i=end d=end f=end p=end sp=end dp=end ] +@1 match out on lo0 inet from 127.0.0.0/24 to 2.4.6.8/30 nat-to 127.0.0.1 + [ Skip steps: i=8 d=4 f=end p=4 sp=end dp=4 ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@2 nat on lo0 inet from 10.0.1.0/24 to 1.2.3.0/25 -> 127.0.0.1 - [ Skip steps: i=end d=end f=end p=end sa=end sp=end dp=end ] +@2 match out on lo0 inet from 10.0.1.0/24 to 1.2.3.0/25 nat-to 127.0.0.1 + [ Skip steps: i=8 d=4 f=end p=4 sa=4 sp=end dp=4 ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@3 nat on lo0 inet from 10.0.1.0/24 to 2.4.6.8/30 -> 127.0.0.1 - [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ] +@3 match out on lo0 inet from 10.0.1.0/24 to 2.4.6.8/30 nat-to 127.0.0.1 + [ Skip steps: i=8 f=end sp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@0 rdr on lo0 inet proto tcp from 127.0.0.0/24 to 1.2.3.0/25 port = ftp -> 127.0.0.1 port 8021 - [ Skip steps: i=4 d=end f=end p=end sa=2 sp=end dp=end ] +@4 match in on lo0 inet proto tcp from 127.0.0.0/24 to 1.2.3.0/25 port = ftp rdr-to 127.0.0.1 port 8021 + [ Skip steps: i=8 d=end f=end p=end sa=6 sp=end dp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@1 rdr on lo0 inet proto tcp from 127.0.0.0/24 to 2.4.6.8/30 port = ftp -> 127.0.0.1 port 8021 - [ Skip steps: i=4 d=end f=end p=end sp=end dp=end ] +@5 match in on lo0 inet proto tcp from 127.0.0.0/24 to 2.4.6.8/30 port = ftp 
rdr-to 127.0.0.1 port 8021 + [ Skip steps: i=8 d=end f=end p=end sp=end dp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@2 rdr on lo0 inet proto tcp from 10.0.1.0/24 to 1.2.3.0/25 port = ftp -> 127.0.0.1 port 8021 - [ Skip steps: i=4 d=end f=end p=end sa=4 sp=end dp=end ] +@6 match in on lo0 inet proto tcp from 10.0.1.0/24 to 1.2.3.0/25 port = ftp rdr-to 127.0.0.1 port 8021 + [ Skip steps: i=8 d=end f=end p=end sa=8 sp=end dp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@3 rdr on lo0 inet proto tcp from 10.0.1.0/24 to 2.4.6.8/30 port = ftp -> 127.0.0.1 port 8021 +@7 match in on lo0 inet proto tcp from 10.0.1.0/24 to 2.4.6.8/30 port = ftp rdr-to 127.0.0.1 port 8021 [ Skip steps: d=end f=end p=end sp=end dp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@4 rdr on lo1000000 inet proto tcp from 127.0.0.0/24 to 1.2.3.0/25 port = ftp -> 127.0.0.1 port 8021 - [ Skip steps: i=end d=end f=end p=end sa=6 sp=end dp=end ] +@8 match in on lo1000000 inet proto tcp from 127.0.0.0/24 to 1.2.3.0/25 port = ftp rdr-to 127.0.0.1 port 8021 + [ Skip steps: i=end d=end f=end p=end sa=10 sp=end dp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@5 rdr on lo1000000 inet proto tcp from 127.0.0.0/24 to 2.4.6.8/30 port = ftp -> 127.0.0.1 port 8021 +@9 match in on lo1000000 inet proto tcp from 127.0.0.0/24 to 2.4.6.8/30 port = ftp rdr-to 127.0.0.1 port 8021 [ Skip steps: i=end d=end f=end p=end sp=end dp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@6 rdr on lo1000000 inet proto tcp from 10.0.1.0/24 to 1.2.3.0/25 port = ftp -> 127.0.0.1 port 8021 +@10 match in on lo1000000 inet proto tcp from 10.0.1.0/24 to 1.2.3.0/25 port = ftp rdr-to 127.0.0.1 port 8021 [ Skip steps: i=end d=end f=end p=end sa=end sp=end dp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] 
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] -@7 rdr on lo1000000 inet proto tcp from 10.0.1.0/24 to 2.4.6.8/30 port = ftp -> 127.0.0.1 port 8021 +@11 match in on lo1000000 inet proto tcp from 10.0.1.0/24 to 2.4.6.8/30 port = ftp rdr-to 127.0.0.1 port 8021 [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ] [ queue: qname= qid=0 pqname= pqid=0 ] [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ] diff --git a/regress/sbin/pfctl/pf27.ok b/regress/sbin/pfctl/pf27.ok index d61ce87e89f..c4709f70e9b 100644 --- a/regress/sbin/pfctl/pf27.ok +++ b/regress/sbin/pfctl/pf27.ok 
@@ -1,12 +1,12 @@
-nat on lo0 inet from any to 127.0.0.1 -> 127.0.0.1
-nat on lo0 inet from 127.0.0.1 to any -> 127.0.0.1
-nat on lo0 inet from any to 127.0.0.1 -> 127.0.0.1
-nat on lo0 inet from any to 127.0.0.1 -> (lo0) round-robin
-nat on lo0 inet from 127.0.0.1 to any -> (lo0) round-robin
-nat on lo0 inet from any to (lo0) -> 127.0.0.1
-rdr on lo0 inet from any to 127.0.0.1 -> 127.0.0.1
-rdr on lo0 inet from 127.0.0.1 to any -> 127.0.0.1
-rdr on lo0 inet from any to 127.0.0.1 -> 127.0.0.1
-rdr on lo0 inet from any to 127.0.0.1 -> (lo0) round-robin
-rdr on lo0 inet from 127.0.0.1 to any -> (lo0) round-robin
-rdr on lo0 inet from any to (lo0) -> 127.0.0.1
+match out on lo0 inet from any to 127.0.0.1 nat-to 127.0.0.1
+match out on lo0 inet from 127.0.0.1 to any nat-to 127.0.0.1
+match out on lo0 inet from any to 127.0.0.1 nat-to 127.0.0.1
+match out on lo0 inet from any to 127.0.0.1 nat-to (lo0) round-robin
+match out on lo0 inet from 127.0.0.1 to any nat-to (lo0) round-robin
+match out on lo0 inet from any to (lo0) nat-to 127.0.0.1
+match in on lo0 inet from any to 127.0.0.1 rdr-to 127.0.0.1
+match in on lo0 inet from 127.0.0.1 to any rdr-to 127.0.0.1
+match in on lo0 inet from any to 127.0.0.1 rdr-to 127.0.0.1
+match in on lo0 inet from any to 127.0.0.1 rdr-to (lo0) round-robin
+match in on lo0 inet from 127.0.0.1 to any rdr-to (lo0) round-robin
+match in on lo0 inet from any to (lo0) rdr-to 127.0.0.1
diff --git a/regress/sbin/pfctl/pf29.in b/regress/sbin/pfctl/pf29.in
index a76a30ab6bb..9edbfd55335 100644
--- a/regress/sbin/pfctl/pf29.in
+++ b/regress/sbin/pfctl/pf29.in
@@ -1,3 +1,3 @@
-rdr on lo0 proto tcp from any to 192.168.0.0/24 port 8000:8010 -> 127.0.0.1 port 8000:*
-rdr on lo0 proto tcp from any to 192.168.0.0/24 port ftp:ssh -> 127.0.0.1 port bgp:*
-rdr on lo0 proto tcp from any to 192.168.0.0/24 port 1000:3000 -> 127.0.0.1 port 22
+match in on lo0 proto tcp from any to 192.168.0.0/24 port 8000:8010 rdr-to 127.0.0.1 port 8000:*
+match in on lo0 proto tcp from any to 192.168.0.0/24 port ftp:ssh rdr-to 127.0.0.1 port bgp:*
+match in on lo0 proto tcp from any to 192.168.0.0/24 port 1000:3000 rdr-to 127.0.0.1 port 22
diff --git a/regress/sbin/pfctl/pf29.ok b/regress/sbin/pfctl/pf29.ok
index c84d06984ff..d3a91157fa6 100644
--- a/regress/sbin/pfctl/pf29.ok
+++ b/regress/sbin/pfctl/pf29.ok
@@ -1,3 +1,3 @@
-rdr on lo0 inet proto tcp from any to 192.168.0.0/24 port 8000:8010 -> 127.0.0.1 port 8000:8010
-rdr on lo0 inet proto tcp from any to 192.168.0.0/24 port 21:22 -> 127.0.0.1 port 179:180
-rdr on lo0 inet proto tcp from any to 192.168.0.0/24 port 1000:3000 -> 127.0.0.1 port 22
+match in on lo0 inet proto tcp from any to 192.168.0.0/24 port 8000:8010 rdr-to 127.0.0.1 port 8000:8010
+match in on lo0 inet proto tcp from any to 192.168.0.0/24 port 21:22 rdr-to 127.0.0.1 port 179:180
+match in on lo0 inet proto tcp from any to 192.168.0.0/24 port 1000:3000 rdr-to 127.0.0.1 port 22
diff --git a/regress/sbin/pfctl/pf46.in b/regress/sbin/pfctl/pf46.in
index 833be0ad7b1..55aa9dcf9f2 100644
--- a/regress/sbin/pfctl/pf46.in
+++ b/regress/sbin/pfctl/pf46.in
@@ -1,8 +1,8 @@
-pass in on lo0 route-to { (pflog0 127.0.0.1), (pflog0 127.0.0.2) } all
-pass out on lo0 route-to { (pflog0 127.0.0.1), (pflog0 127.0.0.2) } round-robin all
-pass in on lo0 route-to (pflog0 127.0.0.1/24) bitmask all
-pass out on lo0 dup-to (pflog0 127.0.0.1/24) random all
-pass in on lo0 reply-to { pflog0, pflog0 } round-robin inet6 all
-pass in on lo0 reply-to (pflog0 127.0.0.0/28) source-hash 0x0123456789ABCDEF0123456789abcdef inet all
-pass out on lo0 route-to (pflog0 127.0.0.1/24) source-hash foobarlicious all
-pass in on lo0 dup-to (pflog0 127.0.0.1/24) round-robin all
+pass in on lo0 from any to any route-to { (pflog0 127.0.0.1), (pflog0 127.0.0.2) }
+pass out on lo0 from any to any route-to { (pflog0 127.0.0.1), (pflog0 127.0.0.2) } round-robin
+pass in on lo0 from any to any route-to (pflog0 127.0.0.1/24) bitmask
+pass out on lo0 from any to any dup-to (pflog0 127.0.0.1/24) random
+pass in on lo0 inet6 from any to any reply-to { pflog0, pflog0 } round-robin
+pass in on lo0 inet from any to any reply-to (pflog0 127.0.0.0/28) source-hash 0x0123456789ABCDEF0123456789abcdef
+pass out on lo0 from any to any route-to (pflog0 127.0.0.1/24) source-hash foobarlicious
+pass in on lo0 from any to any dup-to (pflog0 127.0.0.1/24) round-robin
diff --git a/regress/sbin/pfctl/pf46.ok b/regress/sbin/pfctl/pf46.ok
index c45e1d042bf..aba21a02903 100644
--- a/regress/sbin/pfctl/pf46.ok
+++ b/regress/sbin/pfctl/pf46.ok
@@ -1,8 +1,8 @@
-pass in on lo0 route-to { (pflog0 127.0.0.1), (pflog0 127.0.0.2) } round-robin inet all flags S/SA keep state
-pass out on lo0 route-to { (pflog0 127.0.0.1), (pflog0 127.0.0.2) } round-robin inet all flags S/SA keep state
-pass in on lo0 route-to (pflog0 127.0.0.0/24) bitmask inet all flags S/SA keep state
-pass out on lo0 dup-to (pflog0 127.0.0.0/24) random inet all flags S/SA keep state
-pass in on lo0 reply-to { pflog0, pflog0 } round-robin inet6 all flags S/SA keep state
-pass in on lo0 reply-to (pflog0 127.0.0.0/28) source-hash 0x0123456789abcdef0123456789abcdef inet all flags S/SA keep state
-pass out on lo0 route-to (pflog0 127.0.0.0/24) source-hash 0x4da8e393fd22f577426cfdf7fe52d3b0 inet all flags S/SA keep state
-pass in on lo0 dup-to (pflog0 127.0.0.0/24) round-robin inet all flags S/SA keep state
+pass in on lo0 inet from any to any route-to { (pflog0 127.0.0.1), (pflog0 127.0.0.2) } round-robin
+pass out on lo0 inet from any to any route-to { (pflog0 127.0.0.1), (pflog0 127.0.0.2) } round-robin
+pass in on lo0 inet from any to any route-to (pflog0 127.0.0.0/24) bitmask
+pass out on lo0 inet from any to any dup-to (pflog0 127.0.0.0/24) random
+pass in on lo0 inet6 from any to any reply-to { pflog0, pflog0 } round-robin
+pass in on lo0 inet from any to any reply-to (pflog0 127.0.0.0/28) source-hash 0x0123456789abcdef0123456789abcdef
+pass out on lo0 inet from any to any route-to (pflog0 127.0.0.0/24) source-hash 0x4da8e393fd22f577426cfdf7fe52d3b0
+pass in on lo0 inet from any to any dup-to (pflog0 127.0.0.0/24) round-robin
diff --git a/regress/sbin/pfctl/pf48.ok b/regress/sbin/pfctl/pf48.ok
index 9c864f2a627..aff5123c231 100644
--- a/regress/sbin/pfctl/pf48.ok
+++ b/regress/sbin/pfctl/pf48.ok
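Review bot: The eight new expected lines in pf46.ok drop `flags S/SA keep state` and spell the match as `from any to any`. The other pass rules in the .ok files on this page (pf51.ok, pf69.ok, pf98.ok) still print `all flags S/SA keep state`, and pfopt5.ok prints `inet all` for a `from any to any` input. That suggests these lines were converted by hand from pf46.in rather than captured from pfctl, in which case the test will not match. If pfctl really prints them this way, losing the default stateful flags on route-to/dup-to/reply-to pass rules is a behaviour change the commit message should call out. I would regenerate the file from pfctl's actual output and expect lines of the shape `pass in on lo0 inet all flags S/SA keep state route-to (pflog0 127.0.0.0/24) bitmask`, with the option order being whatever pfctl emits.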
@@ -1,10 +1,10 @@ table <regress> { 1.2.3.4 !5.6.7.8 10.0.0.0/8 127.0.0.1 ::1 fe80::1 } table <regress.1> const { ::1 fe80::/64 } table <regress.a> const { 1.2.3.4 !5.6.7.8 ::1 ::2 ::3 } file "/dev/null" { 4.3.2.1 } -nat on lo0 inet from <regress.1> to <regress.2> -> 127.0.0.1 -nat on ! lo0 inet from ! <regress.1> to <regress.2> -> 127.0.0.1 -rdr on lo0 inet from <regress.1> to <regress.2> -> 127.0.0.1 -rdr on ! lo0 inet from ! <regress.1> to <regress.2> -> 127.0.0.1 +match out on lo0 inet from <regress.1> to <regress.2> nat-to 127.0.0.1 +match out on ! lo0 inet from ! <regress.1> to <regress.2> nat-to 127.0.0.1 +match in on lo0 inet from <regress.1> to <regress.2> rdr-to 127.0.0.1 +match in on ! lo0 inet from ! <regress.1> to <regress.2> rdr-to 127.0.0.1 match in from <regress.1> to any match in from ! <regress.2> to any match out from any to ! <regress.1> diff --git a/regress/sbin/pfctl/pf51.ok b/regress/sbin/pfctl/pf51.ok index 5bbf6af7b3b..2573c2c88e3 100644 --- a/regress/sbin/pfctl/pf51.ok +++ b/regress/sbin/pfctl/pf51.ok @@ -2,5 +2,5 @@ set require-order no altq on lo0 cbq bandwidth 10Mb tbrsize 1824 queue { toad frog } queue toad bandwidth 1Mb queue frog bandwidth 90% cbq( default ) -nat on lo0 inet all -> 127.0.0.1 pass in on lo0 all flags S/SA keep state +match out on lo0 inet all nat-to 127.0.0.1 diff --git a/regress/sbin/pfctl/pf66.ok b/regress/sbin/pfctl/pf66.ok index d49d56af701..dc5a4600c6b 100644 --- a/regress/sbin/pfctl/pf66.ok +++ b/regress/sbin/pfctl/pf66.ok 
@@ -1,6 +1,6 @@
-nat on lo0 inet from 192.168.1.1 to any -> 10.0.0.1 port 500
-nat on lo0 inet proto tcp from 192.168.1.2 to any -> 10.0.0.2 port 1000:5000
-nat on lo0 inet proto udp from 192.168.1.3 to any -> 10.0.0.3 port 5000:1000
-nat on lo0 inet proto udp from 192.168.1.4 to any -> 10.0.0.4 port 50000
-nat on lo0 inet proto tcp from 192.168.1.2 to any -> 10.0.0.2 port 80:5000
-nat on lo0 inet proto udp from 192.168.1.3 to any -> 10.0.0.3 port 5000:80
+match out on lo0 inet from 192.168.1.1 to any nat-to 10.0.0.1 port 500
+match out on lo0 inet proto tcp from 192.168.1.2 to any nat-to 10.0.0.2 port 1000:5000
+match out on lo0 inet proto udp from 192.168.1.3 to any nat-to 10.0.0.3 port 5000:1000
+match out on lo0 inet proto udp from 192.168.1.4 to any nat-to 10.0.0.4 port 50000
+match out on lo0 inet proto tcp from 192.168.1.2 to any nat-to 10.0.0.2 port 80:5000
+match out on lo0 inet proto udp from 192.168.1.3 to any nat-to 10.0.0.3 port 5000:80
diff --git a/regress/sbin/pfctl/pf69.ok b/regress/sbin/pfctl/pf69.ok
index 3b790daf555..2bf34c04baa 100644
--- a/regress/sbin/pfctl/pf69.ok
+++ b/regress/sbin/pfctl/pf69.ok
@@ -1,2 +1,2 @@
-nat on lo0 inet all tag regress -> 127.0.0.1
+match out on lo0 inet all tag regress nat-to 127.0.0.1
 pass out quick on lo0 all flags S/SA keep state tagged regress
diff --git a/regress/sbin/pfctl/pf84.ok b/regress/sbin/pfctl/pf84.ok
index b665b24ae55..16162fc5f34 100644
--- a/regress/sbin/pfctl/pf84.ok
+++ b/regress/sbin/pfctl/pf84.ok
@@ -1,6 +1,6 @@ -nat on tun1000000 inet from 10.0.0.0/24 to any -> { 10.0.1.1, 10.0.1.2 } round-robin sticky-address -rdr on tun1000000 inet from any to 10.0.1.1 -> 10.0.0.0/24 random sticky-address -rdr on tun1000000 inet from any to 10.0.1.2 -> { 10.0.0.1, 10.0.0.2 } round-robin sticky-address +match out on tun1000000 inet from 10.0.0.0/24 to any nat-to { 10.0.1.1, 10.0.1.2 } round-robin sticky-address +match in on tun1000000 inet from any to 10.0.1.1 rdr-to 10.0.0.0/24 random sticky-address +match in on tun1000000 inet from any to 10.0.1.2 rdr-to { 10.0.0.1, 10.0.0.2 } round-robin sticky-address pass in proto tcp from any to any port = ssh flags S/SA keep state (source-track global) pass in proto tcp from any to any port = smtp flags S/SA keep state (source-track global) pass in proto tcp from any to any port = www flags S/SA keep state (source-track rule, max-src-states 3, max-src-nodes 1000) diff --git a/regress/sbin/pfctl/pf98.in b/regress/sbin/pfctl/pf98.in index a8aa8d97cdb..bea0b7cb163 100644 --- a/regress/sbin/pfctl/pf98.in +++ b/regress/sbin/pfctl/pf98.in @@ -1,4 +1,4 @@ # Test rule order processing: should pass with require-order defaulting to no. pass in on lo1000000 all -nat on lo0 all -> lo0 +match out on lo0 all nat-to lo0 diff --git a/regress/sbin/pfctl/pf98.ok b/regress/sbin/pfctl/pf98.ok index 13937aab2c3..f436ebb4701 100644 --- a/regress/sbin/pfctl/pf98.ok +++ b/regress/sbin/pfctl/pf98.ok @@ -1,2 +1,2 @@ -nat on lo0 inet all -> 127.0.0.1 pass in on lo1000000 all flags S/SA keep state +match out on lo0 inet all nat-to 127.0.0.1 diff --git a/regress/sbin/pfctl/pfail23.in b/regress/sbin/pfctl/pfail23.in index 8223bf1e3c6..13450fcef45 100644 --- a/regress/sbin/pfctl/pfail23.in +++ b/regress/sbin/pfctl/pfail23.in 
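Review bot: The header comment kept in pf98.in still says the file tests rule order processing with require-order, but after this change both statements appear to be filter rules, so nothing in the input looks out of order any more. pf98.ok supports that reading: the translation rule is now expected after the `pass` line, in file order, instead of ahead of it. Either reword the comment, for example `# nat-to is a filter-rule option now; this only checks that match and pass rules keep their file order.`, or add a statement from a different section after the `pass` so that ordering enforcement is still exercised.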
@@ -7,5 +7,5 @@ pass in proto udp from any to any flags S/SA pass in proto { udp, icmp } from any to any flags S/SA #no routing address with matching address family found -pass out dup-to (tun1000000 1.1.1.1) inet6 all +pass out inet6 from any to any dup-to (tun1000000 1.1.1.1) diff --git a/regress/sbin/pfctl/pfail39.in b/regress/sbin/pfctl/pfail39.in index 705070acd75..c2cef973102 100644 --- a/regress/sbin/pfctl/pfail39.in +++ b/regress/sbin/pfctl/pfail39.in @@ -1,3 +1,3 @@ -binat on lo0 from 192.168.1.1 to any \ -tag faaaaaaaaaaaartoooooooooloooooooooongfaaaaaaaaaaaartoooooooooloooooooooong -> 10.0.0.1 +match on lo0 from 192.168.1.1 to any \ +tag faaaaaaaaaaaartoooooooooloooooooooongfaaaaaaaaaaaartoooooooooloooooooooong binat-to 10.0.0.1 diff --git a/regress/sbin/pfctl/pfopt2.in b/regress/sbin/pfctl/pfopt2.in index fd9b2442692..1c7a039f6e6 100644 --- a/regress/sbin/pfctl/pfopt2.in +++ b/regress/sbin/pfctl/pfopt2.in @@ -18,7 +18,7 @@ queue pri-high priority 2 # NAT -N match in on $ext_if inet from any to any rdr-to 127.0.0.1 match out on $ext_if inet from any to any nat-to 127.0.0.1 -binat on $ext_if inet from 192.168.0.0/24 to 192.168.0.1/24 -> 192.168.0.3/24 +match on $ext_if inet from 192.168.0.0/24 to 192.168.0.1/24 binat-to 192.168.0.3/24 # FILTER, -R pass out on $ext_if proto tcp from any to any port 22 keep state \ diff --git a/regress/sbin/pfctl/pfopt3.in b/regress/sbin/pfctl/pfopt3.in index fd9b2442692..1c7a039f6e6 100644 --- a/regress/sbin/pfctl/pfopt3.in +++ b/regress/sbin/pfctl/pfopt3.in @@ -18,7 +18,7 @@ queue pri-high priority 2 # NAT -N match in on $ext_if inet from any to any rdr-to 127.0.0.1 match out on $ext_if inet from any to any nat-to 127.0.0.1 -binat on $ext_if inet from 192.168.0.0/24 to 192.168.0.1/24 -> 192.168.0.3/24 +match on $ext_if inet from 192.168.0.0/24 to 192.168.0.1/24 binat-to 192.168.0.3/24 # FILTER, -R pass out on $ext_if proto tcp from any to any port 22 keep state \ 
diff --git a/regress/sbin/pfctl/pfopt5.in b/regress/sbin/pfctl/pfopt5.in index fd9b2442692..f72b26ad088 100644 --- a/regress/sbin/pfctl/pfopt5.in +++ b/regress/sbin/pfctl/pfopt5.in @@ -15,12 +15,10 @@ queue pri-low priority 0 queue pri-med priority 1 priq(default) queue pri-high priority 2 -# NAT -N +# FILTER, -R match in on $ext_if inet from any to any rdr-to 127.0.0.1 match out on $ext_if inet from any to any nat-to 127.0.0.1 -binat on $ext_if inet from 192.168.0.0/24 to 192.168.0.1/24 -> 192.168.0.3/24 - -# FILTER, -R +match on $ext_if inet from 192.168.0.0/24 to 192.168.0.1/24 binat-to 192.168.0.3/24 pass out on $ext_if proto tcp from any to any port 22 keep state \ queue(pri-med, pri-high) pass out on $ext_if proto tcp from any to any port 80 keep state queue pri-med diff --git a/regress/sbin/pfctl/pfopt5.ok b/regress/sbin/pfctl/pfopt5.ok index 48e13c6c49f..b3c26d3332f 100644 --- a/regress/sbin/pfctl/pfopt5.ok +++ b/regress/sbin/pfctl/pfopt5.ok @@ -2,6 +2,10 @@ ext_if = "lo0" set limit states 100 set block-policy drop set require-order yes +match in on lo0 inet all rdr-to 127.0.0.1 +match out on lo0 inet all nat-to 127.0.0.1 +match out on lo0 inet from 192.168.0.0/24 to 192.168.0.0/24 nat-to 192.168.0.0/24 static-port +match in on lo0 inet from 192.168.0.0/24 to 192.168.0.0/24 rdr-to 192.168.0.0/24 pass out on lo0 proto tcp from any to any port = ssh flags S/SA keep state queue(pri-med, pri-high) pass out on lo0 proto tcp from any to any port = www flags S/SA keep state queue pri-med pass in on lo0 proto tcp from any to any port = www flags S/SA keep state queue pri-low |
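Review bot: In the lines added to pfopt5.ok, the binat-to rule appears to expand into a nat-to/rdr-to pair whose source, destination and translation address are all `192.168.0.0/24`. The input uses three addresses from the same /24 (`192.168.0.0/24`, `192.168.0.1/24`, `192.168.0.3/24`) and they are printed masked. The expected output therefore cannot show whether the expansion put each address in the right position, which is the mistake a translation-rule test most needs to catch. Using three distinct networks in the input, for example `match on $ext_if inet from 192.168.0.0/24 to 10.1.0.0/24 binat-to 172.16.0.0/24` (constructed values), and regenerating the .ok would make that visible. pfopt2.in and pfopt3.in carry the same input line.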