author | Jonathan Gray <jsg@cvs.openbsd.org> | 2009-09-02 17:25:47 +0000 |
---|---|---|
committer | Jonathan Gray <jsg@cvs.openbsd.org> | 2009-09-02 17:25:47 +0000 |
commit | 2306892e8c735d33a8ee0268bfc4acd1ab4a3e46 (patch) | |
tree | f4dbb3f9054e23ecf74536ed3660b99690f53d6c /regress | |
parent | f3f4171b947aff5ffb734c32a76ef3788bb4d0ea (diff) |
convert a bunch of rdr/nat rules to the new syntax
Things still need to be changed for route-to/binat/command line
options among other things.
ok henning
Diffstat (limited to 'regress')
-rw-r--r-- | regress/sbin/pfctl/pf16.in | 4 | ||||
-rw-r--r-- | regress/sbin/pfctl/pf18.in | 18 | ||||
-rw-r--r-- | regress/sbin/pfctl/pf20.in | 4 | ||||
-rw-r--r-- | regress/sbin/pfctl/pf27.in | 24 | ||||
-rw-r--r-- | regress/sbin/pfctl/pf36.in | 28 | ||||
-rw-r--r-- | regress/sbin/pfctl/pf48.in | 8 | ||||
-rw-r--r-- | regress/sbin/pfctl/pf51.in | 2 | ||||
-rw-r--r-- | regress/sbin/pfctl/pf66.in | 12 | ||||
-rw-r--r-- | regress/sbin/pfctl/pf69.in | 2 | ||||
-rw-r--r-- | regress/sbin/pfctl/pf84.in | 12 | ||||
-rw-r--r-- | regress/sbin/pfctl/pfail10.in | 2 | ||||
-rw-r--r-- | regress/sbin/pfctl/pfail19.in | 4 | ||||
-rw-r--r-- | regress/sbin/pfctl/pfail20.in | 8 | ||||
-rw-r--r-- | regress/sbin/pfctl/pfail41.in | 2 | ||||
-rw-r--r-- | regress/sbin/pfctl/pfail49.in | 12 | ||||
-rw-r--r-- | regress/sbin/pfctl/pfail9.in | 2 | ||||
-rw-r--r-- | regress/sbin/pfctl/pfopt2.in | 4 | ||||
-rw-r--r-- | regress/sbin/pfctl/pfopt3.in | 4 | ||||
-rw-r--r-- | regress/sbin/pfctl/pfopt4.in | 4 | ||||
-rw-r--r-- | regress/sbin/pfctl/pfopt5.in | 4 |
20 files changed, 80 insertions, 80 deletions
diff --git a/regress/sbin/pfctl/pf16.in b/regress/sbin/pfctl/pf16.in
index 84f28cd6914..2144562d761 100644
--- a/regress/sbin/pfctl/pf16.in
+++ b/regress/sbin/pfctl/pf16.in
@@ -1,5 +1,5 @@
 # Test rule order processing: should fail unless nat -> filter
-nat on lo0 from 192.168.1.1 to any -> 10.0.0.1
-rdr on lo0 proto tcp from any to 1.2.3.4/32 port 2222 -> 10.0.0.10 port 22
+match out on lo0 from 192.168.1.1 to any nat-to 10.0.0.1
+match in on lo0 proto tcp from any to 1.2.3.4/32 port 2222 rdr-to 10.0.0.10 port 22
 binat on lo0 from 192.168.1.1 to any -> 10.0.0.1
 pass in on lo1000000 all no state
diff --git a/regress/sbin/pfctl/pf18.in b/regress/sbin/pfctl/pf18.in
index 9d19f7593e4..b19dcb4fb77 100644
--- a/regress/sbin/pfctl/pf18.in
+++ b/regress/sbin/pfctl/pf18.in
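Review bot: The header comment kept as context in pf16.in, `# Test rule order processing: should fail unless nat -> filter`, no longer matches the file after this hunk, because the two converted `match ... nat-to` / `rdr-to` lines now sit ahead of the unconverted `binat on lo0 ... -> 10.0.0.1` line. If the parser at this revision classifies `match` as a filter rule and still enforces `set require-order`, this positive test could start tripping the ordering check, and pfail10.in and pfail9.in (which now end in `match out on lo0 all nat-to lo0` after a `pass`) may stop failing for the reason their comments give. I would reword the comment to something like `# Test rule order processing: match-based translation ahead of old-style binat` and confirm that each of the three files still exercises the ordering check it is named for.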
@@ -4,17 +4,17 @@
 TEST_LIST1 = "{ 192.168.1.5, 192.168.1.6, 192.168.1.7 }"
 TEST_LIST2 = "{ 172.6.1.1, 172.14.1.2/32, 172.16.2.0/24 }"
 no nat on lo0 from 192.168.1.1 to 10.1.2.3
-nat on lo0 from 192.168.1.1 to any -> 10.0.0.1
-nat on lo0 proto tcp from 192.168.1.2 to any -> 10.0.0.2
-nat on lo0 proto udp from 192.168.1.3 to any -> 10.0.0.3
-nat on lo0 proto icmp from 192.168.1.4 to any -> 10.0.0.4
+match out on lo0 from 192.168.1.1 to any nat-to 10.0.0.1
+match out on lo0 proto tcp from 192.168.1.2 to any nat-to 10.0.0.2
+match out on lo0 proto udp from 192.168.1.3 to any nat-to 10.0.0.3
+match out on lo0 proto icmp from 192.168.1.4 to any nat-to 10.0.0.4
-nat on lo0 inet from $TEST_LIST1 to $TEST_LIST2 -> lo0
+match out on lo0 inet from $TEST_LIST1 to $TEST_LIST2 nat-to lo0
-nat on lo0 inet from 192.168.0.1/24 to any -> (lo0)
+match out on lo0 inet from 192.168.0.1/24 to any nat-to (lo0)
-nat on lo0 from 192.168.1.8 to ! 172.17.0.0/16 -> 10.0.0.8
+match out on lo0 from 192.168.1.8 to ! 172.17.0.0/16 nat-to 10.0.0.8
-nat on ! lo0 proto { udp, tcp } from any to any -> 10.0.0.8 static-port
+match out on ! lo0 proto { udp, tcp } from any to any nat-to 10.0.0.8 static-port
-nat on { lo0, tun1000000 } from any to any -> 10.0.0.8
+match out on { lo0, tun1000000 } from any to any nat-to 10.0.0.8
diff --git a/regress/sbin/pfctl/pf20.in b/regress/sbin/pfctl/pf20.in
index 73438d467aa..c973785bc9c 100644
--- a/regress/sbin/pfctl/pf20.in
+++ b/regress/sbin/pfctl/pf20.in
@@ -5,5 +5,5 @@
 GOOD = "{ lo0, lo1000000 }"
 GOOD_NET = "{ 127.0.0.0/24, 10.0.1.0/24 }"
 DEST_NET = "{ 1.2.3.4/25, 2.4.6.8/30 }"
-nat on $EVIL inet from $GOOD_NET to $DEST_NET -> $EVIL
-rdr on $GOOD proto tcp from $GOOD_NET to $DEST_NET port 21 -> 127.0.0.1 port 8021
+match out on $EVIL inet from $GOOD_NET to $DEST_NET nat-to $EVIL
+match in on $GOOD proto tcp from $GOOD_NET to $DEST_NET port 21 rdr-to 127.0.0.1 port 8021
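Review bot: The exemption `no nat on lo0 from 192.168.1.1 to 10.1.2.3` in pf18.in stays in the old syntax as a context line directly above `match out on lo0 from 192.168.1.1 to any nat-to 10.0.0.1`, and nothing in the file says that is deliberate. Whether an old-style exemption still applies to a translation expressed as a `match` rule is not visible from this hunk; a ruleset migrated the same partial way could translate traffic the exemption was meant to leave alone. A comment above the line, for example `# old-syntax exemption, not converted in this change`, would keep readers from taking the pairing as a supported pattern.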
diff --git a/regress/sbin/pfctl/pf27.in b/regress/sbin/pfctl/pf27.in
index 5b57cbaf8e0..d39da58c4fb 100644
--- a/regress/sbin/pfctl/pf27.in
+++ b/regress/sbin/pfctl/pf27.in
@@ -1,17 +1,17 @@
 # test af detection logic
-nat on lo0 from any to 127.0.0.1 -> lo0
-nat on lo0 from 127.0.0.1 to any -> lo0
-nat on lo0 from any to lo0 -> 127.0.0.1
+match out on lo0 from any to 127.0.0.1 nat-to lo0
+match out on lo0 from 127.0.0.1 to any nat-to lo0
+match out on lo0 from any to lo0 nat-to 127.0.0.1
-nat on lo0 from any to 127.0.0.1 -> (lo0)
-nat on lo0 from 127.0.0.1 to any -> (lo0)
-nat on lo0 from any to (lo0) -> 127.0.0.1
+match out on lo0 from any to 127.0.0.1 nat-to (lo0)
+match out on lo0 from 127.0.0.1 to any nat-to (lo0)
+match out on lo0 from any to (lo0) nat-to 127.0.0.1
-rdr on lo0 from any to 127.0.0.1 -> lo0
-rdr on lo0 from 127.0.0.1 to any -> lo0
-rdr on lo0 from any to lo0 -> 127.0.0.1
+match in on lo0 from any to 127.0.0.1 rdr-to lo0
+match in on lo0 from 127.0.0.1 to any rdr-to lo0
+match in on lo0 from any to lo0 rdr-to 127.0.0.1
-rdr on lo0 from any to 127.0.0.1 -> (lo0)
-rdr on lo0 from 127.0.0.1 to any -> (lo0)
-rdr on lo0 from any to (lo0) -> 127.0.0.1
+match in on lo0 from any to 127.0.0.1 rdr-to (lo0)
+match in on lo0 from 127.0.0.1 to any rdr-to (lo0)
+match in on lo0 from any to (lo0) rdr-to 127.0.0.1
diff --git a/regress/sbin/pfctl/pf36.in b/regress/sbin/pfctl/pf36.in
index 7071f843847..bc7d7c7b884 100644
--- a/regress/sbin/pfctl/pf36.in
+++ b/regress/sbin/pfctl/pf36.in
@@ -1,17 +1,17 @@
 # test nat pools syntax
-nat on lo0 from any to 127.0.0.1 -> { 127.0.0.1, 127.0.0.2 }
-nat on lo0 from any to 127.0.0.1 -> { 127.0.0.1, 127.0.0.2 } round-robin
-nat on lo0 from any to 127.0.0.1 -> lo0/24 bitmask static-port
-nat on lo0 from any to 127.0.0.1 -> lo0/24 random
-nat on lo0 from any to lo0 -> 127.0.0.1/24 source-hash 0x0123456789ABCDEF0123456789abcdef
-nat on lo0 from any to 127.0.0.1 -> lo0/24 source-hash foobarlicious
-nat on lo0 from any to 127.0.0.1 -> lo0/24 round-robin
+match out on lo0 from any to 127.0.0.1 nat-to { 127.0.0.1, 127.0.0.2 }
+match out on lo0 from any to 127.0.0.1 nat-to { 127.0.0.1, 127.0.0.2 } round-robin
+match out on lo0 from any to 127.0.0.1 nat-to lo0/24 bitmask static-port
+match out on lo0 from any to 127.0.0.1 nat-to lo0/24 random
+match out on lo0 from any to lo0 nat-to 127.0.0.1/24 source-hash 0x0123456789ABCDEF0123456789abcdef
+match out on lo0 from any to 127.0.0.1 nat-to lo0/24 source-hash foobarlicious
+match out on lo0 from any to 127.0.0.1 nat-to lo0/24 round-robin
-rdr on lo0 from any to lo0 -> { 127.0.0.1, 127.0.0.2 }
-rdr on lo0 from any to lo0 -> { 127.0.0.1, 127.0.0.2 } round-robin
-rdr on lo0 from any to lo0 -> 127.0.0.1/24 bitmask
-rdr on lo0 from any to lo0 -> 127.0.0.1/24 random
-rdr on lo0 from any to 127.0.0.1 -> lo0/24 source-hash 0x0123456789ABCDEF0123456789abcdef
-rdr on lo0 from any to lo0 -> 127.0.0.1/24 source-hash foobarlicious
-rdr on lo0 from any to lo0 -> 127.0.0.1/24 round-robin
+match in on lo0 from any to lo0 rdr-to { 127.0.0.1, 127.0.0.2 }
+match in on lo0 from any to lo0 rdr-to { 127.0.0.1, 127.0.0.2 } round-robin
+match in on lo0 from any to lo0 rdr-to 127.0.0.1/24 bitmask
+match in on lo0 from any to lo0 rdr-to 127.0.0.1/24 random
+match in on lo0 from any to 127.0.0.1 rdr-to lo0/24 source-hash 0x0123456789ABCDEF0123456789abcdef
+match in on lo0 from any to lo0 rdr-to 127.0.0.1/24 source-hash foobarlicious
+match in on lo0 from any to lo0 rdr-to 127.0.0.1/24 round-robin
diff --git a/regress/sbin/pfctl/pf48.in b/regress/sbin/pfctl/pf48.in
index 6605dc7ed1a..943970980d9 100644
--- a/regress/sbin/pfctl/pf48.in
+++ b/regress/sbin/pfctl/pf48.in
@@ -1,10 +1,10 @@
 table < regress > { 1.2.3.4 !5.6.7.8 10/8 lo0 }
 table <regress.1> const { ::1 fe80::/64 }
 table <regress.a> { 1.2.3.4 !5.6.7.8 } { ::1 ::2 ::3 } file "/dev/null" const { 4.3.2.1 }
-nat on lo0 from < regress.1> to <regress.2> -> lo0
-nat on !lo0 from !<regress.1 > to <regress.2> -> lo0
-rdr on lo0 from <regress.1> to <regress.2> -> lo0
-rdr on !lo0 from !< regress.1 > to <regress.2> -> lo0
+match out on lo0 from < regress.1> to <regress.2> nat-to lo0
+match out on !lo0 from !<regress.1 > to <regress.2> nat-to lo0
+match in on lo0 from <regress.1> to <regress.2> rdr-to lo0
+match in on !lo0 from !< regress.1 > to <regress.2> rdr-to lo0
 match in from { <regress.1> !<regress.2> } to any
 match out from any to { !<regress.1>, <regress.2> }
 pass in from <regress> to any
diff --git a/regress/sbin/pfctl/pf51.in b/regress/sbin/pfctl/pf51.in
index 027cb3cefc8..542d4089163 100644
--- a/regress/sbin/pfctl/pf51.in
+++ b/regress/sbin/pfctl/pf51.in
@@ -2,7 +2,7 @@
 pass in on lo0 all
 set require-order no
-nat on lo0 from any to any -> 127.0.0.1
+match out on lo0 from any to any nat-to 127.0.0.1
 altq on lo0 tbrsize 1824 cbq bandwidth 10Mb queue { toad, frog }
 queue toad bandwidth 1Mb
 queue frog bandwidth 90% cbq(default)
diff --git a/regress/sbin/pfctl/pf66.in b/regress/sbin/pfctl/pf66.in
index 1be348f9503..5b9323aa249 100644
--- a/regress/sbin/pfctl/pf66.in
+++ b/regress/sbin/pfctl/pf66.in
@@ -1,10 +1,10 @@
 # test specified nat translation ports
-nat on lo0 from 192.168.1.1 to any -> 10.0.0.1 port 500
-nat on lo0 proto tcp from 192.168.1.2 to any -> 10.0.0.2 port 1000:5000
-nat on lo0 proto udp from 192.168.1.3 to any -> 10.0.0.3 port 5000:1000
-nat on lo0 proto udp from 192.168.1.4 to any -> 10.0.0.4 port 50000:50000
-nat on lo0 proto tcp from 192.168.1.2 to any -> 10.0.0.2 port www:5000
-nat on lo0 proto udp from 192.168.1.3 to any -> 10.0.0.3 port 5000:www
+match out on lo0 from 192.168.1.1 to any nat-to 10.0.0.1 port 500
+match out on lo0 proto tcp from 192.168.1.2 to any nat-to 10.0.0.2 port 1000:5000
+match out on lo0 proto udp from 192.168.1.3 to any nat-to 10.0.0.3 port 5000:1000
+match out on lo0 proto udp from 192.168.1.4 to any nat-to 10.0.0.4 port 50000:50000
+match out on lo0 proto tcp from 192.168.1.2 to any nat-to 10.0.0.2 port www:5000
+match out on lo0 proto udp from 192.168.1.3 to any nat-to 10.0.0.3 port 5000:www
diff --git a/regress/sbin/pfctl/pf69.in b/regress/sbin/pfctl/pf69.in
index a795a9af3e3..059bc304678 100644
--- a/regress/sbin/pfctl/pf69.in
+++ b/regress/sbin/pfctl/pf69.in
@@ -1,3 +1,3 @@
-nat on lo0 inet all tag regress -> lo0
+match out on lo0 inet all tag regress nat-to lo0
 pass out quick on lo0 keep state tagged regress
diff --git a/regress/sbin/pfctl/pf84.in b/regress/sbin/pfctl/pf84.in
index bcccec9d179..17140a786d7 100644
--- a/regress/sbin/pfctl/pf84.in
+++ b/regress/sbin/pfctl/pf84.in
@@ -1,9 +1,9 @@
-nat on tun1000000 from 10.0.0.0/24 to any \
- -> { 10.0.1.1, 10.0.1.2 } round-robin sticky-address
-rdr on tun1000000 from any to 10.0.1.1 \
- -> { 10.0.0.0/24 } sticky-address random
-rdr on tun1000000 from any to 10.0.1.2 \
- -> { 10.0.0.1, 10.0.0.2 } sticky-address
+match out on tun1000000 from 10.0.0.0/24 to any \
+ nat-to { 10.0.1.1, 10.0.1.2 } round-robin sticky-address
+match in on tun1000000 from any to 10.0.1.1 \
+ rdr-to { 10.0.0.0/24 } sticky-address random
+match in on tun1000000 from any to 10.0.1.2 \
+ rdr-to { 10.0.0.1, 10.0.0.2 } sticky-address
 pass in proto tcp from any to any port 22 \
 keep state (source-track)
diff --git a/regress/sbin/pfctl/pfail10.in b/regress/sbin/pfctl/pfail10.in
index b73049ef418..996bdd2dbec 100644
--- a/regress/sbin/pfctl/pfail10.in
+++ b/regress/sbin/pfctl/pfail10.in
@@ -1,5 +1,5 @@
 # Test rule order processing: should fail unless nat -> filter
 set require-order yes
 pass in on lo1000000 all
-nat on lo0 all -> lo0
+match out on lo0 all nat-to lo0
diff --git a/regress/sbin/pfctl/pfail19.in b/regress/sbin/pfctl/pfail19.in
index 1d5ed147d6a..81da3eb6fa5 100644
--- a/regress/sbin/pfctl/pfail19.in
+++ b/regress/sbin/pfctl/pfail19.in
@@ -1,6 +1,6 @@
 # invalid table constructs
-rdr on lo0 from any to any -> <sometable>
-nat on lo0 from any to any -> <sometable>
+match in on lo0 from any to any rdr-to <sometable>
+match out on lo0 from any to any nat-to <sometable>
 binat on lo0 from 1.1.1.1 to any -> <sometable>
 binat on lo0 from <sometable> to any -> 1.1.1.1
 pass in dup-to (lo0 <sometable>) all
diff --git a/regress/sbin/pfctl/pfail20.in b/regress/sbin/pfctl/pfail20.in
index 5a00a0752f9..faefcdf4287 100644
--- a/regress/sbin/pfctl/pfail20.in
+++ b/regress/sbin/pfctl/pfail20.in
@@ -1,6 +1,6 @@
 # dynamic interface expansion has limitations; and NAT stuff must be af uniq
-rdr on lo0 from any to any -> (lo0)
-nat on lo0 from (lo0) to any -> (lo0)
-rdr on lo0 inet6 from 10.0.0.1 -> (lo0)
-
\ No newline at end of file
+match in on lo0 from any to any rdr-to (lo0)
+match out on lo0 from (lo0) to any nat-to (lo0)
+match in on lo0 inet6 from 10.0.0.1 rdr-to (lo0)
+
diff --git a/regress/sbin/pfctl/pfail41.in b/regress/sbin/pfctl/pfail41.in
index 92fd71ba7e3..11f85ab07ee 100644
--- a/regress/sbin/pfctl/pfail41.in
+++ b/regress/sbin/pfctl/pfail41.in
@@ -1,3 +1,3 @@
 # we have to bail out on host() errors
-nat on lo0 from any to 10/8 -> 10.0.0.0.1
+match out on lo0 from any to 10/8 nat-to 10.0.0.0.1
diff --git a/regress/sbin/pfctl/pfail49.in b/regress/sbin/pfctl/pfail49.in
index f5463f1822f..0dc18914aba 100644
--- a/regress/sbin/pfctl/pfail49.in
+++ b/regress/sbin/pfctl/pfail49.in
@@ -1,10 +1,10 @@
 # dynamic interfaces need not exist at load-time, but names must start
 # with a letter. catches common macro typo cases of ($ext_ip) vs. ($ext_if)
-nat on lo0 from any to any -> (lo0)
-nat on lo0 from any to any -> (lo0:0)
-nat on lo0 from any to any -> (nonexistent0)
-nat on lo0 from any to any -> (nonexistent0:0)
-nat on lo0 from any to any -> (10.1.2.3)
-nat on lo0 from any to any -> (10.1.2.3:0)
+match out on lo0 from any to any nat-to (lo0)
+match out on lo0 from any to any nat-to (lo0:0)
+match out on lo0 from any to any nat-to (nonexistent0)
+match out on lo0 from any to any nat-to (nonexistent0:0)
+match out on lo0 from any to any nat-to (10.1.2.3)
+match out on lo0 from any to any nat-to (10.1.2.3:0)
diff --git a/regress/sbin/pfctl/pfail9.in b/regress/sbin/pfctl/pfail9.in
index 88109f8e4c5..0b3ecda8cfb 100644
--- a/regress/sbin/pfctl/pfail9.in
+++ b/regress/sbin/pfctl/pfail9.in
@@ -3,5 +3,5 @@
 set require-order yes
 match in on lo0 all
 pass in on lo1000000 all # bork
-nat on lo0 all -> lo0
+match out on lo0 all nat-to lo0
diff --git a/regress/sbin/pfctl/pfopt2.in b/regress/sbin/pfctl/pfopt2.in
index 1bad361f858..fd9b2442692 100644
--- a/regress/sbin/pfctl/pfopt2.in
+++ b/regress/sbin/pfctl/pfopt2.in
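Review bot: pfail20.in packs three rules that are each expected to be rejected, and the conversion changes the keyword and direction on all of them while the diffstat lists only `.in` files. If the harness compares pfctl's diagnostics against a stored expectation, those messages may differ under the new grammar, and the file could keep failing for a reason other than the two its comment names. The same applies to pfail19.in, pfail41.in and pfail49.in; I would confirm that the expected-output files for these tests were regenerated and reviewed alongside this change.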
@@ -16,8 +16,8 @@
 queue pri-med priority 1 priq(default)
 queue pri-high priority 2
 # NAT -N
-rdr on $ext_if inet from any to any -> 127.0.0.1
-nat on $ext_if inet from any to any -> 127.0.0.1
+match in on $ext_if inet from any to any rdr-to 127.0.0.1
+match out on $ext_if inet from any to any nat-to 127.0.0.1
 binat on $ext_if inet from 192.168.0.0/24 to 192.168.0.1/24 -> 192.168.0.3/24
 # FILTER, -R
diff --git a/regress/sbin/pfctl/pfopt3.in b/regress/sbin/pfctl/pfopt3.in
index 1bad361f858..fd9b2442692 100644
--- a/regress/sbin/pfctl/pfopt3.in
+++ b/regress/sbin/pfctl/pfopt3.in
@@ -16,8 +16,8 @@
 queue pri-med priority 1 priq(default)
 queue pri-high priority 2
 # NAT -N
-rdr on $ext_if inet from any to any -> 127.0.0.1
-nat on $ext_if inet from any to any -> 127.0.0.1
+match in on $ext_if inet from any to any rdr-to 127.0.0.1
+match out on $ext_if inet from any to any nat-to 127.0.0.1
 binat on $ext_if inet from 192.168.0.0/24 to 192.168.0.1/24 -> 192.168.0.3/24
 # FILTER, -R
diff --git a/regress/sbin/pfctl/pfopt4.in b/regress/sbin/pfctl/pfopt4.in
index 1bad361f858..fd9b2442692 100644
--- a/regress/sbin/pfctl/pfopt4.in
+++ b/regress/sbin/pfctl/pfopt4.in
@@ -16,8 +16,8 @@
 queue pri-med priority 1 priq(default)
 queue pri-high priority 2
 # NAT -N
-rdr on $ext_if inet from any to any -> 127.0.0.1
-nat on $ext_if inet from any to any -> 127.0.0.1
+match in on $ext_if inet from any to any rdr-to 127.0.0.1
+match out on $ext_if inet from any to any nat-to 127.0.0.1
 binat on $ext_if inet from 192.168.0.0/24 to 192.168.0.1/24 -> 192.168.0.3/24
 # FILTER, -R
diff --git a/regress/sbin/pfctl/pfopt5.in b/regress/sbin/pfctl/pfopt5.in
index 1bad361f858..fd9b2442692 100644
--- a/regress/sbin/pfctl/pfopt5.in
+++ b/regress/sbin/pfctl/pfopt5.in
@@ -16,8 +16,8 @@
 queue pri-med priority 1 priq(default)
 queue pri-high priority 2
 # NAT -N
-rdr on $ext_if inet from any to any -> 127.0.0.1
-nat on $ext_if inet from any to any -> 127.0.0.1
+match in on $ext_if inet from any to any rdr-to 127.0.0.1
+match out on $ext_if inet from any to any nat-to 127.0.0.1
 binat on $ext_if inet from 192.168.0.0/24 to 192.168.0.1/24 -> 192.168.0.3/24
 # FILTER, -R |