fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule.  essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault

2 files changed, 13 insertions, 12 deletions

diff --git a/sbin/pfctl/parse.y b/sbin/pfctl/parse.y
index ef9de03522f..2d814d6e857 100644
--- a/sbin/pfctl/parse.y
+++ b/sbin/pfctl/parse.y
@@ -1,4 +1,4 @@
-/*	$OpenBSD: parse.y,v 1.611 2011/12/03 12:46:16 mcbride Exp $	*/
+/*	$OpenBSD: parse.y,v 1.612 2011/12/12 21:30:27 mikeb Exp $	*/
 
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@@ -896,7 +896,6 @@ anchorrule	: ANCHOR anchorname dir quick interface af proto fromto
 
 			decide_address_family($8.src.host, &r.af);
 			decide_address_family($8.dst.host, &r.af);
-			r.naf = r.af;
 
 			expand_rule(&r, 0, $5, NULL, NULL, NULL, $7, $8.src_os,
 			    $8.src.host, $8.src.port, $8.dst.host, $8.dst.port,
@@ -1726,6 +1725,7 @@ pfrule		: action dir logquick interface af proto fromto
 					    "translation");
 					YYERROR;
 				}
+				r.rule_flag |= PFRULE_AFTO;
 			}
 			r.af = $5;
 
@@ -2012,7 +2012,6 @@ pfrule		: action dir logquick interface af proto fromto
 
 			decide_address_family($7.src.host, &r.af);
 			decide_address_family($7.dst.host, &r.af);
-			r.naf = r.af;
 
 			if ($8.route.rt) {
 				if (!r.direction) {
@@ -4194,7 +4193,7 @@ rule_consistent(struct pf_rule *r, int anchor_call)
 			   "must not be used on match rules");
 			problems++;
 		}
-		if (r->nat.addr.type != PF_ADDR_NONE && r->naf != r->af) {
+		if (r->rule_flag & PFRULE_AFTO) {
 			yyerror("af-to is not supported on match rules");
 			problems++;
 		}
@@ -4697,21 +4696,22 @@ collapse_redirspec(struct pf_pool *rpool, struct pf_rule *r,
 	struct pf_rule_addr ra;
 	int	i = 0;
 
-	if (rs && rs->af)
-		r->naf = rs->af;
-
 	if (!rs || !rs->rdr || rs->rdr->host == NULL) {
 		rpool->addr.type = PF_ADDR_NONE;
 		return (0);
 	}
 
+	if (r->rule_flag & PFRULE_AFTO)
+		r->naf = rs->af;
+
 	/* count matching addresses */
 	for (h = rs->rdr->host; h != NULL; h = h->next) {
 		if (!r->af || !h->af || rs->af || h->af == r->af) {
 			i++;
 			if (h->af && !r->af)
 				r->af = h->af;
-		}
+		} else if (r->naf && h->af == r->naf)
+			i++;
 	}
 
 	if (i == 0) {		/* no pool address */
@@ -4720,7 +4720,8 @@ collapse_redirspec(struct pf_pool *rpool, struct pf_rule *r,
 		return (1);
 	} else if (i == 1) {	/* only one address */
 		for (h = rs->rdr->host; h != NULL; h = h->next)
-			if (!h->af || !r->af || rs->af || r->af == h->af)
+			if (!h->af || !r->af || rs->af || r->af == h->af ||
+			    (r->naf && r->naf == h->af))
 				break;
 		rpool->addr = h->addr;
 		if (!allow_if && h->ifname) {
@@ -4889,7 +4890,7 @@ expand_rule(struct pf_rule *r, int keeprule, struct node_if *interfaces,
 	LOOP_THROUGH(struct node_uid, uid, uids,
 	LOOP_THROUGH(struct node_gid, gid, gids,
 
-		r->af = af;
+		r->af = r->naf = af;
 
 		error += collapse_redirspec(&r->rdr, r, rdr, 0);
 		error += collapse_redirspec(&r->nat, r, nat, 0);
diff --git a/sbin/pfctl/pfctl_parser.c b/sbin/pfctl/pfctl_parser.c
index 2fd27648d46..47bd4ce5fcb 100644
--- a/sbin/pfctl/pfctl_parser.c
+++ b/sbin/pfctl/pfctl_parser.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pfctl_parser.c,v 1.283 2011/11/23 10:24:37 henning Exp $ */
+/*	$OpenBSD: pfctl_parser.c,v 1.284 2011/12/12 21:30:27 mikeb Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -1058,7 +1058,7 @@ print_rule(struct pf_rule *r, const char *anchor_call, int opts)
 		printf(" divert-packet port %u", ntohs(r->divert_packet.port));
 
 	if (!anchor_call[0] && r->nat.addr.type != PF_ADDR_NONE &&
-	    r->naf != r->af) {
+	    r->rule_flag & PFRULE_AFTO) {
 		printf(" af-to %s from ", r->naf == AF_INET ? "inet" : "inet6");
 		print_pool(&r->nat, r->nat.proxy_port[0],
 		    r->nat.proxy_port[1], r->naf ? r->naf : r->af,