fixup af-to regression with match rules

pfctl should not infer the af-to behavior from the af/naf difference.
instead, we should be clear that this is an af-to rule.  essentially
this change converts FOM_AFTO marker into a rule flag PFRULE_AFTO so
that we don't rely on ambiguous checks (like r->af != r->naf) when
setting things up.

positive review and comments from claudio, ok henning, sperreault

1 files changed, 2 insertions, 3 deletions

diff --git a/sys/net/pf_ioctl.c b/sys/net/pf_ioctl.c
index aa883ba6d14..d8b963d39b5 100644
--- a/sys/net/pf_ioctl.c
+++ b/sys/net/pf_ioctl.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pf_ioctl.c,v 1.247 2011/11/29 10:17:52 dlg Exp $ */
+/*	$OpenBSD: pf_ioctl.c,v 1.248 2011/12/12 21:30:27 mikeb Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -2519,8 +2519,6 @@ pf_rule_copyin(struct pf_rule *from, struct pf_rule *to,
 	pf_pool_copyin(&from->rdr, &to->rdr);
 	pf_pool_copyin(&from->route, &to->route);
 
-	to->naf = from->naf;
-
 	if (pf_kif_setup(to->ifname, &to->kif))
 		return (EINVAL);
 	if (pf_kif_setup(to->rcv_ifname, &to->rcv_kif))
@@ -2603,6 +2601,7 @@ pf_rule_copyin(struct pf_rule *from, struct pf_rule *to,
 	to->match_tag_not = from->match_tag_not;
 	to->keep_state = from->keep_state;
 	to->af = from->af;
+	to->naf = from->naf;
 	to->proto = from->proto;
 	to->type = from->type;
 	to->code = from->code;