Increasing counters on "match" rules causes the 1st packet making a
connection to be double-counted, but only for rule counters, not rules'
tables, because those are not increased at all during rule parsing. Remove
"match" rule counter handling during rule parsing, do it only in
pf_counters_inc().

NAT can be performed either by "nat" rules in the NAT ruleset or by "match"
rules. Rules before the NAT rule, and the NAT rule itself match on pre-NAT
addresses, and later rules match on post-NAT addresses. When increasing
counters go over rules in the same order as a packet would and use source
and destination addresses for updating table counters from appropriate state
key, taking into consideration on which rule NAT happens.

Use AF from state key, so that table counters can be properly updated for
af-to rules.

Synchronize match rule updating behaviour to that of OpenBSD: if rules
match, but state is not created, don't update counters.