pf: support one shot rules

Add support for one shot rules that remove themselves from an active
ruleset after match.
This is an extremely handy technique for firewall proxies.

ok henning, mcbride

Note that the FreeBSD implementation differs significantly from the OpenBSD
version due to locking differences. We do not remove the rule, but mark it as
having fired previously so we can skip it.

Obtained from: OpenBSD, mikeb <mikeb@openbsd.org>, c981122504
Obtained from: OpenBSD, sashan <sashan@openbsd.org>, a21b78cad0 (partial)
Sponsored by: Rubicon Communications, LLC ("Netgate")