MFC r332457:
Use cfg->nomatch_verdict as return value from NAT64LSN handler when given mbuf is considered as not matched. If mbuf was consumed or freed during handling, we must return IP_FW_DENY, since ipfw's pfil handler ipfw_check_packet() expects IP_FW_DENY when mbuf pointer is NULL. This fixes KASSERT panics when NAT64 is used with INVARIANTS. Also remove unused nomatch_final field from struct nat64lsn_cfg. Reported by: Justin Holcomb <justin at justinholcomb dot me>