invade the tcp and udp stacks: they have to keep track of connections, and for that they use "protocol control blocks" (pcb for short), prefixed by the address family (inpcb). use the pf state key to keep track for them!

struct pf_state_key {
	struct pf_addr addr[2];
	u_int16_t port[2];
	sa_family_t af;
	u_int8_t proto;
	u_int8_t pad[2];
	RB_ENTRY(pf_state_key) entry;
	struct pf_statelisthead states;
	struct pf_state_key *reverse;
};

struct inpcb *inp;