invasion, tcp first before searching for an inpcb on our own, check the statekey, and skip the lookup if there is one if (m->m_pkthdr.pf.statekey) inp = ((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp; when we did search, try to link it with the statekey if (m->m_pkthdr.pf.statekey && inp) { ((struct pf_state_key *)m->m_pkthdr.pf.statekey)->inp = inp; inp->inp_pf_sk = m->m_pkthdr.pf.statekey; } not shown: must break the link when either the statekey or the inp go away, of course