State table reorganisation Evolution by design Initial goal: end-to-end connection tracking PF states, routing, IPsec, tcp/udp all do similar lookups 2 PF state lookups done on a forwarded packet We can combine these into a single lookup A number of other improvements were obtained along the way Single 'pf_test_rules' rather than protocol-specific almost copies Improved state creation code Fix handling 'if-bound' states Deprecation of 'scrub' rules Deprecation of separate translation ruleset 'match' rules