pfsync_update_net_tdb() is only called by pfsync_input() which already runs at IPL_SOFTNET. So trade the spl dance for an assert, ok?
Index: net/if_pfsync.c
===================================================================
RCS file: /cvs/src/sys/net/if_pfsync.c,v
retrieving revision 1.239
diff -u -p -r1.239 if_pfsync.c
--- net/if_pfsync.c 19 Dec 2016 15:46:28 -0000 1.239
+++ net/if_pfsync.c 19 Jan 2017 03:52:57 -0000
@@ -1164,7 +1164,8 @@ void
 pfsync_update_net_tdb(struct pfsync_tdb *pt)
 {
 struct tdb *tdb;
- int s;
+
+ splsoftassert(IPL_SOFTNET);
 /* check for invalid values */
 if (ntohl(pt->spi) <= SPI_RESERVED_MAX ||
@@ -1172,7 +1173,6 @@ pfsync_update_net_tdb(struct pfsync_tdb
 pt->dst.sa.sa_family != AF_INET6))
 goto bad;
- s = splsoftnet();
 tdb = gettdb(ntohs(pt->rdomain), pt->spi,
 (union sockaddr_union *)&pt->dst, pt->sproto);
 if (tdb) {
@@ -1182,14 +1182,12 @@ pfsync_update_net_tdb(struct pfsync_tdb
 /* Neither replay nor byte counter should ever decrease. */
 if (pt->rpl < tdb->tdb_rpl ||
 pt->cur_bytes < tdb->tdb_cur_bytes) {
- splx(s);
 goto bad;
 }
 tdb->tdb_rpl = pt->rpl;
 tdb->tdb_cur_bytes = pt->cur_bytes;
 }
- splx(s);
 return;
 bad:
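Review bot: The new `splsoftassert(IPL_SOFTNET);` at the top of pfsync_update_net_tdb() only checks the interrupt level and does not raise it, so the `gettdb()` lookup and the writes to `tdb->tdb_rpl` and `tdb->tdb_cur_bytes` are now protected solely by the caller's context. The patch message says pfsync_input() is the only caller, but that caller is not visible here, and if the assertion is compiled out or disabled (it is a diagnostic check, as far as I know) a later caller at a lower level would race on the TDB without any report. I would record the contract next to the assert, for example `/* Must be called at IPL_SOFTNET; the TDB lookup and update below rely on it. */`. In the third hunk the braces around `goto bad;` now hold a single statement and could be dropped. The function body ends outside the hunks shown.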