What can we improve?
Performance

end-to-end connection tracking
pf states, routing, ipsec, tcp/udp all do similar lookups
2 pf state lookups done on a forwarded packet
we can combine these into a single lookup

A bigger problem is "worst-case" performance: what happens when many
small packets traverse the entire ruleset and then create state.
this is extremely difficult to deal with
optimisation helps, so improve optimiser