Index: pf.c
===================================================================
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.1118
diff -u -p -r1.1118 pf.c
--- pf.c	1 Jun 2021 09:57:11 -0000	1.1118
+++ pf.c	21 Jun 2021 03:38:46 -0000
@@ -259,6 +259,7 @@ void			 pf_state_key_link_inpcb(struct p
 void			 pf_state_key_unlink_inpcb(struct pf_state_key *);
 void			 pf_inpcb_unlink_state_key(struct inpcb *);
 void			 pf_pktenqueue_delayed(void *);
+int32_t			 pf_state_expires(const struct pf_state *, uint8_t);
 
 #if NPFLOG > 0
 void			 pf_log_matches(struct pf_pdesc *, struct pf_rule *,
@@ -1183,7 +1184,7 @@ pf_state_export(struct pfsync_state *sp,
 	sp->rt = st->rt;
 	sp->rt_addr = st->rt_addr;
 	sp->creation = htonl(getuptime() - st->creation);
-	expire = pf_state_expires(st);
+	expire = pf_state_expires(st, st->timeout);
 	if (expire <= getuptime())
 		sp->expire = htonl(0);
 	else
@@ -1290,7 +1291,7 @@ pf_purge(void *xnloops)
 }
 
 int32_t
-pf_state_expires(const struct pf_state *state)
+pf_state_expires(const struct pf_state *state, uint8_t stimeout)
 {
 	u_int32_t	timeout;
 	u_int32_t	start;
@@ -1298,15 +1299,15 @@ pf_state_expires(const struct pf_state *
 	u_int32_t	states;
 
 	/* handle all PFTM_* > PFTM_MAX here */
-	if (state->timeout == PFTM_PURGE)
+	if (stimeout == PFTM_PURGE)
 		return (0);
 
-	KASSERT(state->timeout != PFTM_UNLINKED);
-	KASSERT(state->timeout < PFTM_MAX);
+	KASSERT(stimeout != PFTM_UNLINKED);
+	KASSERT(stimeout < PFTM_MAX);
 
-	timeout = state->rule.ptr->timeout[state->timeout];
+	timeout = state->rule.ptr->timeout[stimeout];
 	if (!timeout)
-		timeout = pf_default_rule.timeout[state->timeout];
+		timeout = pf_default_rule.timeout[stimeout];
 
 	start = state->rule.ptr->timeout[PFTM_ADAPTIVE_START];
 	if (start) {
@@ -1467,6 +1468,8 @@ pf_purge_expired_states(u_int32_t maxche
 
 	PF_STATE_ENTER_READ();
 	while (maxcheck--) {
+		uint8_t stimeout;
+
 		/* wrap to start of list when we hit the end */
 		if (cur == NULL) {
 			cur = pf_state_ref(TAILQ_FIRST(&state_list));
@@ -1477,8 +1480,9 @@ pf_purge_expired_states(u_int32_t maxche
 		/* get next state, as cur may get deleted */
 		next = TAILQ_NEXT(cur, entry_list);
 
-		if ((cur->timeout == PFTM_UNLINKED) ||
-		    (pf_state_expires(cur) <= getuptime()))
+		stimeout = cur->timeout;
+		if ((stimeout == PFTM_UNLINKED) ||
+		    (pf_state_expires(cur, stimeout) <= getuptime()))
 			SLIST_INSERT_HEAD(&gcl, cur, gc_list);
 		else
 			pf_state_unref(cur);
Index: pfvar.h
===================================================================
RCS file: /cvs/src/sys/net/pfvar.h,v
retrieving revision 1.500
diff -u -p -r1.500 pfvar.h
--- pfvar.h	10 Mar 2021 10:21:48 -0000	1.500
+++ pfvar.h	21 Jun 2021 03:38:46 -0000
@@ -1781,7 +1781,6 @@ int	pf_normalize_tcp_stateful(struct pf_
 	    int *);
 int	pf_normalize_mss(struct pf_pdesc *, u_int16_t);
 void	pf_scrub(struct mbuf *, u_int16_t, sa_family_t, u_int8_t, u_int8_t);
-int32_t	pf_state_expires(const struct pf_state *);
 void	pf_purge_expired_fragments(void);
 int	pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *,
 	    int);