diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h
--- a/sys/net/pfvar.h
+++ b/sys/net/pfvar.h
@@ -1675,6 +1675,9 @@
 struct pf_state_key	*pf_state_key_setup(struct pf_pdesc *, struct pf_addr *,
 			    struct pf_addr *, u_int16_t, u_int16_t);
 struct pf_state_key	*pf_state_key_clone(struct pf_state_key *);
+
+struct pfi_kkif		*pf_kkif_create(int);
+void			 pf_kkif_free(struct pfi_kkif *);
 #endif /* _KERNEL */
 
 #endif /* _NET_PFVAR_H_ */
diff --git a/sys/netpfil/pf/pf_if.c b/sys/netpfil/pf/pf_if.c
--- a/sys/netpfil/pf/pf_if.c
+++ b/sys/netpfil/pf/pf_if.c
@@ -133,7 +133,7 @@
 		nkifs++;
 
 	for (int n = 0; n < nkifs; n++) {
-		kif = malloc(sizeof(*kif), PFI_MTYPE, M_WAITOK);
+		kif = pf_kkif_create(M_WAITOK);
 		LIST_INSERT_HEAD(&kifs, kif, pfik_list);
 	}
 
@@ -193,13 +193,13 @@
 			if_rele(kif->pfik_ifp);
 			kif->pfik_ifp->if_pf_kif = NULL;
 		}
-		free(kif, PFI_MTYPE);
+		pf_kkif_free(kif);
 	}
 
 	mtx_lock(&pfi_unlnkdkifs_mtx);
 	while ((kif = LIST_FIRST(&V_pfi_unlinked_kifs))) {
 		LIST_REMOVE(kif, pfik_list);
-		free(kif, PFI_MTYPE);
+		pf_kkif_free(kif);
 	}
 	mtx_unlock(&pfi_unlnkdkifs_mtx);
 
@@ -218,6 +218,25 @@
 	EVENTHANDLER_DEREGISTER(ifaddr_event, pfi_ifaddr_event_cookie);
 }
 
+struct pfi_kkif*
+pf_kkif_create(int flags)
+{
+	struct pfi_kkif *kif;
+
+	kif = malloc(sizeof(*kif), PFI_MTYPE, flags);
+
+	return (kif);
+}
+
+void
+pf_kkif_free(struct pfi_kkif *kif)
+{
+	if (! kif)
+		return;
+
+	free(kif, PFI_MTYPE);
+}
+
 struct pfi_kkif *
 pfi_kkif_find(const char *kif_name)
 {
@@ -241,7 +260,7 @@
 
 	kif1 = pfi_kkif_find(kif_name);
 	if (kif1 != NULL) {
-		free(kif, PFI_MTYPE);
+		pf_kkif_free(kif);
 		return (kif1);
 	}
 
@@ -310,7 +329,7 @@
 	LIST_FOREACH_SAFE(kif, &V_pfi_unlinked_kifs, pfik_list, kif1) {
 		if (!(kif->pfik_flags & PFI_IFLAG_REFS)) {
 			LIST_REMOVE(kif, pfik_list);
-			free(kif, PFI_MTYPE);
+			pf_kkif_free(kif);
 		} else
 			kif->pfik_flags &= ~PFI_IFLAG_REFS;
 	}
@@ -415,7 +434,7 @@
 	if ((dyn = malloc(sizeof(*dyn), PFI_MTYPE, M_NOWAIT | M_ZERO)) == NULL)
 		return (ENOMEM);
 
-	if ((kif = malloc(sizeof(*kif), PFI_MTYPE, M_NOWAIT)) == NULL) {
+	if ((kif = pf_kkif_create(M_NOWAIT)) == NULL) {
 		free(dyn, PFI_MTYPE);
 		return (ENOMEM);
 	}
@@ -825,7 +844,7 @@
 	struct epoch_tracker et;
 	struct pfi_kkif	*p, *kif;
 
-	kif = malloc(sizeof(*kif), PFI_MTYPE, M_NOWAIT);
+	kif = pf_kkif_create(M_NOWAIT);
 	if (kif == NULL)
 		return (ENOMEM);
 
@@ -858,7 +877,7 @@
 		    p->pfik_flags == 0 && p->pfik_rulerefs == 0) {
 			/* Delete this kif. */
 			RB_REMOVE(pfi_ifhead, &V_pfi_ifs, p);
-			free(p, PFI_MTYPE);
+			pf_kkif_free(p);
 		}
 	}
 	NET_EPOCH_EXIT(et);
@@ -895,7 +914,7 @@
 		/* Avoid teardown race in the least expensive way. */
 		return;
 	}
-	kif = malloc(sizeof(*kif), PFI_MTYPE, M_WAITOK);
+	kif = pf_kkif_create(M_NOWAIT);
 	NET_EPOCH_ENTER(et);
 	PF_RULES_WLOCK();
 	pfi_attach_ifnet(ifp, kif);
@@ -950,7 +969,7 @@
 		/* Avoid teardown race in the least expensive way. */
 		return;
 	}
-	kif = malloc(sizeof(*kif), PFI_MTYPE, M_WAITOK);
+	kif = pf_kkif_create(M_WAITOK);
 	NET_EPOCH_ENTER(et);
 	PF_RULES_WLOCK();
 	pfi_attach_ifgroup(ifg, kif);
@@ -969,7 +988,7 @@
 		return;
 	}
 
-	kif = malloc(sizeof(*kif), PFI_MTYPE, M_WAITOK);
+	kif = pf_kkif_create(M_WAITOK);
 	NET_EPOCH_ENTER(et);
 	PF_RULES_WLOCK();
 	V_pfi_update++;
diff --git a/sys/netpfil/pf/pf_ioctl.c b/sys/netpfil/pf/pf_ioctl.c
--- a/sys/netpfil/pf/pf_ioctl.c
+++ b/sys/netpfil/pf/pf_ioctl.c
@@ -1837,7 +1837,7 @@
 		pf_rule_to_krule(&pr->rule, rule);
 
 		if (rule->ifname[0])
-			kif = malloc(sizeof(*kif), PFI_MTYPE, M_WAITOK);
+			kif = pf_kkif_create(M_WAITOK);
 		rule->evaluations = counter_u64_alloc(M_WAITOK);
 		for (int i = 0; i < 2; i++) {
 			rule->packets[i] = counter_u64_alloc(M_WAITOK);
@@ -1979,7 +1979,7 @@
 		counter_u64_free(rule->src_nodes);
 		free(rule, M_PFRULE);
 		if (kif)
-			free(kif, PFI_MTYPE);
+			pf_kkif_free(kif);
 		break;
 	}
 
@@ -2106,7 +2106,7 @@
 			pf_rule_to_krule(&pcr->rule, newrule);
 
 			if (newrule->ifname[0])
-				kif = malloc(sizeof(*kif), PFI_MTYPE, M_WAITOK);
+				kif = pf_kkif_create(M_WAITOK);
 			newrule->evaluations = counter_u64_alloc(M_WAITOK);
 			for (int i = 0; i < 2; i++) {
 				newrule->packets[i] =
@@ -2296,7 +2296,7 @@
 			free(newrule, M_PFRULE);
 		}
 		if (kif != NULL)
-			free(kif, PFI_MTYPE);
+			pf_kkif_free(kif);
 		break;
 	}
 
@@ -2932,12 +2932,12 @@
 		pa = malloc(sizeof(*pa), M_PFRULE, M_WAITOK);
 		pf_pooladdr_to_kpooladdr(&pp->addr, pa);
 		if (pa->ifname[0])
-			kif = malloc(sizeof(*kif), PFI_MTYPE, M_WAITOK);
+			kif = pf_kkif_create(M_WAITOK);
 		PF_RULES_WLOCK();
 		if (pp->ticket != V_ticket_pabuf) {
 			PF_RULES_WUNLOCK();
 			if (pa->ifname[0])
-				free(kif, PFI_MTYPE);
+				pf_kkif_free(kif);
 			free(pa, M_PFRULE);
 			error = EBUSY;
 			break;
@@ -3049,7 +3049,7 @@
 			newpa = malloc(sizeof(*newpa), M_PFRULE, M_WAITOK);
 			bcopy(&pca->addr, newpa, sizeof(struct pf_pooladdr));
 			if (newpa->ifname[0])
-				kif = malloc(sizeof(*kif), PFI_MTYPE, M_WAITOK);
+				kif = pf_kkif_create(M_WAITOK);
 			newpa->kif = NULL;
 		}
 #define	ERROUT(x)	{ error = (x); goto DIOCCHANGEADDR_error; }
@@ -3140,7 +3140,7 @@
 		}
 		PF_RULES_WUNLOCK();
 		if (kif != NULL)
-			free(kif, PFI_MTYPE);
+			pf_kkif_free(kif);
 		break;
 	}