Index: sys/net/pfil.h =================================================================== --- sys/net/pfil.h +++ sys/net/pfil.h @@ -194,6 +194,10 @@ /* Public functions to run the packet inspection by inspection points. */ int pfil_run_hooks(struct pfil_head *, pfil_packet_t, struct ifnet *, int, struct inpcb *inp); +int pfil_run_hooks_in(struct pfil_head *, pfil_packet_t, struct ifnet *, + struct inpcb *inp); +int pfil_run_hooks_out(struct pfil_head *, pfil_packet_t, struct ifnet *, + struct inpcb *inp); /* * Minimally exposed structure to avoid function call in case of absence * of any filters by protocols and macros to do the check. Index: sys/net/pfil.c =================================================================== --- sys/net/pfil.c +++ sys/net/pfil.c @@ -198,6 +198,42 @@ return (rv); } +static __always_inline int +pfil_run_hooks_simple(pfil_chain_t *pch, pfil_packet_t p, struct ifnet *ifp, + int flags, struct inpcb *inp) +{ + struct pfil_link *link; + pfil_return_t rv; + + NET_EPOCH_ASSERT(); + KASSERT(flags == PFIL_IN || flags == PFIL_OUT, + ("%s: unsupported flags %d", __func__, flags)); + + rv = PFIL_PASS; + CK_STAILQ_FOREACH(link, pch, link_chain) { + rv = (*link->link_func)(p, ifp, flags, link->link_ruleset, inp); + if (rv == PFIL_DROPPED || rv == PFIL_CONSUMED) + break; + } + return (rv); +} + +int +pfil_run_hooks_in(struct pfil_head *head, pfil_packet_t p, struct ifnet *ifp, + struct inpcb *inp) +{ + + return (pfil_run_hooks_simple(&head->head_in, p, ifp, PFIL_IN, inp)); +} + +int +pfil_run_hooks_out(struct pfil_head *head, pfil_packet_t p, struct ifnet *ifp, + struct inpcb *inp) +{ + + return (pfil_run_hooks_simple(&head->head_out, p, ifp, PFIL_OUT, inp)); +} + /* * pfil_head_register() registers a pfil_head with the packet filter hook * mechanism. Index: sys/netinet/ip_fastfwd.c =================================================================== --- sys/netinet/ip_fastfwd.c +++ sys/netinet/ip_fastfwd.c 
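Review bot: The two new prototypes in pfil.h, `pfil_run_hooks_in` and `pfil_run_hooks_out`, sit under the existing "Public functions" comment with nothing that tells a caller how they differ from `pfil_run_hooks`. As the pfil.c part of this change shows, they take no flags argument and always hand the hooks exactly `PFIL_IN` or `PFIL_OUT`, so a call site that needs any other flag bit has to stay on `pfil_run_hooks`. I would add a short comment above them, for example `/* Direction-specific runners: flags are fixed to PFIL_IN / PFIL_OUT; use pfil_run_hooks() when other flag bits are required. */`.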
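Review bot: In `pfil_run_hooks_simple` the loop treats only `PFIL_DROPPED` and `PFIL_CONSUMED` as final, so any other non-pass verdict from a hook is overwritten by the next hook's return value, and the caller can end up seeing `PFIL_PASS` for a packet that an earlier hook did not simply pass. The `pfil_return_t` values are not shown in this diff, so whether a hook can return anything else on these paths needs confirming. If it cannot, an assertion after the `break` test would catch a misbehaving filter module before it silently weakens the verdict, e.g. `KASSERT(rv == PFIL_PASS, ("%s: unexpected verdict %d", __func__, rv));`. The function also has no comment; one line saying that `flags` must be exactly `PFIL_IN` or `PFIL_OUT`, and that the existing `KASSERT` checks this only on kernels built with INVARIANTS, would help the next caller.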
@@ -310,7 +310,7 @@ if (!PFIL_HOOKED_IN(V_inet_pfil_head)) goto passin; - if (pfil_run_hooks(V_inet_pfil_head, &m, m->m_pkthdr.rcvif, PFIL_IN, + if (pfil_run_hooks_in(V_inet_pfil_head, &m, m->m_pkthdr.rcvif, NULL) != PFIL_PASS) goto drop; @@ -402,8 +402,8 @@ if (!PFIL_HOOKED_OUT(V_inet_pfil_head)) goto passout; - if (pfil_run_hooks(V_inet_pfil_head, &m, nh->nh_ifp, - PFIL_OUT, NULL) != PFIL_PASS) + if (pfil_run_hooks_out(V_inet_pfil_head, &m, nh->nh_ifp, + NULL) != PFIL_PASS) goto drop; M_ASSERTVALID(m); Index: sys/netinet/ip_input.c =================================================================== --- sys/netinet/ip_input.c +++ sys/netinet/ip_input.c @@ -609,7 +609,7 @@ goto passin; odst = ip->ip_dst; - if (pfil_run_hooks(V_inet_pfil_head, &m, ifp, PFIL_IN, NULL) != + if (pfil_run_hooks_in(V_inet_pfil_head, &m, ifp, NULL) != PFIL_PASS) return; if (m == NULL) /* consumed by filter */ Index: sys/netinet6/ip6_fastfwd.c =================================================================== --- sys/netinet6/ip6_fastfwd.c +++ sys/netinet6/ip6_fastfwd.c @@ -164,7 +164,7 @@ */ if (!PFIL_HOOKED_IN(V_inet6_pfil_head)) goto passin; - if (pfil_run_hooks(V_inet6_pfil_head, &m, rcvif, PFIL_IN, NULL) != + if (pfil_run_hooks_in(V_inet6_pfil_head, &m, rcvif, NULL) != PFIL_PASS) goto dropin; /* @@ -214,7 +214,7 @@ /* * Outgoing packet firewall processing. */ - if (pfil_run_hooks(V_inet6_pfil_head, &m, nh->nh_ifp, PFIL_OUT, + if (pfil_run_hooks_out(V_inet6_pfil_head, &m, nh->nh_ifp, NULL) != PFIL_PASS) goto dropout; Index: sys/netinet6/ip6_forward.c =================================================================== --- sys/netinet6/ip6_forward.c +++ sys/netinet6/ip6_forward.c 
@@ -313,7 +313,7 @@ odst = ip6->ip6_dst; /* Run through list of hooks for forwarded packets. */ - if (pfil_run_hooks(V_inet6_pfil_head, &m, nh->nh_ifp, PFIL_OUT, + if (pfil_run_hooks_out(V_inet6_pfil_head, &m, nh->nh_ifp, NULL) != PFIL_PASS) goto freecopy; ip6 = mtod(m, struct ip6_hdr *); Index: sys/netinet6/ip6_input.c =================================================================== --- sys/netinet6/ip6_input.c +++ sys/netinet6/ip6_input.c @@ -731,7 +731,7 @@ goto passin; odst = ip6->ip6_dst; - if (pfil_run_hooks(V_inet6_pfil_head, &m, m->m_pkthdr.rcvif, PFIL_IN, + if (pfil_run_hooks_in(V_inet6_pfil_head, &m, m->m_pkthdr.rcvif, NULL) != PFIL_PASS) return; ip6 = mtod(m, struct ip6_hdr *); Index: sys/netinet6/ip6_output.c =================================================================== --- sys/netinet6/ip6_output.c +++ sys/netinet6/ip6_output.c @@ -1014,7 +1014,7 @@ odst = ip6->ip6_dst; /* Run through list of hooks for output packets. */ - switch (pfil_run_hooks(V_inet6_pfil_head, &m, ifp, PFIL_OUT, inp)) { + switch (pfil_run_hooks_out(V_inet6_pfil_head, &m, ifp, inp)) { case PFIL_PASS: ip6 = mtod(m, struct ip6_hdr *); break;