
pf: delay taking the rules lock in pf_test()

Description

pf: delay taking the rules lock in pf_test()

We don't need the rules lock to protect the mbuf, or even the kif. If an
interface is removed (which is the only way for a kif to go away) we're not
going to receive traffic on it.

We can't delay taking the lock more, because pf_setup_pdesc() calls the
normalisation code, which iterates the scrub rules. If we ever get rid of those
(as OpenBSD has) it should be possible to delay taking the rules lock until we
actually need to iterate over the rules. That is, we might be able to avoid taking
it at all if we match an existing state.

Reviewed by: glebius
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D51329

Details

Provenance
kp Authored on Jul 13 2025, 2:04 PM
Reviewer
glebius
Differential Revision
D51329: pf: delay taking the rules lock in pf_test()
Parents
rG113f2f0c76a7: stress2: Updated dtrace comment