Fix use-after-free bugs in pfsync(4)

Use after free happens for state that is deleted. The reference
count is what prevents the state from being freed. When the
state is dequeued, the reference count is dropped and the memory
freed. We can't dereference the next pointer or re-queue the
state.

MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D8671