diff --git a/firewall.go b/firewall.go
index 7cf3051b..8877bd83 100644
--- a/firewall.go
+++ b/firewall.go
@@ -77,7 +77,7 @@ type firewallMetrics struct {
 }
 
 type FirewallConntrack struct {
-	sync.RWMutex
+	sync.Mutex
 
 	Conns      map[firewall.Packet]*conn
 	TimerWheel *TimerWheel[firewall.Packet]
@@ -481,9 +481,9 @@ func (f *Firewall) Destroy() {
 
 func (f *Firewall) EmitStats() {
 	conntrack := f.Conntrack
-	conntrack.RLock()
+	conntrack.Lock()
 	conntrackCount := len(conntrack.Conns)
-	conntrack.RUnlock()
+	conntrack.Unlock()
 	metrics.GetOrRegisterGauge("firewall.conntrack.count", nil).Update(int64(conntrackCount))
 	metrics.GetOrRegisterGauge("firewall.rules.version", nil).Update(int64(f.rulesVersion))
 	metrics.GetOrRegisterGauge("firewall.rules.hash", nil).Update(int64(f.GetRuleHashFNV()))
@@ -496,20 +496,6 @@ func (f *Firewall) inConns(fp firewall.Packet, h *HostInfo, caPool *cert.CAPool,
 		}
 	}
 	conntrack := f.Conntrack
-
-	// Fast path: RLock for lookup only
-	conntrack.RLock()
-	c, ok := conntrack.Conns[fp]
-	if !ok {
-		conntrack.RUnlock()
-		return false
-	}
-
-	// Check if we need to validate against new rules (requires write lock)
-	needsRulesCheck := c.rulesVersion != f.rulesVersion
-	conntrack.RUnlock()
-
-	// Slow path: need write lock for expiry update and possibly rules check
 	conntrack.Lock()
 
 	// Periodic purge instead of every lookup (major CPU savings)
@@ -522,14 +508,13 @@ func (f *Firewall) inConns(fp firewall.Packet, h *HostInfo, caPool *cert.CAPool,
 		}
 	}
 
-	// Re-check after acquiring write lock (entry may have been deleted)
-	c, ok = conntrack.Conns[fp]
+	c, ok := conntrack.Conns[fp]
 	if !ok {
 		conntrack.Unlock()
 		return false
 	}
 
-	if needsRulesCheck && c.rulesVersion != f.rulesVersion {
+	if c.rulesVersion != f.rulesVersion {
 		// This conntrack entry was for an older rule set, validate
 		// it still passes with the current rule set
 		table := f.OutRules
diff --git a/inside.go b/inside.go
index 6a91d82b..f7caebe2 100644
--- a/inside.go
+++ b/inside.go
@@ -47,17 +47,8 @@ func (f *Interface) consumeInsidePackets(packets [][]byte, sizes []int, count in
 	*batchPackets = (*batchPackets)[:0]
 	*batchAddrs = (*batchAddrs)[:0]
 
-	// Get pooled slice for batched encryption (reduces allocations)
-	preEncryptionBatchPtr := preEncryptionBatchPool.Get().(*[]preEncryptionPacket)
-	preEncryptionBatch := (*preEncryptionBatchPtr)[:0]
-	defer func() {
-		// Clear references to allow GC and return to pool
-		for i := range preEncryptionBatch {
-			preEncryptionBatch[i] = preEncryptionPacket{}
-		}
-		*preEncryptionBatchPtr = preEncryptionBatch[:0]
-		preEncryptionBatchPool.Put(preEncryptionBatchPtr)
-	}()
+	// Collect packets for batched encryption
+	preEncryptionBatch := make([]preEncryptionPacket, 0, count)
 
 	// Process each packet in the batch
 	for i := 0; i < count; i++ {