> /* Enforce a minimum ttl, may cause endless packet loops */
> - if (min_ttl && af == AF_INET && h->ip_ttl < min_ttl)
> + if (min_ttl && af == AF_INET && h->ip_ttl < min_ttl) {
> + old = h->ip_ttl;
> h->ip_ttl = min_ttl;
> + pf_cksum_fixup(&h->ip_sum, old, h->ip_off, 0);
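Review bot: The ttl fixup passes the 8-bit ip_ttl directly as the 16-bit old/new arguments, which places it in the low byte of the word regardless of where the byte actually sits in the header; the tos hunk below instead reads the raw 16-bit word that contains the changed byte, and the two should be done the same way. If pf_cksum_fixup works on raw in-memory header words, as the tos hunk suggests, then the 8-bit form is only right where ip_ttl happens to be the low byte of the word at offset 8, and the position-independent form is `old = *(u_int16_t *)&h->ip_ttl;` before the assignment and `pf_cksum_fixup(&h->ip_sum, old, *(u_int16_t *)&h->ip_ttl, 0);` after it, with a comment like `/* ip_ttl is an 8 bit field at offset 8; fix up the 16 bit word at offset 8 (ttl, protocol). */`. Whether this matters in practice depends on pf_cksum_fixup's byte-order convention, which is outside this hunk, so please confirm against its definition. The enclosing function starts before and continues after the quoted lines.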
Copy-and-paste error: it should be h->ip_ttl.
> /* Enforce tos */
> if (flags & PFSTATE_SETTOS) {
> - if (af == AF_INET)
> + if (af == AF_INET) {
> + old = *(u_int16_t *)h;
> h->ip_tos = tos | (h->ip_tos & IPTOS_ECN_MASK);
> + pf_cksum_fixup(&h->ip_sum, old, *(u_int16_t *)h, 0);
> + }
A comment explaining why we use h rather than h->ip_tos would be nice.
Something like
/* ip_tos is 8 bit field at offset 1. Use 16 bit value at offset 0. */
With that OK bluhm@