A couple other comments about the NetBSD version of the driver
(i suspect the FreeBSD code is likely similar but don't have time to
check right now):

1) If the "save_bad frames" bit is turned on, does that mean that the
device will pass up frames with a bad CRC to the user device?

	cbp->save_bf =		prm;	/* save bad frames */

In the presence of things like NFS servers which turn off UDP
checksums, this seems overly dangerous.

2) the following block of code appears to filter out packets which
aren't intended for this host from non-BPF packet processing:

#if NBPFILTER > 0
					if (ifp->if_bpf) {
						bpf_tap(ifp->if_bpf,
						    mtod(m, caddr_t),
						    total_len); 
						/*
						 * Only pass this packet up
						 * if it is for us.
						 */
						if ((ifp->if_flags &
						    IFF_PROMISC) &&
						    (rfa->rfa_status &
						    FXP_RFA_STATUS_IAMATCH) &&
						    (eh->ether_dhost[0] & 1)
						    == 0) {
							m_freem(m);
							goto rcvloop;
						}
					}
#endif /* NBPFILTER > 0 */

However, promiscuous mode can be turned on even if there aren't BPF
listeners, and promiscuous mode can be turned even if you don't build
BPF into the kernel..  (BPF sets IFF_PROMISC, but IFF_PROMISC can also
be set via SIOCSIFFLAGS)

Shouldn't the test be moved outside the #if NBPFILTER > 0 ?

				- Bill