>>>>> i've got these lines (machine running current from 5/4) in my
>>>>> ipf.conf:
>>>>
>>>>Please try to update your system. I imported yesterday 3.4.2, maybe that
>>>>fix your problem.
...

found the problem.  some (most?) of the tcp checksums on the packets
generated by "return-rst" were invalid.  here's a patch (vs cvs update
as of about twelve hours ago).  oh...wait.  i'll go file a pr.  :)

---------8<---------8<---------8<---------8<---------
--- ip_fil.c-orig	Fri May 12 12:14:39 2000
+++ ip_fil.c	Sat May 13 00:55:51 2000
@@ -1041,6 +1041,7 @@
 		return send_ip(m, oip, fin, hlen + sizeof(*tcp2));
 	}
 # endif
+	bzero((char *)ip, sizeof(*ip));
 	ip->ip_p = IPPROTO_TCP;
 	ip->ip_len = htons(sizeof(struct tcphdr));
 	ip->ip_src.s_addr = oip->ip_dst.s_addr;
---------8<---------8<---------8<---------8<---------

ps - i'd still like to know if should "expect" packet data logged via
ipmon to be in host byte order as opposed to network byte order.  it
makes visual comparison of packets (ipmon logs vs. tcpdump -x
elsewhere) a little harder.

oh, another question: if i "ask" for an mbuf (eg, via MGET()), am i
allowed to assume the contents are zeroed before i look at it?  i
think not, but i'm not sure.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."