scrub


traversed the (typically short) scrub ruleset, per packet

did fragment reassembly
actually 3 different ways to do it...

mss clamping, min-ttl, clear df flag, rewrite ip id, reassemble tcp, set tos