smallies packets with invalid checksums are now dropped by pf; prevents return-rst/icmp on them which can be used to detect the existence of a firewall. mbuf tags are used so the checksum verification is only done once; take advantage of NICs with hardware checksum verification. state table size has a default limit of 10000 now, increase with "set limit states"