Hi, I have committed a patch to -current which refactors the six ways that PF finds TCP options into one new function.
I expect no side-effects, and the minor changes to finding MSS and WSCALE options that this involved were immaterial to the large sample of live traffic that I've examined. However computer networks are good at confounding expectations. If you do happen to notice problems related to MSS or WSCALE handling (used mostly by the syn{proxy,cookie} modes) please let me know. PF will now ignore these options when they fail to meet their mandatory length, as it already does the others. best, Richard.