Index: sys/net/npf/npf_conn.c
===================================================================
RCS file: /cvsroot/src/sys/net/npf/npf_conn.c,v
retrieving revision 1.23
diff -p -u -r1.23 npf_conn.c
--- sys/net/npf/npf_conn.c	29 Jan 2017 00:15:54 -0000	1.23
+++ sys/net/npf/npf_conn.c	4 Nov 2017 17:04:13 -0000
@@ -727,7 +727,8 @@ npf_conn_pass(const npf_conn_t *con, npf
 {
 	KASSERT(con->c_refcnt > 0);
 	if (__predict_true(con->c_flags & CONN_PASS)) {
-		*mi = con->c_mi;
+		mi->mi_rid = con->c_rid;
+		mi->mi_retfl = con->c_retfl;
 		*rp = con->c_rproc;
 		return true;
 	}
@@ -752,8 +753,10 @@ npf_conn_setpass(npf_conn_t *con, const
 	 */
 	atomic_or_uint(&con->c_flags, CONN_PASS);
 	con->c_rproc = rp;
-	if (rp)
-		con->c_mi = *mi;
+	if (rp) {
+		con->c_rid = mi->mi_rid;
+		con->c_retfl = mi->mi_retfl;
+	}
 }
 
 /*
Index: sys/net/npf/npf_conn.h
===================================================================
RCS file: /cvsroot/src/sys/net/npf/npf_conn.h,v
retrieving revision 1.12
diff -p -u -r1.12 npf_conn.h
--- sys/net/npf/npf_conn.h	29 Jan 2017 00:15:54 -0000	1.12
+++ sys/net/npf/npf_conn.h	4 Nov 2017 17:04:13 -0000
@@ -88,7 +88,11 @@ struct npf_conn {
 	npf_state_t c_state;
 	u_int c_refcnt;
 	uint64_t c_atime;
-	npf_match_info_t c_mi;
+	/*
+	 * matching rule id and flags
+	 */
+	uint64_t c_rid;
+	u_int c_retfl;
 };
 
 #endif
Index: sys/net/npf/npf_ext_normalize.c
===================================================================
RCS file: /cvsroot/src/sys/net/npf/npf_ext_normalize.c,v
retrieving revision 1.5
diff -p -u -r1.5 npf_ext_normalize.c
--- sys/net/npf/npf_ext_normalize.c	29 Jan 2017 00:15:54 -0000	1.5
+++ sys/net/npf/npf_ext_normalize.c	4 Nov 2017 17:04:13 -0000
@@ -147,7 +147,7 @@ npf_normalize(npf_cache_t *npc, void *pa
     int *decision)
 {
 	npf_normalize_t *np = params;
-	struct tcphdr *th = npc->npc_l4.tcp;
+	struct tcphdr *th;
 	uint16_t cksum, mss, maxmss = np->n_maxmss;
 	int wscale;
 
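Review bot: npf_conn_pass() now fills only mi->mi_rid and mi->mi_retfl, whereas the replaced `*mi = con->c_mi` assigned every member of *mi; any other member a caller reads afterwards (npf_normalize in this same patch reads mi->mi_di) is now whatever the caller left there. That is presumably intended, since the direction belongs to the packet rather than the connection, but it is a contract change and the function's header comment, which starts before this hunk, should state it: `Only mi_rid and mi_retfl are filled in; the caller must initialise the remaining members of *mi.`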
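Review bot: The new block records the rule id and flags only when rp is non-NULL, while npf_conn_pass() returns c_rid and c_retfl whenever CONN_PASS is set, so a connection passed with rp == NULL reports whatever those two fields held before (the original had the same asymmetry with c_mi). If that is deliberate, a one-line comment above `if (rp) {` such as `/* Rule id and flags are only recorded together with an rproc. */` would save the next reader the question. The KASSERTs and comment opening npf_conn_setpass() lie before this hunk, so I cannot tell whether they already constrain this case.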
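Review bot: The comment added above c_rid/c_retfl says what the fields hold but not when they are valid; from npf_conn.c in this same patch they are written by npf_conn_setpass() after CONN_PASS is set and read by npf_conn_pass() only under CONN_PASS. Suggest `/* Matching rule id and flags; written by npf_conn_setpass() and valid only once CONN_PASS is set. */`. The declarations of mi_rid and mi_retfl are not visible here, so confirm that uint64_t and u_int match their types rather than silently narrowing.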
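Review bot: `th` is now declared without an initializer and only assigned in the hunk at @@ -165, with the intervening lines outside this view, so nothing here confirms that no earlier use of `th` remains; initialising it as `struct tcphdr *th = NULL;` would turn such a use into a deterministic fault instead of a read of an indeterminate pointer. The reason for deferring the fetch is not stated anywhere; the hunk at @@ -182 re-reads npc->npc_l4.tcp after npf_fetch_tcpopts(), which suggests the cached pointer may be refreshed, and a comment at the declaration saying so (hedged to what is actually the case) would help. The body of npf_normalize continues beyond this hunk.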
@@ -165,6 +165,7 @@ npf_normalize(npf_cache_t *npc, void *pa
 	 * TCP Maximum Segment Size (MSS) "clamping". Only if SYN packet.
 	 * Fetch MSS and check whether rewrite to lower is needed.
 	 */
+	th = npc->npc_l4.tcp;
 	if (maxmss == 0 || !npf_iscached(npc, NPC_TCP) ||
 	    (th->th_flags & TH_SYN) == 0) {
 		/* Not required; done. */
@@ -182,8 +183,17 @@ npf_normalize(npf_cache_t *npc, void *pa
 
 	/* Store new MSS, calculate TCP checksum and update it. */
 	if (npf_fetch_tcpopts(npc, &maxmss, &wscale)) {
-		cksum = npf_fixup16_cksum(th->th_sum, mss, maxmss);
-		th->th_sum = cksum;
+		/*
+		 * Fix checksum for incoming packets, the checksum
+		 * for outgoing packets is deferred.
+		 *
+		 * XXX what about checksum offloading for input?
+		 */
+		if (mi->mi_di & PFIL_IN) {
+			th = npc->npc_l4.tcp;
+			cksum = npf_fixup16_cksum(th->th_sum, mss, maxmss);
+			th->th_sum = cksum;
+		}
 	}
 	return true;
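Review bot: `th = npc->npc_l4.tcp;` is assigned before `npf_iscached(npc, NPC_TCP)` has confirmed that the L4 cache holds a TCP header; the dereference of `th->th_flags` on the following line is safe only because the `||` chain short-circuits, a dependency that is easy to break when the condition is next edited. Adding `/* th is only dereferenced once NPC_TCP is known to be cached. */` above the `if` makes that explicit. The body of npf_normalize continues beyond this hunk.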