> The issue is, that we only keep track of the last time a tcp sequence number
> was rewritten. Yes, that means that current netfilter NAT code does not
> cope correctly with all cases where you have more than one packet size
> alteration per window.
Wow! But it is a fatal bug.
Just do not allow changing it more than once (not per window,
you have no reliable way to estimate it, probably for 64K<<wscale),
or remember all the mappings. Argh, and in the first case it is better
to drop packets which can be mangled wrongly.
> So I'm not sure if enabling selective acknowledgements could make the
> situation worse than it is (given this precondition). At least after
> giving it some thought, I cannot see how.
The situation is the opposite, actually. If you mangle seq/ack wrongly,
it is fatal. But if you make a mistake in sack, nothing happens,
sacks are soft.
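As an added illustration (not code from this thread or from netfilter), here is a small Python model of the two bookkeeping strategies the thread contrasts: remembering every payload size change versus keeping only the latest one. The segment boundaries and deltas are constructed sample values; a retransmission from before the first change shows where the single-record approach rewrites the sequence number wrongly.

```python
class FullSeqMap:
    """Remember every size change; correct for any number of changes per window."""

    def __init__(self):
        self.changes = []  # (orig seq where the shift starts to apply, delta)

    def record(self, applies_from, delta):
        self.changes.append((applies_from, delta))

    def translate(self, seq):
        # A segment starting at seq is shifted by every change that ended at or before it.
        return seq + sum(d for pos, d in self.changes if pos <= seq)


class LastOnlySeqMap:
    """Model of tracking only the most recent change (the behaviour the thread describes)."""

    def __init__(self):
        self.correction_pos = 0  # orig seq where the latest change starts to apply
        self.offset_before = 0   # cumulative shift for segments before it
        self.offset_after = 0    # cumulative shift for segments at or after it

    def record(self, applies_from, delta):
        self.correction_pos = applies_from
        self.offset_before = self.offset_after
        self.offset_after += delta

    def translate(self, seq):
        # Anything before correction_pos gets offset_before, even if it predates
        # an earlier change and should not be shifted at all.
        off = self.offset_after if seq >= self.correction_pos else self.offset_before
        return seq + off


def retransmit_check():
    """Two size changes in one window (constructed): bytes 100-109 grow by 3,
    bytes 200-209 grow by 5. Returns {orig seq: (full map, last-only map)}."""
    full, last = FullSeqMap(), LastOnlySeqMap()
    for start, end, delta in [(100, 110, 3), (200, 210, 5)]:
        full.record(end, delta)   # shift applies to bytes after the altered segment
        last.record(end, delta)
    # 50: retransmission from before either change; 150: between; 300: after both
    return {seq: (full.translate(seq), last.translate(seq)) for seq in (50, 150, 300)}


if __name__ == "__main__":
    for seq, (ok, bad) in retransmit_check().items():
        print(f"seq {seq}: full-map {ok}, last-only {bad}{'  <-- wrong' if ok != bad else ''}")
```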