From: Jeremy Jackson <jerj@coplanar.net>
To: linux-kernel@vger.kernel.org
Subject: Userspace TCP sequence number control?
Date: Thu, 05 Apr 2001 15:23:52 -0400
Message-ID: <3ACCC648.2849B9EC@coplanar.net>
Hello,
If there's a forum more specifically dedicated to 2.4 networking,
please point me in the right direction, otherwise please consider
the following. (I'm on lkml so you don't need to CC: me)
Is there a way to set the sequence number sent in the SYN
response to an incoming connection request (an incoming
SYN) to a specific value with listen()?
It may sound like a security risk, but consider the problem
of trying to do http load balancing using 2.4 netfilter,
(ie in kernel, packet/conntrack-based) but trying to maintain
session affinity to a specific backend server.
Clearly, the load balancer must open a http (and thus TCP)
connection to determine the client that is connecting, in order
to determine which back-end server is already servicing
the user session. Typically, from this point on, the load balancer
must just copy the data back and forth between the socket
connected to the client and another socket. This could be
userspace or kernelspace, but it's copying either way.
What if the connection could be handed off via
DNAT *after* it had been established? The load
balancer could establish a connection with the backend
server, posing as the client, setup an iptable entry
directing the client connection's packets to the
backend server, then close its connection
(somehow without sending FIN)...
the (big) part missing is that the backend server's
sequence number will differ from the one used
by the load-balancer. (whereas the load balancer
can just copy the last sequence number received
by the client)
Does this functionality exist already? Or can
iptables re-write the sequence numbers?
(Cisco's PIX does this to re-randomize them
for hosts inside firewall that have poor random
number generation)
Am I talking crazy talk already?
(I know I should research the tunneling
method more)
Regards,
Jeremy
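The hand-off Jeremy describes hinges on one mechanism: once the client's packets are redirected to the backend, every sequence number in the client-to-server direction and every sequence number in the server-to-client direction has to be shifted by a fixed per-direction offset (and the acknowledgement numbers shifted by the opposite direction's offset), because the two legs were set up with different initial sequence numbers. The model below is an added example, not code from the message or from the kernel; the names (Conn, Seg, handoff_deltas, the translate functions) and the sample ISNs are constructed for illustration. It also checks the precondition the message glosses over: the offsets stay fixed only if the bytes the load balancer consumed from the client were replayed to the backend byte-for-byte before the hand-off.

```python
# Added illustration of per-direction TCP sequence/ack translation for a
# connection hand-off. Names and sample values are constructed, not kernel API.
from dataclasses import dataclass

MOD = 1 << 32  # TCP sequence space is 32-bit modular arithmetic


@dataclass
class Conn:
    """One TCP leg as seen from the load balancer."""
    local_isn: int    # ISN the load balancer sent on this leg
    remote_isn: int   # ISN the peer (client or backend) sent
    payload_bytes: int  # application bytes carried on this leg before hand-off


@dataclass
class Seg:
    """The two header fields that need rewriting."""
    seq: int
    ack: int


def handoff_deltas(front: Conn, back: Conn):
    """Return (c2s, s2c): offsets added to the seq field in each direction.

    front: load balancer <-> client (LB sent front.local_isn).
    back:  load balancer <-> backend, with the LB posing as the client
           (LB sent back.local_isn, backend sent back.remote_isn).
    """
    # If the LB read N request bytes from the client, it must have written
    # exactly N bytes to the backend; otherwise no constant offset exists.
    if front.payload_bytes != back.payload_bytes:
        raise ValueError(
            "pre-handoff byte counts differ (%d client bytes vs %d replayed); "
            "sequence numbers cannot be mapped by a fixed offset"
            % (front.payload_bytes, back.payload_bytes)
        )
    # Client data is numbered from the client's ISN; the backend expects the
    # same bytes numbered from the ISN the LB used when posing as the client.
    c2s = (back.local_isn - front.remote_isn) % MOD
    # Backend data is numbered from the backend's ISN; the client expects it
    # numbered from the ISN the LB originally sent to the client.
    s2c = (front.local_isn - back.remote_isn) % MOD
    return c2s, s2c


def client_to_server(seg: Seg, c2s: int, s2c: int) -> Seg:
    """Rewrite a client packet so the backend accepts it."""
    # seq moves into the backend's expected space; ack, which refers to data
    # the LB sent the client, moves into the backend's own sequence space.
    return Seg((seg.seq + c2s) % MOD, (seg.ack - s2c) % MOD)


def server_to_client(seg: Seg, c2s: int, s2c: int) -> Seg:
    """Rewrite a backend packet so the client accepts it."""
    return Seg((seg.seq + s2c) % MOD, (seg.ack - c2s) % MOD)


def demo():
    # Constructed scenario: client ISN 5000, LB ISN 1000 on the front leg;
    # LB ISN 70000 (posing as client) and backend ISN 200 on the back leg.
    # A 100-byte request was read from the client and replayed verbatim.
    front = Conn(local_isn=1000, remote_isn=5000, payload_bytes=100)
    back = Conn(local_isn=70000, remote_isn=200, payload_bytes=100)
    c2s, s2c = handoff_deltas(front, back)
    # Next client segment after hand-off: seq 5101, acking only the LB's SYN.
    to_backend = client_to_server(Seg(seq=5101, ack=1001), c2s, s2c)
    # Backend's first reply: seq 201, acking the whole replayed request.
    to_client = server_to_client(Seg(seq=201, ack=70101), c2s, s2c)
    return c2s, s2c, to_backend, to_client


if __name__ == "__main__":
    print(demo())
```

Offsets are computed modulo 2^32 so a wrap in either ISN is handled; what the example does not cover, and what a real implementation would also have to track, are the per-leg TCP options (window scale, timestamps, SACK blocks carry sequence numbers too) and any bytes that differ between the two legs after hand-off.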