I took it that this thread has turned into a discussion of IPF's handling of fragmented packets and the Linux re-ordering issue in particular.
The question that should be asked is WHY the packets are fragmented, and under what circumstances should IPF bother with frags at all.
Those who must interpose IPF on paths that use NFS over media that doesn't support large frames, should change r/wsize or force the use of TCP.
Adding complexity, longer code paths and/or memory consumption to IPF in not in the interest of the general IPF user community. (another user survey required <g>)
I'm REALLY tired people trying to turn IPF into a network-stack, content-filter and kitchen sink, rather than being just a very good packet filter.
