Is there a simple way with netfilter to do per-site TCP SYN mangling to remove the window scale option? That way sites that have window-scale-corrupting firewalls could be blacklisted.
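One way to do what the question asks, added here as an example and not part of the original post: iptables' TCPOPTSTRIP target (kernel module xt_TCPOPTSTRIP, valid in the mangle table only) overwrites selected TCP options in a packet in place, and `--strip-options wscale` names the window-scale option. The script below keeps the blacklisted destinations in a dedicated chain, only looks at initial SYNs (`--syn` excludes SYN-ACKs), and previews the rules unless run with `--apply`. The chain name, the destination prefixes (constructed from the RFC 5737 documentation ranges) and the `--apply` switch are assumptions of this example, not anything from the original.

```shell
#!/bin/sh
# Added example: strip the TCP window-scale option from outbound SYNs
# sent to a blacklist of destinations, using the xt_TCPOPTSTRIP target
# (iptables -t mangle ... -j TCPOPTSTRIP --strip-options wscale).
# The chain name and the destinations below are constructed placeholders.

CHAIN=WSCALE_BLACKLIST
BLACKLIST="203.0.113.0/24 198.51.100.7"   # constructed; RFC 5737 doc ranges

# Print the rule that strips wscale from initial SYNs to one destination.
# --syn matches SYN set with ACK, RST and FIN clear, so SYN-ACKs pass by.
strip_rule() {
    printf 'iptables -t mangle -A %s -p tcp --syn -d %s -j TCPOPTSTRIP --strip-options wscale\n' \
        "$CHAIN" "$1"
}

# Emit the whole rule set: a dedicated chain, one rule per blacklisted
# destination, and a jump into it from both the locally originated
# (OUTPUT) and the routed (FORWARD) path, again only for initial SYNs.
build_rules() {
    printf 'iptables -t mangle -N %s\n' "$CHAIN"
    for dst in $BLACKLIST; do
        strip_rule "$dst"
    done
    printf 'iptables -t mangle -A OUTPUT -p tcp --syn -j %s\n' "$CHAIN"
    printf 'iptables -t mangle -A FORWARD -p tcp --syn -j %s\n' "$CHAIN"
}

# Number of per-destination strip rules the set would install.
count_rules() {
    build_rules | grep -c 'TCPOPTSTRIP'
}

# Preview by default; pass --apply (as root) to install the rules.
if [ "${1:-}" = "--apply" ]; then
    build_rules | sh -e
else
    build_rules
fi
```

Two things worth knowing before relying on this: the kernel does not shorten the TCP header, it replaces the stripped option bytes with NOPs and fixes the checksum, so the segment length is unchanged; and because a peer may only answer with a window-scale option if the SYN carried one (RFC 7323, section 2.2), the local stack sees no wscale in the SYN-ACK and disables scaling for that connection in both directions, which is exactly the fallback wanted for a site behind a scale-corrupting firewall.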