tcp: improve SEG.ACK validation

Implement the improved SEG.ACK validation described in RFC 5961.
In addition to that, also detect ghost ACKs, which are ACKs for data
that has never been sent.
The additional checks are enabled by default, but can be disabled
by setting the sysctl-variable net.inet.tcp.insecure_ack to a
non-zero value.

PR: 250357
Reviewed by: Peter Lei, rscheff (older version)
Sponsored by: Netflix, Inc.
Differential Revision: https://reviews.freebsd.org/D45894

(cherry picked from commit 646c28ea80cb0f9258386626297495b5a0e56db5)