Just to record this thought somewhere better than icb, what do
people think about adding a setsockopt thing for TCP which lets
you tell NetBSD how many connections per-ip it will accept ?

If NetBSD had accept filters (like FreeBSD does for http), then
it might be some sort of accept filter.

Hmmm, the only real way this would make a difference is if the
lookup to see if the n/host was being exceeded was done on behalf
of the application listening (rather than the kernel processing
the IP input queue).  ie. if it doesn't get done on behalf of the
listener then it may as well be done by ipf, right ?

Comments ?

Darren