Subject: Re: Hashing IP reassembly queues, phase 2 of 2: fragmeDoS
To: Jason Thorpe <thorpej@wasabisystems.com>
From: Jonathan Stone <jonathan@DSG.Stanford.EDU>
List: tech-net
Date: 12/13/2003 14:53:09
[... Jason Thorpe spots all the things I was hoping to postpone
     for a while.... ] 

I knew I should've mentioned the issue of changing nmbclusters on the
fly, and to recompute ip_maxfrags; I'm well aware of it (I used to use
it a lot on pmaxes, when I could).

Roger that on the initialization and sysctl. I don't grok Andrew's new
sysctl machinery well enough to just drop in a sysctl hook, let alone
a sysctl hook that would auto-recompute ip_maxfrags when nmbclusters
is changed via sysctl. (Which has pros and cons of its own:
least-surprise cuts both ways on that one).

So now I confess ip_maxfrags is initialized, partly to match the
style of ip_maxfragpackets, partly so I *could* patch it.

For now I might just put the limit variables back in bss,
and figure out the sysctl knobs a little later.

Since you've spotted all my lurking ideas: the last one was to make
the drop-fraction sysctl'able, say a percentage, then compute the
``median'' (really an order statistic) from the longest ttl downward.

That way someone really paranoid about DoS attacks (Michael Graff?) can
easily set up a ``drop 90% of all fragments if we exceed ip_maxfrags''.

What do you think of that?
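The drop-fraction idea from the message above, worked through as an added example. This is not code from the mail, nor from NetBSD's ip_input.c; the struct and function names (frag_queue, drop_threshold, drop_fraction, demo_drop) are made up for illustration, and it assumes the reassembly TTL fits in 8 bits (as IPFRAGTTL does), that the trigger limit counts fragments (the ip_maxfrags role) while the percentage is taken over queues, and that the ``order statistic from the longest ttl downward'' means: find the TTL of the k-th longest-lived queue and discard every queue at or above it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical stand-in for an IP reassembly queue (one partially
 * reassembled datagram).  Only what the drop policy looks at is kept:
 * the remaining reassembly TTL in slow-timeout ticks (assumed to fit in
 * 8 bits) and how many fragments the queue currently holds.
 */
struct frag_queue {
    uint8_t ttl;      /* ticks left before the queue times out */
    unsigned nfrags;  /* fragments currently held in this queue */
    int dropped;      /* set to 1 once drop_fraction() has freed it */
};

/*
 * Order statistic: among the live queues, find the smallest TTL of the
 * k = ceil(pct * live / 100) queues with the longest TTLs.  Because TTL
 * is a byte, a 256-bucket histogram walked from the top gives the k-th
 * largest in O(n + 256) with no sorting.  Returns -1 when there is
 * nothing to drop (no live queues or pct == 0).
 */
int drop_threshold(const struct frag_queue *q, size_t n, unsigned pct)
{
    size_t hist[256] = {0};
    size_t live = 0, k, seen = 0;
    int t;

    if (pct == 0)
        return -1;
    if (pct > 100)
        pct = 100;

    for (size_t i = 0; i < n; i++) {
        if (!q[i].dropped) {
            hist[q[i].ttl]++;
            live++;
        }
    }
    if (live == 0)
        return -1;
    k = (pct * live + 99) / 100;         /* ceil(pct * live / 100), >= 1 */

    for (t = 255; t >= 0; t--) {         /* walk from the longest TTL downward */
        seen += hist[t];
        if (seen >= k)
            return t;
    }
    return -1;                           /* not reached when live > 0 */
}

/*
 * Policy: when the total number of queued fragments exceeds maxfrags,
 * drop roughly pct percent of the queues, starting with the ones that
 * have the most reassembly time left (the ones an attacker's junk
 * fragments would otherwise pin for longest).  Queues whose TTL ties the
 * threshold are dropped too, so pct is a floor, not an exact count.
 * Returns the number of fragments freed.
 */
size_t drop_fraction(struct frag_queue *q, size_t n, size_t maxfrags, unsigned pct)
{
    size_t total = 0, freed = 0;
    int thr;

    for (size_t i = 0; i < n; i++)
        if (!q[i].dropped)
            total += q[i].nfrags;
    if (total <= maxfrags)
        return 0;                        /* under the limit: keep everything */

    thr = drop_threshold(q, n, pct);
    if (thr < 0)
        return 0;

    for (size_t i = 0; i < n; i++) {
        if (!q[i].dropped && q[i].ttl >= (uint8_t)thr) {
            q[i].dropped = 1;
            freed += q[i].nfrags;
        }
    }
    return freed;
}

/*
 * Constructed sample, not captured traffic: ten queues of three
 * fragments each (30 fragments total) with a spread of remaining TTLs.
 * Returns the number of fragments freed for the given limit and percentage.
 */
size_t demo_drop(size_t maxfrags, unsigned pct)
{
    struct frag_queue q[10] = {
        {60, 3, 0}, {60, 3, 0}, {59, 3, 0}, {30, 3, 0}, {10, 3, 0},
        {5, 3, 0},  {58, 3, 0}, {60, 3, 0}, {20, 3, 0}, {40, 3, 0},
    };
    return drop_fraction(q, 10, maxfrags, pct);
}

int main(void)
{
    printf("limit 20, drop 50%%: freed %zu fragments\n", demo_drop(20, 50));
    printf("limit 20, drop 90%%: freed %zu fragments\n", demo_drop(20, 90));
    printf("limit 30, drop 50%%: freed %zu fragments\n", demo_drop(30, 50));
    return 0;
}
```

Two things a practitioner would check before wiring a percentage like this to a sysctl: ties at the threshold TTL mean a ``90%'' setting can drop everything when most queues were created in the same tick (the histogram makes that visible, since the top bucket alone can exceed k), and the histogram pass is a cheap place to count live fragments as well, so the limit comparison and the order statistic can share one walk of the queue list.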