A coworker has ported the FreeBSD "accept filter" functionality to NetBSD (approximately 4.99.40 -- I think the attached patch should apply cleanly to HEAD today, however).

Accept filters are kernel-level filters, enabled with setsockopt(), which can perform arbitrary operations on a TCP or local stream connection before accept() returns to userspace or the listen socket selects ready for accept. Think of it as a much more sophisticated version of the socket watermark.

These have been in FreeBSD for a long time. In FreeBSD they're often dynamically loaded just before the setsockopt() but doing so at runtime poses some obvious security issues. We didn't adapt the kernel-module code in this patch to the new NetBSD framework but will do so over time if these are committed. Rather, we've made each accept filter (we supply two, "dataready" and "http") a pseudo-device to allow static configuration in the kernel config file; in my opinion this is moderately hokey but it works and is less objectionable than any of my other ideas.

Opinions? The manual pages (accept_filter, accf_http, accf_dataready) are not present in the patch but I will adjust them for NetBSD and check them in with the rest of this if there are no objections.

--
Thor Lancelot Simon
Coyote Point Systems, Inc.
<tls%coyotepoint.com@localhost>
Millerton, NY, USA
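How a server would request the "dataready" filter described above, as an added example that is not part of the original message or the patch. It assumes the FreeBSD interface (SO_ACCEPTFILTER with struct accept_filter_arg); the helper names enable_accept_filter and listen_filtered are hypothetical, and the server falls back to plain accept() when the filter is not configured into the kernel.

```c
/* Added example: request an accept filter, falling back if it is absent. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define FILTER_NAME_MAX 16 /* assumed: size of af_name in FreeBSD's accept_filter_arg */

/* Attach the named filter to a listening socket. Returns 0, or -1 with errno set. */
int enable_accept_filter(int fd, const char *name)
{
    if (strlen(name) >= FILTER_NAME_MAX) { errno = ENAMETOOLONG; return -1; }
#ifdef SO_ACCEPTFILTER
    struct accept_filter_arg afa;
    memset(&afa, 0, sizeof(afa));
    strcpy(afa.af_name, name); /* length checked above */
    return setsockopt(fd, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof(afa));
#else
    (void)fd;
    errno = ENOPROTOOPT;       /* this platform has no accept filters */
    return -1;
#endif
}

/* Listen on loopback:port and try the filter; *filtered reports whether it took. */
int listen_filtered(unsigned short port, const char *filter, int *filtered)
{
    struct sockaddr_in sin;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0 || listen(fd, 128) < 0) {
        close(fd);
        return -1;
    }
    /* FreeBSD requires listen() before the filter is set; assumed the same here. */
    *filtered = (enable_accept_filter(fd, filter) == 0);
    return fd;
}

int main(void)
{
    int filtered = 0;
    int fd = listen_filtered(0, "dataready", &filtered);
    if (fd < 0) { perror("listen_filtered"); return 1; }
    printf("dataready filter %s\n", filtered ? "active" : "unavailable, using plain accept()");
    close(fd);
    return 0;
}
```

A server that relies on the filter to keep idle connections out of its accept loop should log the fallback case, since without the filter every completed handshake reaches userspace immediately.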