Hmm. Clearly kern.maxfilesperuser isn't going to help for the sparse file descriptor table attack. The defaults on an i386 box seem to be on the order of 6000 processes x 25000 descriptors per process, which winds up being significantly greater than a gigabyte of RAM (let alone kvm)... so it goes boom.

I think we do have to apply the maxfilesperuser limit to this situation counted based on the size of the fd table instead of based on the number of actual descriptors. That would handle the situation.

-Matt
Matthew Dillon <dillon@backplane.com>
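
The following is an added example, not part of the original post and not DragonFly kernel code: a toy model of the two accounting policies discussed above, showing how much fd-table space a per-user limit admits when it counts open descriptors versus allocated table slots. All names are hypothetical, and the limit value of 100000 is constructed; the 6000 processes and 25000-entry tables are the figures from the post.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy accounting model; all names are hypothetical, not DragonFly kernel code. */
enum policy { COUNT_OPEN, COUNT_SLOTS };

struct user_acct {
    size_t open_files;   /* descriptors actually open */
    size_t table_slots;  /* fd-table slots allocated across the user's processes */
    size_t limit;        /* stand-in for kern.maxfilesperuser */
};

struct fd_table { size_t nslots; };

/* Install one descriptor at a previously unused index fd.
 * The table must grow to fd + 1 slots. Returns 0 if allowed, -1 if refused. */
int fd_install(struct user_acct *u, struct fd_table *t, size_t fd, enum policy p)
{
    size_t grow = (fd >= t->nslots) ? fd + 1 - t->nslots : 0;
    size_t charged = (p == COUNT_OPEN) ? u->open_files + 1 : u->table_slots + grow;

    if (charged > u->limit)
        return -1;
    u->open_files += 1;
    u->table_slots += grow;
    t->nslots += grow;
    return 0;
}

/* Each of nprocs processes installs a single descriptor at index high_fd.
 * Returns the total number of table slots the user was allowed to allocate. */
size_t simulate(enum policy p, size_t nprocs, size_t high_fd, size_t limit)
{
    struct user_acct u = { 0, 0, limit };
    for (size_t i = 0; i < nprocs; i++) {
        struct fd_table t = { 0 };
        if (fd_install(&u, &t, high_fd, p) != 0)
            break;
    }
    return u.table_slots;
}

int main(void)
{
    /* 6000 processes and 25000-slot tables come from the post; the limit is constructed. */
    printf("count open descriptors: %zu slots\n", simulate(COUNT_OPEN, 6000, 24999, 100000));
    printf("count table slots:      %zu slots\n", simulate(COUNT_SLOTS, 6000, 24999, 100000));
    return 0;
}
```

Counting open descriptors charges the user only 6000 against the limit while 150 million slots are allocated; counting table slots stops allocation once the limit itself is reached.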