pf and synfloods


pf's state table exhaustion countermeasures have largely been good enough

but attacks get worse

we can do better, so we should

embryonic states?
basically the syncache approach

syncookies?
but we need reasonably good ISNs