Therefore, shouldn't there be (or am I just not seeing it?) sort of
a timeout that disposes of connections that have been sitting in the
accept filter for longer than $timespan? Currently, we have to restart
lighttpd every so many days to cope with the slow but steady "leakage"
of connections...

If getsockopt(2) SO_KEEPALIVE is set for the peer socket then yes.

But there is no peer socket yet. The connection is queued in the
kernel's accept filter, waiting to see a complete HTTP request before
the kernel even lets accept(2) return (or in our case, before kqueue
produces the "here's something to accept"-information.)
Or do you mean to SO_KEEPALIVE the listening socket?