Why can't you use user at host masks in exceptions? This would be helpful for things like limiting the number of connections from a host not running ident.