Not really an answer, but a few pointers too long for comments:
On MacOS X man accept says:
One can obtain user connection request data without confirming the connection by issuing a recvmsg(2) call with an msg_iovlen of 0 and a non-zero msg_controllen, or by issuing a getsockopt(2) request. Similarly, one can provide user connection rejection information by issuing a
sendmsg(2) call with providing only the control information, or by calling setsockopt(2).
(emphasis mine)
Can't find any more details in man recvmsg, man getsockopt or man tcp on that topic though.
On Debian, man accept says:
In order to be notified of incoming connections on a socket, you can use select(2), poll(2), or epoll(7). A readable event will be delivered when a new connection is attempted and you may then call accept() to get a socket for that connection. Alternatively, you can
set the socket to deliver SIGIO when activity occurs on a socket; see socket(7) for details.
IMHO the only one in there which may be able to deliver more info would be epoll.
But even if you can get actually the info, I'm not quite sure how you would reject the connection if you don't like it.
You're probably better off doing the filtering at the network stack/firewall level (iptables and friends).
reject()the connection. Related: stackoverflow.com/questions/16590847/…