Subject: IPF accounting rule limits
To: None <current-users@netbsd.org>
From: Erik Rungi <blackbox@openface.ca>
List: current-users
Date: 04/26/1999 14:12:44

I'm finding that on NetBSD-1.3/i386 after about 1000 IPF "count" rules, my
NetBSD router box will grind to a halt if I try to forward any significant
amount of traffic through it.  The box seems fine at low levels of traffic,
but in combination with 4-5Mbps of packet forwarding, things go bad quickly.

Are there any OS compile-time parameter limitations to IPFILTER rules that I
should know about? Let's say I wanted to do byte counts on several thousand
individual hosts, using a NetBSD ipf configured gateway.  From what I can
see, this just won't work because the kernel gacks.  This is on a P166 with
32MB ram, fully dedicated to doing routing and nothing else. Symptoms include
nasty packet loss and unresponsive consoles. The machine doesn't actually crash
or anything.

In my kernel config I previously had a MAXUSER setting of 2, which I
subsequently changed to 64. This seemed to help, which is why I suspect there
may be some kernel size limitations at work, but it didn't bring performance
up enough to make the machine usable with the filter rules I was trying to
use.

Am I missing something here?

Erik