NetBSD-Bugs archive
kern/50511: npf fails to load tree file above certain size
>Number: 50511
>Category: kern
>Synopsis: npf fails to load tree file above ~473 entries
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Dec 10 19:45:00 +0000 2015
>Originator: Christopher M. Fuhrman
>Release: NetBSD 7.0
>Environment:
System: NetBSD vc75.vc.panix.com 7.0 NetBSD 7.0 (PANIX-VC) #1: Tue Nov 10 17:40:17 EST 2015 root%juggler.panix.com@localhost:/misc/obj64/misc/devel/netbsd/7.0/src/sys/arch/amd64/compile/PANIX-VC amd64
Architecture: x86_64
Machine: amd64
>Description:
Recently, I switched from using OpenBSD pf to NetBSD's spiffy new npf
packet filter on my NetBSD vHost. As part of my configuration, I am
loading a file containing IPv4 address ranges as follows:
table <countries> type tree file "/var/db/npf_tables/countries.txt"
What I've determined is that if the file is above a certain length
(around 473 entries), then npf will fail with the following error:
# npfctl reload
npfctl: npfctl_config_send: Invalid argument
Smaller files load okay.
This behavior has been confirmed with both a Xen-based NetBSD domU and
a VMware Fusion instance running on my Mac (running GENERIC).
**IMPORTANT**
This bug is applicable to the /size of the file/ getting loaded by npf
*not* the size of the table itself. In other words, if I did a
for-loop and loaded each entry via `npfctl table add ...`, then things
work as expected.
>How-To-Repeat:
Create the following:
1. A tree-hash table file containing over 475 entries (give or take)
2. An npf.conf(5) file that loads the above file.
3. Load the file via npfctl(8)
If you need a copy of my npf.conf file, please let me know and I can
send it via email in private.
>Fix:
A temporary workaround is to load each entry in a for-loop, although
this is not ideal.
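Added example, not part of the bug report or of NetBSD's own code: a POSIX sh script that builds a table file of N constructed entries (synthetic 10.x.y.0/24 ranges, not real country blocks), emits a minimal npf.conf around the report's own table line, and performs the one-entry-at-a-time workaround described above. The interface name wm0 and the block/pass rules are assumptions; NPFCTL can be overridden (e.g. NPFCTL=echo) to dry-run on a host without npfctl.

```shell
#!/bin/sh
# Added example for kern/50511; assumes a tree table named "countries".

# Write N constructed IPv4 CIDR entries (10.x.y.0/24), one per line.
# These are synthetic test values, not real country ranges.
gen_table_file() {
    file=$1
    n=$2
    i=0
    : > "$file"
    while [ "$i" -lt "$n" ]; do
        printf '10.%d.%d.0/24\n' $((i / 256)) $((i % 256)) >> "$file"
        i=$((i + 1))
    done
}

# Emit a minimal npf.conf that loads the file exactly as the report does.
# The interface name and the rule set are assumptions for illustration.
gen_npf_conf() {
    file=$1
    printf 'table <countries> type tree file "%s"\n' "$file"
    printf '$ext_if = "wm0"\n'
    printf 'group default {\n'
    printf '\tblock in final on $ext_if from <countries>\n'
    printf '\tpass final all\n'
    printf '}\n'
}

# Workaround from the report: do not load the file via npf.conf, instead
# add each entry with "npfctl table <name> add <addr/mask>".
# Prints the number of entries submitted. Blank and '#' lines are skipped.
load_entries_one_by_one() {
    file=$1
    count=0
    while IFS= read -r cidr; do
        case $cidr in ''|'#'*) continue ;; esac
        ${NPFCTL:-npfctl} table countries add "$cidr"
        count=$((count + 1))
    done < "$file"
    printf '%s\n' "$count"
}
```

Run as root on the NetBSD host: gen_table_file countries.txt 476, then NPFCTL=npfctl load_entries_one_by_one countries.txt, which avoids the file-size path that fails on reload.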