Subject: Re: ipf - rule set size limit? (*UPDATE*)
To: None <cliftonr@tikitechnologies.com>
From: Gene ENonymous <yancm@sdf.lonestar.org>
List: tech-net
Date: 11/15/2004 14:37:41
>From: Clifton Royston <cliftonr@tikitechnologies.com>
>Date: Tue, 9 Nov 2004 09:27:33 -1000

>On Tue, Nov 09, 2004 at 06:17:25PM +0000, Gene ENonymous wrote:
>> I never got a crystal clear answer to my original question about rule set
>> size limits, 

>  FWIW, I think Darren's message implied (though he didn't say) that
>there is no hard-coded limit, and that the number of loadable rules
>depends only on your available RAM.

I finally know the answer for NetBSD with the kernel integrated ipf...

The ipf/ipnat rules tables are malloc'd out of the kernel VM space.
When that space gets exhausted, you get various messages that
no more space for rules can be allocated (then you just start getting
rule-not-exist messages too).

The fix is to increase the kernel VM space allocation

  vm.nkmempages

On my system the default was 4096 (I'm pretty sure this is in
512-byte blocks - which would imply 2M of VM pool)

I reached a point where I wanted to load over 40,000 rules, and I
ran out of VM (after about 30,000 rules).

I customized my kernel (which reduced it in size from about 3M to ~1M)
then I increased the vm.nkmempages to 8192 (4M I'm pretty sure)
and I was able to load my giant rule-set with no issues.

This was my first time to compile a kernel and all I can say is
that it was super easy! First I compiled a GENERIC which was just
to make sure the process worked as advertised (yeah it did). Then
I took 3 attempts to get a fully functional small (MYSMALL) kernel.
Then one more compile to increase the memory. This was about a
3 hour exercise.

References:
----------
Kernel Compile How-TO: http://www.netbsd.org/guide/en/chap-kernel.html
  Man Pages
  ---------
  options(4) - VM Related Options - options NKMEMPAGES=value
  sysctl(8) - to verify the VM pool increased in size
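An added example to go with the message above; it is not code from the original post or from the NetBSD project. It shows the two things a practitioner would want when chasing this limit: how big the kernel malloc arena actually is on the running box (the post's 4096 figure), and a way to find the rule ceiling empirically by loading constructed rules in batches until ipf refuses one. It assumes a NetBSD host with the kernel-integrated ipf where sysctl(8) exposes vm.nkmempages and hw.pagesize and ipf(8) reads rules from stdin via "-f -"; the arena arithmetic assumes NKMEMPAGES counts PAGE_SIZE-sized chunks as options(4) describes. The interface name fxp0, the 10.0.0.0/8 addresses and the rule bodies are constructed sample data; the fallbacks used when sysctl is absent are the post's own 4096 and a 4 KiB page.

```shell
#!/bin/sh
# Probe the ipf rule ceiling and report the kernel malloc arena size.
# Added example, not from the original post. Assumes NetBSD + kernel ipf.
# To raise the arena permanently the post's route is the kernel config:
#     options NKMEMPAGES=8192
# then rebuild, reboot, and confirm with: sysctl vm.nkmempages
set -eu

# Kernel malloc arena in bytes: nkmempages * page size.
# Assumption (per options(4)): NKMEMPAGES counts PAGE_SIZE chunks.
kmem_arena_bytes() {
    # $1 = vm.nkmempages, $2 = hw.pagesize
    echo $(( $1 * $2 ))
}

# Read live values where sysctl exists; otherwise fall back to the post's
# 4096 pages and a 4 KiB page so the script still runs elsewhere.
report_arena() {
    pages=$(sysctl -n vm.nkmempages 2>/dev/null || echo 4096)
    pgsz=$(sysctl -n hw.pagesize 2>/dev/null || echo 4096)
    echo "vm.nkmempages=$pages hw.pagesize=$pgsz arena=$(kmem_arena_bytes "$pages" "$pgsz") bytes"
}

# Emit $2 constructed block rules starting at index $1, one per /32 in
# 10.0.0.0/8, in ipf.conf syntax. Distinct indices give distinct rules.
gen_rules() {
    i=$1; end=$(( $1 + $2 ))
    while [ "$i" -lt "$end" ]; do
        printf 'block in quick on fxp0 from 10.%d.%d.%d/32 to any\n' \
            $(( (i / 65536) % 256 )) $(( (i / 256) % 256 )) $(( i % 256 ))
        i=$(( i + 1 ))
    done
}

# Load up to $1 rules in batches of $2 into the active list (ipf -A -f -)
# and print how many went in before ipf refused a batch. A refusal at
# roughly the same count every run is the "no more space" symptom from
# the post; raise NKMEMPAGES and repeat.
find_rule_ceiling() {
    total=$1; batch=$2; loaded=0
    while [ "$loaded" -lt "$total" ]; do
        if ! gen_rules "$loaded" "$batch" | ipf -A -f - >/dev/null 2>&1; then
            break
        fi
        loaded=$(( loaded + batch ))
    done
    echo "$loaded"
}

report_arena
# Only touch the live rule set when explicitly asked: ./probe.sh probe
if [ "${1:-}" = "probe" ]; then
    echo "rules loaded before refusal: $(find_rule_ceiling 40000 1000)"
fi
```

Run it as root on the firewall with the `probe` argument on a test box only: every batch that succeeds is left in the active rule list, so follow up with `ipf -Fa` to flush, and compare the ceiling before and after the NKMEMPAGES rebuild.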