Subject: Large ipf Rule Sets - Memory Usage and NetBSD 2.1_Stable
To: None <tech-net@netbsd.org>
From: None <yancm@sdf.lonestar.org>
List: tech-net
Date: 03/24/2006 16:31:25
I have been using ipf to block some large swaths of unwelcome
address ranges for a while now.

My current (working) rule sets consist of about 85,000 mostly
symmetric input and output rules for ~170,000 rules total.

This appears to occupy about 85MB of kernel memory, which is
where ipf memory resides under NetBSD.

Question 1: The ascii files for these rules only occupy about 12-13MB.
Is the 85MB number reflective of some sort of allocation error?
(I would expect the in memory storage to be smaller since binary
coding can be used?)

Question 2: If I flush the rulesets, I do not seem to get this
kernel memory back. How can I determine if this is a NetBSD kernel
issue or an ipf issue?

NetBSD 2.1_Stable,
# ipf -V
ipf: IP Filter: v4.1.3 (396)
Kernel: IP Filter: v4.1.3

[I'm manually cross-posting this query to the tech-net@netbsd
and ipf mailing lists.
If I make progress, I will send a summary to both.]