tech-net archive


NPF config data limit



Hi tech-net,

NPF currently hard-codes a 4 * 1024 * 1024 byte limit in the kernel on the amount of config data that can be loaded for processing.

This patch makes the limit tunable at run time via sysctl. Some users have larger computing resources
that can safely accommodate a larger config size, hence the need for a dynamic control.

The default remains 4 * 1024 * 1024 bytes, but it can be set to anything between a minimum of one page and a maximum of the size of your physical memory.
Tested, and the config size limit updates cleanly.







? htdocs/Gallery/.new.HrilbL
? src/diffs
? src/sys/external/bsd/common/include/.DS_Store
Index: src/sys/net/npf/npf_os.c
===================================================================
RCS file: /cvsroot/src/sys/net/npf/npf_os.c,v
retrieving revision 1.23
diff -u -r1.23 npf_os.c
--- src/sys/net/npf/npf_os.c	1 Jul 2025 18:42:37 -0000	1.23
+++ src/sys/net/npf/npf_os.c	22 Jun 2026 08:49:44 -0000
@@ -53,6 +53,9 @@
 #include <sys/pserialize.h>
 #include <sys/socketvar.h>
 #include <sys/uio.h>
+#include <sys/sysctl.h>
+#include <sys/syslog.h>
+#include <sys/systm.h>
 
 #include <netinet/in.h>
 #include <netinet6/in6_var.h>
@@ -86,8 +89,13 @@
 
 #define	NPF_IOCTL_DATA_LIMIT	(4 * 1024 * 1024)
 
+uint64_t npf_ioc_data_limit = NPF_IOCTL_DATA_LIMIT;
+
+extern psize_t physmem;
+
 static int	npf_pfil_register(bool);
 static void	npf_pfil_unregister(bool);
+static void sysctl_net_npf_limit_setup(struct sysctllog **);
 
 static int	npf_dev_open(dev_t, int, int, lwp_t *);
 static int	npf_dev_close(dev_t, int, int, lwp_t *);
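Review bot: `extern psize_t physmem;` at the top of the hunk redeclares a kernel global by hand instead of including its header; if I recall correctly NetBSD already exports it from `<uvm/uvm_extern.h>`, and including that header lets the compiler catch a type mismatch rather than silently linking against a differently-typed symbol. The new `uint64_t npf_ioc_data_limit` is also a non-static global with no comment on its units or on who reads it; unless another file needs it, make it `static` and document it, e.g. `/* Byte limit on config data accepted for loading; defaults to NPF_IOCTL_DATA_LIMIT, tunable via net.npf.datalimit. */`. With this change `NPF_IOCTL_DATA_LIMIT` only serves as the default value, which the comment should say so readers do not take the macro for the enforced bound.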
@@ -382,6 +390,61 @@
 	ifp->if_npf_private = arg;
 }
 
+static int
+sysctl_npf_get_limit(SYSCTLFN_ARGS)
+{
+	struct sysctlnode node;
+	uint64_t new_size;
+	int error;
+
+	node = *rnode;
+	node.sysctl_data = &new_size;
+	new_size = npf_ioc_data_limit;
+
+	error = sysctl_lookup(SYSCTLFN_CALL(&node));
+	if (error || newp == NULL)
+		return error;
+
+	if (new_size < PAGE_SIZE || new_size > physmem)
+		return EINVAL;
+
+	npf_ioc_data_limit = new_size;
+
+	return 0;
+}
+
+SYSCTL_SETUP(sysctl_net_npf_limit_setup, "npf sysctl")
+{
+	int error;
+	const struct sysctlnode *node;
+
+	error = sysctl_createv(clog, 0, NULL, &node,
+		       CTLFLAG_PERMANENT,
+		       CTLTYPE_NODE, "npf",
+		       SYSCTL_DESCR("NPF related settings"),
+		       NULL, 0, NULL, 0,
+		       CTL_NET, CTL_CREATE, CTL_EOL);
+
+	if (error != 0)
+		goto bad;
+
+	error = sysctl_createv(clog, 0, NULL, NULL,
+		       CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+		       CTLTYPE_QUAD, "datalimit",
+		       SYSCTL_DESCR("NPF config data limit settings"),
+		       sysctl_npf_get_limit, 0, &npf_ioc_data_limit, 0,
+			   CTL_NET, node->sysctl_num, CTL_CREATE, CTL_EOL);
+	if (error != 0)
+		goto bad;
+
+	return;
+
+bad:
+	log(LOG_ERR, "%s: could not create a sysctl node for net.npf.datalimit\n",
+	    __func__);
+	return;
+}
+
 #ifdef _KERNEL
 
 /*
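Review bot: The range check at `if (new_size < PAGE_SIZE || new_size > physmem)` compares a byte count against `physmem`, which NetBSD keeps as a count of pages rather than bytes, so the upper bound is far smaller than intended: on a machine with 4 KiB pages and 8 GiB of RAM `physmem` is roughly 2 million, and any value above about 2 MiB, including the 4 MiB default the variable starts at, is rejected with EINVAL. The comparison should scale to bytes, `if (new_size < PAGE_SIZE || new_size > (uint64_t)physmem * PAGE_SIZE)`, so the sysctl actually honours the "up to physical memory" bound the description promises. The handler is named `sysctl_npf_get_limit` but it is the write path too (it validates and stores `npf_ioc_data_limit`), so a neutral name such as `sysctl_npf_data_limit` plus a short comment stating the accepted range in bytes would read better. The message at the `bad:` label names `net.npf.datalimit` even when it was the parent `net.npf` node that failed; passing the failing node name to `log()` would make the diagnostic accurate. I do not see the consumer of the limit in this diff, so whether the load path now reads `npf_ioc_data_limit` instead of `NPF_IOCTL_DATA_LIMIT` cannot be checked here.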


Emmanuel






