Add flags to rc.d/ipfilter. Use it from rc.conf like

ipfilter=YES ipfilter_flags="-T fr_statemax=18963,fr_statesize=27091"

Ok: Christos Zoulas <christos@netbsd.org>

etc/defaults/rc.conf

@@ -1,4 +1,4 @@
-#	$NetBSD: rc.conf,v 1.100 2009/01/14 22:07:55 haad Exp $
+#	$NetBSD: rc.conf,v 1.101 2009/03/23 18:52:02 hannken Exp $
 #
 # /etc/defaults/rc.conf --
 #	default configuration of /etc/rc.conf
@@ -143,7 +143,7 @@ securelevel=""					# securelevel to set to
 
 # Networking startup.
 #
-ipfilter=NO					# uses /etc/ipf.conf
+ipfilter=NO		ipfilter_flags=""	# uses /etc/ipf.conf
 ipnat=NO					# uses /etc/ipnat.conf
 ipfs=NO			ipfs_flags=""		# save/load ipnat and ipf states
 ipsec=NO					# uses /etc/ipsec.conf

etc/rc.d/ipfilter

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# $NetBSD: ipfilter,v 1.17 2008/11/22 20:23:33 tsutsui Exp $
+# $NetBSD: ipfilter,v 1.18 2009/03/23 18:52:02 hannken Exp $
 #
 
 # PROVIDE: ipfilter
@@ -36,7 +36,7 @@ ipfilter_prestart()
 ipfilter_start()
 {
 	echo "Enabling ipfilter."
-	/sbin/ipf -E
+	/sbin/ipf ${rc_flags} -E
 
 		# Do the flush first; since older ipf has different semantics.
 		#