pf: Don't hold PF_RULES_WLOCK during copyin() on DIOCRCLRTSTATS

We cannot hold a non-sleepable lock during copyin(). This means we can't
safely count the table, so instead we fall back to the pf_ioctl_maxcount
used in other ioctls to protect against overly large requests.

Reported by: syzbot+81e380344d4a6c37d78a@syzkaller.appspotmail.com
MFC after: 1 week

(cherry picked from commit ea36212bf5711206bbaf5362a23ebb52c7f7e2a4)