pf dealt poorly with certain types of IPV6 icmp packets.

Apply by doing:
	cd /usr/src
	patch -p0 < 006_pf.patch
And then rebuild your kernel.

Index: sys/net/pf.c
===================================================================
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.163
diff -u -r1.163 pf.c
--- sys/net/pf.c	15 Oct 2001 16:22:21 -0000	1.163
+++ sys/net/pf.c	13 Nov 2001 18:08:05 -0000
@@ -1,4 +1,4 @@
-/*	$OpenBSD: pf.c,v 1.163 2001/10/15 16:22:21 dhartmei Exp $ */
+/*	$OpenBSD: pf.c,v 1.166 2001/11/13 17:45:26 frantzen Exp $ */
 
 /*
  * Copyright (c) 2001 Daniel Hartmeier
@@ -3953,12 +3953,8 @@
 			pd2.src = (struct pf_addr *)&h2_6.ip6_src;
 			pd2.dst = (struct pf_addr *)&h2_6.ip6_dst;
 			pd2.ip_sum = NULL;
+			off2 = ipoff2 + sizeof(h2_6);
 			do {			
-				while (off >= m->m_len) {
-					off -= m->m_len;
-					m = m->m_next;
-				}
-
 				switch (pd2.proto) {
 				case IPPROTO_FRAGMENT: 
 					/* XXX we don't handle fagments yet */
@@ -3968,11 +3964,16 @@
 				case IPPROTO_ROUTING:
 				case IPPROTO_DSTOPTS: {
 					/* get next header and header length */
-					struct _opt6 *opt6;
+					struct _opt6 opt6;
 
-					opt6 = (struct _opt6 *)(mtod(m, caddr_t) + off2);
-					pd2.proto = opt6->opt6_nxt;
-					off2 += (opt6->opt6_hlen + 1) * 8;
+					if (!pf_pull_hdr(m, off2, &opt6,
+					    sizeof(opt6), NULL, NULL, pd2.af)) {
+						DPFPRINTF(PF_DEBUG_MISC,
+						    ("pf:  ICMPv6 short opt\n"));
+						return(PF_DROP);
+					}
+					pd2.proto = opt6.opt6_nxt;
+					off2 += (opt6.opt6_hlen + 1) * 8;
 					/* goto the next header */
 					break;
 				}