diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c
--- a/sys/netpfil/pf/pf_norm.c
+++ b/sys/netpfil/pf/pf_norm.c
@@ -1198,6 +1198,7 @@
 			return (PF_DROP);
 
 		h = mtod(pd->m, struct ip *);
+		pd->tot_len = htons(h->ip_len);
 
  no_fragment:
 		/* At this point, only IP_DF is allowed in ip_off */
@@ -1228,6 +1229,7 @@
     struct pf_pdesc *pd)
 {
 	struct pf_krule		*r;
+	struct ip6_hdr		*h;
 	struct ip6_frag		 frag;
 	bool			 scrub_compat;
 
@@ -1294,6 +1296,8 @@
 		pd->m = *m0;
 		if (pd->m == NULL)
 			return (PF_DROP);
+		h = mtod(pd->m, struct ip6_hdr *);
+		pd->tot_len = ntohs(h->ip6_plen) + sizeof(struct ip6_hdr);
 	}
 
 	return (PF_PASS);