pf: stricter address family checks in icmp-in-icmp

If ipv4+icmp6 or ipv6+icmp packets were embedded into an icmp
payload, we missed to drop them. While there, also add a reason
to the corresponding check in pf_test().
ok mcbride@ claudio@

Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, 7ce93f3346
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D46929