
pf: limit how many headers we look at

Description

Limit the nested header chain for IPv6 extension headers and for
authentication headers in the IPv4 case. This prevents spending
excessive CPU time on crafted packets.
OK henning@

Obtained from: OpenBSD, bluhm <bluhm@openbsd.org>, 2e5bc81177
Sponsored by: Rubicon Communications, LLC ("Netgate")
Differential Revision: https://reviews.freebsd.org/D50659
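
The kind of bound the commit message describes, as an added example (not the pf code from this commit): a walker over an IPv6 extension header chain that gives up after a fixed number of headers. The cap of 8, the function names and the return codes are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EXAMPLE_MAX_EXT_HDRS 8 /* assumed cap; pf's value is not on the page */
enum { WALK_OK = 0, WALK_TRUNCATED = -1, WALK_TOO_MANY = -2 };
/* Header types this example treats as part of the chain. */
#define IS_EXT(nh) ((nh) == 0 || (nh) == 43 || (nh) == 60 || (nh) == 44 || (nh) == 51)

/* Walk the chain in buf (the bytes after the fixed 40-byte IPv6 header). On
 * WALK_OK, *proto is the upper-layer protocol and *off its offset in buf. */
static int walk_ext_headers(const uint8_t *buf, size_t len, uint8_t nh,
    uint8_t *proto, size_t *off) {
    size_t pos = 0, hlen;
    int seen = 0;
    while (IS_EXT(nh)) {
        if (++seen > EXAMPLE_MAX_EXT_HDRS)
            return (WALK_TOO_MANY); /* stop spending CPU on this packet */
        if (len - pos < 8)
            return (WALK_TRUNCATED);
        if (nh == 44)           /* Fragment: fixed 8 bytes */
            hlen = 8;
        else if (nh == 51)      /* AH: length field counts 4-byte units, minus 2 */
            hlen = ((size_t)buf[pos + 1] + 2) * 4;
        else                    /* HbH, Routing, DestOpts: 8-byte units, minus 1 */
            hlen = ((size_t)buf[pos + 1] + 1) * 8;
        if (hlen > len - pos)
            return (WALK_TRUNCATED);
        nh = buf[pos];          /* Next Header is the first byte of each header */
        pos += hlen;
    }
    *proto = nh;
    *off = pos;
    return (WALK_OK);
}
/* Constructed input: n minimal Destination Options headers, the last one -> TCP (6). */
static int walk_chain_of(int n) {
    uint8_t buf[512] = {0}, proto;
    size_t off;
    if (n < 1 || n > 64)
        return (WALK_TRUNCATED);
    for (int i = 0; i < n; i++)
        buf[i * 8] = (i == n - 1) ? 6 : 60;
    return (walk_ext_headers(buf, (size_t)n * 8, 60, &proto, &off));
}

int main(void) {
    printf("3 headers: %d, 40 headers: %d\n", walk_chain_of(3), walk_chain_of(40));
    return (0);
}
```

Without the `seen` counter, the per-packet cost grows with the number of headers a sender chooses to nest; with it, the work is bounded no matter how long the chain is.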

Details

Provenance
kp authored on May 26 2025, 9:55 AM
Differential Revision
D50659: pf: limit how many headers we look at
Parents
rG3be4d54ecd11: pf: use 'struct ah' for the AH extension header rather than 'struct ip6_ext'