Evaluate packet size after the firewall had its chance

Defer the packet size check until after the firewall has had a look at it. This
means that the firewall now has the opportunity to (re-)fragment an oversized
packet.

Differential Revision: https://reviews.freebsd.org/D1815
Reviewed by: ae
Approved by: gnn (mentor)