Apply by doing:
	cd /usr/src
	patch -p0 < 004_pf.patch

And then build, install and boot a new kernel:
	cd /usr/src/sys/arch/`arch -s`/conf
	config GENERIC
	cd ../compile/GENERIC
	make depend && make && sudo make install

If you are using the multiprocessor kernel, replace GENERIC with
GENERIC.MP in the commands above.

Index: sys/net/pf.c
===================================================================
RCS file: /cvs/src/sys/net/pf.c,v
retrieving revision 1.552
retrieving revision 1.552.2.1
diff -u -p -r1.552 -r1.552.2.1
--- sys/net/pf.c	21 Aug 2007 15:57:27 -0000	1.552
+++ sys/net/pf.c	27 Nov 2007 16:37:57 -0000	1.552.2.1
@@ -819,6 +819,8 @@ pf_insert_state(struct pfi_kif *kif, str
 		TAILQ_FOREACH(sp, &cur->states, next)
 			if (sp->kif == kif) {	/* collision! */
 				pf_stateins_err("tree_lan_ext", s, kif);
+				pf_detach_state(s,
+				    PF_DT_SKIP_LANEXT|PF_DT_SKIP_EXTGWY);
 				return (-1);
 			}
 		pf_detach_state(s, PF_DT_SKIP_LANEXT|PF_DT_SKIP_EXTGWY);
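Review bot: The detach added on the `tree_lan_ext` collision path repeats the call and flag pair used on the non-error path just below the loop, and nothing says why a failed insert must also detach `s`. A short comment above the new call would help, e.g. `/* insert failed: release s's state key before returning the error */` (the ownership is inferred from the call, so confirm the wording against pf_detach_state). pf_insert_state continues past the hunk, so it cannot be checked from here whether every other `return (-1)` that follows a `pf_stateins_err()` does the same cleanup; those paths should be checked for the same treatment.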
@@ -961,10 +963,8 @@ pf_src_tree_remove_state(struct pf_state
 	u_int32_t timeout;
 
 	if (s->src_node != NULL) {
-		if (s->state_key->proto == IPPROTO_TCP) {
-			if (s->src.tcp_est)
-				--s->src_node->conn;
-		}
+		if (s->src.tcp_est)
+			--s->src_node->conn;
 		if (--s->src_node->states <= 0) {
 			timeout = s->rule.ptr->timeout[PFTM_SRC_NODE];
 			if (!timeout)
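Review bot: With the `s->state_key->proto == IPPROTO_TCP` test removed, `--s->src_node->conn` is guarded only by `s->src.tcp_est`, so the code now relies on that flag never being set for a non-TCP state, and nothing in the hunk records this. Presumably the test was dropped because `s->state_key` may already be detached when this function runs, which would make the old dereference unsafe. A comment such as `/* state_key may already be detached here; tcp_est is only set for TCP states */` would document both assumptions. The decrement itself is unchecked, so it is worth confirming that `conn` cannot be decremented twice for one state, since a skewed per-source connection count would presumably affect any limit enforced from it. pf_src_tree_remove_state continues outside the hunk.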
