Same problem here. I have reproduced the bug in 3 different PCs (all running 8.04.1 server, one i686, two AMD64). Here is the summary of one of them:

arch: x86_64
kernel: 2.6.24-19-server
OS: Ubuntu Server 8.04.1 (AMD64)
software RAID1, reiserfs at the root, xfs at an archive partition

after a clean install:
  apt-get update
  apt-get upgrade
  apt-get install acpid smartmontools bridge-utils ebtables screen

/etc/network/interfaces:
-----
#
auto lo
iface lo inet loopback
#
auto eth2
iface eth2 inet static
        address 192.168.1.200
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        gateway 192.168.1.1
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 208.67.222.222 208.67.220.220
        dns-search local.lan
#
auto br0
iface br0 inet manual
        bridge_ports eth0 eth1
        bridge_stp on
        bridge_maxwait 0
#
-----
reboot
-----
ebtables -t broute -F
ebtables -t broute -A BROUTING -p IPv4 --ip-protocol 6 --ip-destination-port 80 -j redirect --redirect-target ACCEPT

as soon as the traffic starts, the kernel crashes, with or without complementing the ebtables rules with iptables:

iptables -t nat -F
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -j REDIRECT --to-port 8888
-----
[ 1752.817491] Unable to handle kernel NULL pointer dereference at 0000000000000000 RIP:
[ 1752.833900]  [<ffffffff883c33d8>] :ebtables:ebt_do_table+0x4e8/0x5e0
[ 1752.860264] PGD 1d1e4067 PUD 1d1e5067 PMD 0
[ 1752.873185] Oops: 0002 [1] SMP
[ 1752.882684] CPU 0
[ 1752.888754] Modules linked in: ebt_redirect ebt_ip video output battery container sbs sbshc dock ac iptable_filter ip_tables x_tables xfs ebtable_broute bridge ebtable_nat ebtable_filter ebtables sbp2 lp loop evdev parport_pc parport psmouse serio_raw pcspkr ipv6 k8temp snd_hda_intel button snd_pcm snd_timer snd_page_alloc snd_hwdep snd soundcore i2c_nforce2 i2c_core reiserfs sg sr_mod cdrom sd_mod ata_generic pata_amd ohci1394 forcedeth sata_nv pata_acpi ieee1394 sundance mii ehci_hcd ohci_hcd libata scsi_mod usbcore raid10 raid456 async_xor async_memcpy async_tx xor raid1 raid0 multipath linear md_mod thermal processor fan fbcon tileblit font bitblit softcursor fuse
[ 1753.069697] Pid: 0, comm: swapper Not tainted 2.6.24-19-server #1
[ 1753.087919] RIP: 0010:[<ffffffff883c33d8>]  [<ffffffff883c33d8>] :ebtables:ebt_do_table+0x4e8/0x5e0
[ 1753.115013] RSP: 0018:ffffffff80687d80  EFLAGS: 00010246
[ 1753.130896] RAX: 0000000000000001 RBX: ffffc200003250a0 RCX: 0000000000000000
[ 1753.152233] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff81001d07ae00
[ 1753.173563] RBP: ffffc20000325030 R08: ffffc20000325110 R09: 0000000000000008
[ 1753.194907] R10: 00000000000000b8 R11: ffffffff802204e0 R12: ffffc20000325000
[ 1753.216240] R13: ffff81001e52d000 R14: 0000000000000000 R15: 0000000000000001
[ 1753.237574] FS:  00007f7641f3f700(0000) GS:ffffffff805c4000(0000) knlGS:0000000000000000
[ 1753.261769] CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
[ 1753.278966] CR2: 0000000000000000 CR3: 000000001d898000 CR4: 00000000000006e0
[ 1753.300299] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1753.321633] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 1753.342967] Process swapper (pid: 0, threadinfo ffffffff80626000, task ffffffff8058a620)
[ 1753.367162] Stack:  ffff81001c920500 0000000000000070 0000000000000000 ffff81001d07ae00
[ 1753.391361]  0000000500000000 ffffffff883e569c ffffc20000323080 ffffc20000323080
[ 1753.413680]  0000000001009900 0000000000000000 ffffc20000325000 ffff81001d07ae00
[ 1753.435431] Call Trace:
[ 1753.443320]  <IRQ>  [<ffffffff883e502e>] :ebtable_broute:ebt_broute+0x1e/0x30
[ 1753.464716]  [<ffffffff883d3e0c>] :bridge:br_handle_frame+0xcc/0x200
[ 1753.483714]  [<ffffffff803ef02a>] netif_receive_skb+0x1aa/0x490
[ 1753.501410]  [<ffffffff803f1ee5>] process_backlog+0x75/0xe0
[ 1753.518070]  [<ffffffff803f1868>] net_rx_action+0x128/0x230
[ 1753.534734]  [<ffffffff80243e25>] __do_softirq+0x75/0xe0
[ 1753.550615]  [<ffffffff8020d50c>] call_softirq+0x1c/0x30
[ 1753.566495]  [<ffffffff8020ed25>] do_softirq+0x35/0x90
[ 1753.581860]  [<ffffffff80243da8>] irq_exit+0x88/0x90
[ 1753.596704]  [<ffffffff8020ef70>] do_IRQ+0x80/0x100
[ 1753.611288]  [<ffffffff8020b390>] default_idle+0x0/0x40
[ 1753.626912]  [<ffffffff8020b390>] default_idle+0x0/0x40
[ 1753.642537]  [<ffffffff8020c891>] ret_from_intr+0x0/0xa
[ 1753.658157]  <EOI>  [<ffffffff802204e0>] lapic_next_event+0x0/0x10
[ 1753.676692]  [<ffffffff8020b3b9>] default_idle+0x29/0x40
[ 1753.692573]  [<ffffffff8020b43f>] cpu_idle+0x6f/0xc0
[ 1753.707420]  [<ffffffff80630bd5>] start_kernel+0x2c5/0x350
[ 1753.723822]  [<ffffffff8063012e>] _sinittext+0x12e/0x140
[ 1753.739703]
[ 1753.744161]
[ 1753.744161] Code: 4c 89 22 89 42 10 8b 45 6c 48 8d 44 05 00 48 89 42 08 48 8b
[ 1753.771305] RIP  [<ffffffff883c33d8>] :ebtables:ebt_do_table+0x4e8/0x5e0
[ 1753.791397]  RSP <ffffffff80687d80>
[ 1753.801829] CR2: 0000000000000000
[ 1753.812382] ---[ end trace cf18989df8dee195 ]---
[ 1753.826239] Kernel panic - not syncing: Aiee, killing interrupt handler!