ipsec: filtertunnel kind of helps, but is the wrong approach

src/etc/inc/system.inc

@@ -130,12 +130,10 @@ function activate_sysctls()
     global $config;
 
     $sysctls = array(
-        'net.inet.ipsec.filtertunnel' => '1',
-        'net.inet6.ipsec6.filtertunnel' => '1',
-        'net.enc.in.ipsec_bpf_mask' => '0x0002',
-        'net.enc.in.ipsec_filter_mask' => '0x0002',
-        'net.enc.out.ipsec_bpf_mask' => '0x0001',
-        'net.enc.out.ipsec_filter_mask' => '0x0001',
+        'net.enc.in.ipsec_bpf_mask' => '2', /* after processing */
+        'net.enc.in.ipsec_filter_mask' => '2', /* after processing */
+        'net.enc.out.ipsec_bpf_mask' => '1', /* before processing */
+        'net.enc.out.ipsec_filter_mask' => '1', /* before processing */
     );
 
     if (isset($config['sysctl']['item'])) {