Disable the "cloner" event handler; we are getting interface
events before the firewall is fully initialized and also no vnet
information, thus leading to uninitialised memory accesses.
In addition it is unclear why we need it in the first place.
If it turns out to be needed, we'll need a dedicated event handler
for it.
We make sure ipf_running is initialized statically to something
that indicates really not running; though the problem we were trying to
address with that was solved differently.
Very specially handle the dynamic sysctls added. The problem is
that "ipmain" is the virtualized struct, but the fields used for
the sysctls are hanging off memory allocated and attached to the
virtualized "ipmain"; thus the standard VNET macros and sysctl handling
do not work. We still say they are VNET sysctls to get the proper
protection checks in the VIMAGE case; to solve the problem of
accessing the right bit of memory hanging off each per-VNET ipmain,
we use a dedicated handler function wrapping around sysctl_ipf_int(),
undoing the base calculation from kern_sysctl.c and then adding the
passed-in offset into the right struct depending on the handler.
A bit of a mess exposing VNET internals this way, but the only way
to keep the code without having to massively restructure ipf internals.
Sponsored by: The FreeBSD Foundation