Reset firewall mark after IPsec decryption

This change ensures that the firewall marks post-decryption are reset, due to routing rules not handling decapsulated packets properly.

At present, forwarding rules (and a few others) expect the inbound network to be clear, and not have a network explicitly selected. However, because IPsec traffic routes through the filter_INPUT chain before being decrypted, the input interface is stamped onto it for packet mirroring purposes (ICMP/TCP acks, etc.), and no longer matches the relevant rules for forwarding decapsulated IPsec packets.

Bug: 185495453
Test: atest FrameworksVcnTests
Test: atest CtsNetTestCases:IpSecManagerTunnelTest
Test: atest CtsNetTestCases:IpSecManagerTest
Test: atest Ikev2VpnTest
Test: atest CtsIkeTestCases
Change-Id: Ib47d53c3e53295667a8d4645b8937eb834278026