PF Packets from gre interface bypassing PF?

I've got a router set up with a few GRE tunnels, gre0 and gre1 along with local WAN / trusted LAN / untrusted LAN interfaces. I use packet tagging as described in the PF handbook to classify ingress traffic and then filter on egress. However it seems that I can't tag the packets ingress from gre0 or gre1.

I've tried a few things, including just putting a block in log quick on gre0 at the top of my rule set, but that rule doesn't get matched at all, according to pfctl -s rules -v.

Are the gre interfaces special in some way? Can I get pf to see and act on those packets?

This is on FreeBSD 10.2-RELEASE-p12, custom kernel to enable ALTQ and IPSEC.

Do you filter IPsec traffic at all? Packets passing through local IPsec processing can be filtered on the enc0 pseudo-interface. Use interface bound stated when filtering on enc0.