Add VNI filter to oxide-vpc firewall

[plotnick]

For firewall rules with target or host filter type "VPC", we'd like to filter directly on the VNI associated with that VPC rather than filtering on each subnet in the VPC.

From the discussion on Omicron#1756:

We could add first class support for this type of firewall rule in oxide-vpc itself, but it would require a little work. On decap we would extract the VNI from Geneve and store it as action metadata to pass through the port's processing pipeline. The firewall layer could then add support for filtering on this value. This would be the most efficient in terms of control plane churn and oxide-vpc implementation. I kind of like this idea but not sure there are any edge cases I'm not thinking of.

See also RFD 21 table 14.

[rzezeski]

Addressed in 486ffd8.