Optimize restore network setup

[sjmiller609]

Summary

• reduces restore network setup work by listing allocations once and reusing that snapshot for name, IP, and MAC checks.
• removes the extra post-create TAP lookup by reusing the netlink handle returned during TAP creation.
• replaces shelling out to ip link ... bridge_slave isolated on with netlink bridge port isolation.

Tests

• git diff --check
• go test ./lib/network -count=1
• go test -tags containers_image_openpgp ./lib/instances -run TestCreateInstanceClearsRetentionStateBeforeMetadataSave -count=1

---

Note

Medium Risk
Touches live VM network allocation and TAP/bridge isolation paths; behavior should be equivalent but errors or kernel/netlink differences could affect restores and isolated networks.

Overview
CreateAllocation now loads the allocation list once while holding the manager lock and reuses that snapshot for instance-name checks, IP pick, and MAC generation via new helpers (nameExistsInAllocations, allocateNextIPFromAllocations, allocateUniqueMACFromAllocations), cutting repeated ListAllocations work during allocation.

On Linux TAP setup, the code reuses the netlink link object returned from LinkAdd instead of a second LinkByName lookup, and sets bridge port isolation with netlink.LinkSetIsolated instead of shelling out to ip link … bridge_slave isolated on.

^{Reviewed by Cursor Bugbot for commit 4d71b40. Bugbot is set up for automated code reviews on this repo. Configure here.}

[firetiger-agent]

Firetiger deploy monitoring skipped

This PR didn't match the auto-monitor filter configured on your GitHub connection:

PRs in the kernel, infra, hypeman, and hypeship repos. kernel is a ~mono repo with many logical services underneath, ensure to focus on the implicated service for the PR

Reason: PR repository is not specified; cannot confirm it belongs to kernel, infra, hypeman, or hypeship repos.

To monitor this PR anyway, reply with @firetiger monitor this.