krpc/clnt_nl: filter RPC replies on vnet

RPC calls are filtered by the Netlink system itself, but the RPC replies
are not. With legitimate use the chance of a xid collision is zero, since
global clients use global atomically updated 32-bit counter for that.
However, a malicious jail may blindly inject replies guessing the xid,
where guessing is trivial. Protect against that checking the vnet, too.