LXD containers on a VLAN aware bridge?

So turns out I do need VLANFiltering=true, to get this to work.

I was able to fix it by modifying my network interfaces as suggested here: https://github.com/systemd/systemd/issues/8087#issuecomment-378714138

30-bridge0.netdev:

[NetDev]
Name=bridge0
Kind=bridge

[Bridge]
DefaultPVID=1
VLANFiltering=true
STP=false

30-bridge0.network:

[Match]
Name=bridge0

[Network]
VLAN=direct

[BridgeVLAN]
VLAN=2-4094

Now I don’t actually have a VLAN7 interface on my host, but the container can connect using this bridge config:

config: {}
description: ""
devices:
  eth0:
    nictype: bridged
    parent: bridge0
    type: nic
    vlan: "7"
name: vlan7
used_by: []

It gets the correct IPv4 and IPv6 addresses, and my host can ping the container.

I also had to add this to my bond0 interface.

[BridgeVLAN]
VLAN=2-4094

I.e.:

20-bond0.network:

[Match]
Name=bond0

[Network]
BindCarrier=eno1 eno2
Description=Unconfigured bond interface
Bridge=bridge0

[BridgeVLAN]
VLAN=2-4094

20-bond0.netdev:

[NetDev]
Name=bond0
Kind=bond

[Bond]
Mode=802.3ad
MIIMonitorSec=1s
LACPTransmitRate=fast
UpDelaySec=2s
DownDelaySec=8s
TransmitHashPolicy=layer2+3

Finally the one that binds them:

10-all-nic-to-bond0.network:

[Match]
Name=eno1 eno2
Type=ether

[Network]
Bond=bond0
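Added example, not part of the original post: a static check that a set of systemd-networkd units has the settings the post ended up needing, namely `VLANFiltering=true` on the bridge and a `[BridgeVLAN]` range covering the container's VLAN on both the bridge and the bond0 uplink. The function names are hypothetical, the unit texts are constructed from the files shown above, and untagged membership via `DefaultPVID` is not modelled.

```python
# Constructed sample input: the relevant unit files from the post, one string each.
BRIDGE_NETDEV = "[NetDev]\nName=bridge0\nKind=bridge\n[Bridge]\nDefaultPVID=1\nVLANFiltering=true\nSTP=false\n"
BRIDGE_NETWORK = "[Match]\nName=bridge0\n[Network]\nVLAN=direct\n[BridgeVLAN]\nVLAN=2-4094\n"
UPLINK_NETWORK = "[Match]\nName=bond0\n[Network]\nBridge=bridge0\n[BridgeVLAN]\nVLAN=2-4094\n"

TRUE_VALUES = {"1", "yes", "y", "true", "t", "on"}  # systemd boolean spellings

def parse_unit(text):
    """Parse a unit file into [(section, {key: [values]})], keeping repeated sections."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)
            sections[-1][1].setdefault(key.strip(), []).append(value.strip())
    return sections

def allowed_vlans(text):
    """Return (low, high) pairs from every [BridgeVLAN] VLAN= line (single id or range)."""
    ranges = []
    for name, keys in parse_unit(text):
        if name == "BridgeVLAN":
            for value in keys.get("VLAN", []):
                low, _, high = value.partition("-")
                ranges.append((int(low), int(high or low)))
    return ranges

def check(bridge_netdev, bridge_network, uplink_network, vid):
    """List which of the post's requirements are missing for tagged VLAN `vid`."""
    problems = []
    bridge = {}
    for name, keys in parse_unit(bridge_netdev):
        if name == "Bridge":
            bridge.update(keys)
    if bridge.get("VLANFiltering", ["false"])[-1].lower() not in TRUE_VALUES:
        problems.append("bridge: VLANFiltering is not enabled")
    for label, text in (("bridge", bridge_network), ("uplink", uplink_network)):
        if not any(low <= vid <= high for low, high in allowed_vlans(text)):
            problems.append(f"{label}: VLAN {vid} is not in any [BridgeVLAN] range")
    return problems

if __name__ == "__main__":
    print(check(BRIDGE_NETDEV, BRIDGE_NETWORK, UPLINK_NETWORK, 7) or "VLAN 7 is allowed end to end")
```

The same check can be run with a narrower `VLAN=` range on the uplink to confirm that only the VLAN ids containers are meant to use are permitted there.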