The current behaviour allows to change capabilities on a trunk device and
all vlan devices together, since no NIC can do for example checksum
offloading selectively on vlans. However, not only the trunk device can
be the configuration point for ioctl(2) but any vlan. This leads to a
very misleading behavior. Changing caps on a vlan would toggle them on
the trunk and all other vlans. This is how it looks like:

root@behemoth:~:|>ifconfig vlan1
vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500

options=303<RXCSUM,TXCSUM,TSO4,TSO6>
ether 00:25:90:03:0e:fa
inet 10.1.1.1 netmask 0xffffffff broadcast 10.1.1.1 
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
vlan: 1 parent interface: igb0
groups: vlan

root@behemoth:~:|>ifconfig vlan2 -txcsum
root@behemoth:~:|>ifconfig vlan1
vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500

ether 00:25:90:03:0e:fa
inet 10.1.1.1 netmask 0xffffffff broadcast 10.1.1.1 
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
vlan: 1 parent interface: igb0
groups: vlan

Oops, I didn't do anything to vlan1, but it changed. This is not an expected
behavior for a sysadmin. But the next problem is even worse. The propagation
had cleared IFCAP_VLAN_HWTAGGING on the parent, so if I try to undo harm and
turn back the "txcsum", it will not be propagated back to vlans:

root@behemoth:~:|>ifconfig igb0 txcsum
root@behemoth:~:|>ifconfig vlan1
vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500

ether 00:25:90:03:0e:fa
inet 10.1.1.1 netmask 0xffffffff broadcast 10.1.1.1 
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
vlan: 1 parent interface: igb0
groups: vlan

Fail!

The plan is to disable SIOCSIFCAP on vlan(4) and allow it only on the parent.