The talk outlines various ways of establishing a networking communication between a network namespace (a container) and the outer world, compares their performance and features.

Each namespace implements its own isolated network stack. Network packets comes to a network stack from network device. Five different device types that can be used as a packets sources for containers are demonstrated. Their properties (mostly performance and maintainability) and features are compared.

In addition, one more device type is described — the one that is currently only implemented in the OpenVZ containers. Its pros and cons, and ways it can be implemented in the mainline kernel are discussed.