> For HPC if you are interested in migration you need a separate IP per
> container. If you can take your IP address with you, migration of
> networking state is simple. If you can't take your IP address with
> you, a network container is nearly pointless from a migration
> perspective.

Eric, please, I know... I showed you a migration demo at OLS ;)

> Beyond that, from everything I have seen layer 2 is just much cleaner
> than any layer 3 approach short of Serge's bind filtering.
>
> Beyond that I have yet to see a clean semantics for anything
> resembling your layer 2 / layer 3 hybrid approach. If we can't have
> clear semantics it is by definition impossible to implement correctly
> because no one understands what it is supposed to do.
>
> Note. A true layer 3 approach has no impact on TCP/UDP filtering
> because it filters at bind time, not at packet reception time. Once
> you start inspecting packets I don't see what the gain is from not
> going all of the way to layer 2.

The bsdjail was just for information ...

- Daniel