by the8472
1480 days ago
If your concern is kernel attack surface then I have bad news for you. Inside the container's network namespace it's still using standard syscalls. Only on the host side does it take a detour through userspace. So you get all the downsides, none of the native performance and very few upsides.
It only benefits firewalls that still assume a machine has a single network interface without bridging/NATting/forwarding.