The industrial network server applications the authors encounter in their practice differ from the usual small, separate-process ones. In most cases, separating the traffic coming from/to the single-process, highly optimized application becomes a strong requirement: the network needs to be seen differently depending on which virtual entity inside the application accesses it. Traffic reflection (automatic routing for inbound connections) is also highly desired. Usually, confining the application to a container is not possible, but some level of cooperation from the application can be ensured instead.
A few prototypes were built using Linux policy-based routing and Linux kernel namespaces, combined with socket options and netfilter. Tests show good performance of these solutions; however, open questions still remain. This paper/talk explains the use case, goes over the techniques applied, and highlights the limitations of the networking subsystem that were encountered.
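The abstract only names the building blocks (socket options plus policy-based routing). The following is an added illustration, not code from the authors or their prototypes, of the cooperative pattern the text hints at: a single process tags each virtual entity's sockets with a firewall mark (SO_MARK, a Linux socket option that the abstract does not name; its use here is an assumption), so that `ip rule ... fwmark <mark> table <n>` and netfilter rules outside the process can steer and filter that entity's traffic separately. Setting SO_MARK requires CAP_NET_ADMIN, so the helper reports the failure as a negative errno instead of silently falling back to unseparated traffic.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* SO_MARK is Linux-specific (value 36 in the generic socket ABI). */
#ifndef SO_MARK
#define SO_MARK 36
#endif

/* Tag a socket with the fwmark of the virtual entity that owns it.
 * Policy routing then selects a per-entity table, e.g. (commands run outside
 * the application, shown as an assumed example):
 *   ip rule add fwmark 0x10 table 10
 *   ip route add default via 10.0.10.1 table 10
 * Returns 0 on success, -errno on failure (-EPERM without CAP_NET_ADMIN). */
int tag_socket_for_entity(int fd, uint32_t mark) {
    if (setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof mark) < 0)
        return -errno;
    return 0;
}

/* Read the mark back (no privilege needed); 0 means "untagged". */
int get_socket_mark(int fd, uint32_t *mark) {
    socklen_t len = sizeof *mark;
    if (getsockopt(fd, SOL_SOCKET, SO_MARK, mark, &len) < 0)
        return -errno;
    return 0;
}

/* Open a UDP socket for one virtual entity and verify that the mark stuck.
 * Returns 0 when the socket is correctly tagged, -EPERM when the process lacks
 * CAP_NET_ADMIN (the caller must then refuse to run unseparated), or another
 * -errno. The socket is closed before returning so the helper is side-effect free. */
int open_entity_socket(uint32_t mark) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -errno;
    int rc = tag_socket_for_entity(fd, mark);
    if (rc == 0) {
        uint32_t got = 0;
        rc = get_socket_mark(fd, &got);
        if (rc == 0 && got != mark)
            rc = -EINVAL;   /* kernel reported a different mark than requested */
    }
    close(fd);
    return rc;
}

/* Untagged sockets must read back mark 0; this needs no privilege. */
int untagged_socket_mark_is_zero(void) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -errno;
    uint32_t got = 0xffffffffu;
    int rc = get_socket_mark(fd, &got);
    close(fd);
    if (rc != 0)
        return rc;
    return got == 0 ? 0 : -EINVAL;
}

int main(void) {
    /* Constructed entity ids: each virtual entity gets its own mark/table. */
    const uint32_t entity_marks[] = { 0x10, 0x20, 0x30 };
    for (size_t i = 0; i < sizeof entity_marks / sizeof entity_marks[0]; i++) {
        int rc = open_entity_socket(entity_marks[i]);
        if (rc == 0)
            printf("entity mark 0x%x: tagged\n", entity_marks[i]);
        else
            printf("entity mark 0x%x: failed (%s)\n", entity_marks[i], strerror(-rc));
    }
    return 0;
}
```

Run as root (or with CAP_NET_ADMIN) the sockets come back tagged; as an unprivileged user each attempt reports "Operation not permitted", which is the point of checking the return value: an application that cooperates with external policy routing should treat an untagged socket as a configuration error rather than send the entity's traffic through the default table.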