So one approach would be to create one bridge per group of containers that you want to do accounting on together, then get the packet/byte counts off of that bridge.
I’d also like to point out that a user could likely work around your logic by renaming eth0 in the container and putting a dummy eth0 in its place with no traffic on it. That’s unless your specific logic directly tracks down the host side veth rather than using the statistics visible in the API (which query the container’s network namespace).
The numbers can’t persist as the actual interface is deleted on restarts and we can’t reset/set the value anyway.
Other than the bridge approach I mentioned, I actually can’t think of any way to implement this in a way that can’t be bypassed by root in the container. Even pulling the host side veth counters on container shutdown can be worked around by root in the container by simply deleting their eth0 device prior to reboot/shutdown, which then causes the kernel to delete the host side device along with its counters.
Some kind of cgroup could be implemented in the kernel to do such tracking in a way that’s not directly tied to an interface, but it’s not something that’s been done yet, nor has it been proposed as far as I can tell.
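As an added example (not part of the original post, and not LXD's own code), here is a small POSIX shell script that does the host-side accounting the reply describes: it reads an interface's counters from the host's sysfs, sums the counters of a group of host-side interfaces (a bridge, or the host side veths attached to it) from a `/proc/net/dev`-style table, and keeps a running total that survives the counter reset that happens when a veth is deleted and recreated on container restart. The interface names `lxdbr-web`, `vethWEB1`, `vethWEB2` and the embedded `/proc/net/dev` sample are constructed for the example. Note that on a real host the bridge device's own counters and the sum of its ports' veth counters need not agree the way they do in the constructed sample: the bridge device counts frames handed to or from the host's network stack (for example traffic routed out via the host), not every frame forwarded between two ports.

```shell
#!/bin/sh
# Added example, not from the original post. Host-side traffic accounting for
# groups of containers. Interface names and the sample table are constructed.

# Read rx/tx byte and packet counters for one host interface from sysfs.
# Prints: "<rx_bytes> <rx_packets> <tx_bytes> <tx_packets>"; fails if absent.
iface_counters() {
    d="/sys/class/net/$1/statistics"
    [ -d "$d" ] || return 1
    printf '%s %s %s %s\n' "$(cat "$d/rx_bytes")" "$(cat "$d/rx_packets")" \
        "$(cat "$d/tx_bytes")" "$(cat "$d/tx_packets")"
}

# Sum the counters of the named interfaces from a /proc/net/dev-style table
# read on stdin (e.g. "cat /proc/net/dev | dev_sum vethWEB1 vethWEB2", or the
# bridge alone: "dev_sum lxdbr-web"). Reading from the host side means the
# container's own view of eth0 is never consulted.
dev_sum() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) ok[w[i]] = 1 }
        NR > 2 {
            # The name may be glued to the first number ("vethWEB2:200000"),
            # so turn the colon into a separator before using fields.
            sub(/:/, " ")
            if ($1 in ok) { rb += $2; rp += $3; tb += $10; tp += $11 }
        }
        END { printf "%.0f %.0f %.0f %.0f\n", rb, rp, tb, tp }'
}

# Running total across periodic samples. Kernel counters reset to zero when
# the interface is deleted and recreated, so if the new raw value is lower
# than the previous one, treat everything seen so far as new traffic.
# Usage: accumulate <total_so_far> <previous_raw> <current_raw>
accumulate() {
    total=$1; prev=$2; cur=$3
    if [ "$cur" -ge "$prev" ]; then
        echo $((total + cur - prev))
    else
        echo $((total + cur))
    fi
}

# Constructed /proc/net/dev sample: one bridge and two host-side veths.
sample_dev() {
    cat <<'EOF'
Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:    1000      10    0    0    0     0          0         0     1000      10    0    0    0     0       0          0
lxdbr-web:  500000    4000    0    0    0     0          0         0   120000    1500    0    0    0     0       0          0
vethWEB1:  300000    2500    0    0    0     0          0         0    70000     900    0    0    0     0       0          0
vethWEB2:200000    1500    0    0    0     0          0         0    50000     600    0    0    0     0       0          0
EOF
}

# Stand-alone demo.
echo "group 'web' via its veths:  $(sample_dev | dev_sum vethWEB1 vethWEB2)"
echo "group 'web' via its bridge: $(sample_dev | dev_sum lxdbr-web)"
# Two samples of rx_bytes for a veth that was recreated between them.
t=$(accumulate 0 0 400); t=$(accumulate "$t" 400 700); t=$(accumulate "$t" 700 50)
echo "accumulated rx_bytes across a restart: $t"
# On a Linux host this prints real loopback counters from sysfs.
iface_counters lo || echo "no sysfs statistics for lo on this system"
```

On a host, replace `sample_dev` with `cat /proc/net/dev` and run `dev_sum` from a timer, feeding each interface's raw value and the previous one into `accumulate`, so the totals live outside the interface and are not lost when it is deleted.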