An option to load a BPF program that e.g. filters all ingress/egress of the container processes would be a very useful feature. This might work similar to systemd's IPAddressAllow/IPAddressDeny/IPIngressFilterPath/…
My specific use case would be improved network performance, since this would allow you to put the container into the host's networking namespace and bind to a specific server port there. This would remove the overhead of NAT, forwarding, conntracking, etc. and make communication with a server process inside of the container as efficient as without containers, without a compromise in security.
PS: I attached the LXD label since that's what I'm interested in, but this might actually be better implemented in LXC.
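To make the request concrete, here is an added example of the kind of program such an option would load (it is not code from this issue, from LXD/LXC or from systemd). It is a cgroup_skb filter of the sort systemd's IPIngressFilterPath=/IPEgressFilterPath= point at: attached to the container's cgroup it sees only packets for sockets owned by container processes, so it scopes the policy to the container even though the container shares the host's network namespace. The policy assumed here allows TCP to/from one server port (8080, an assumption) and drops everything else. The verdict logic is plain C so it also builds and runs on the host for testing; the BPF entry points are compiled only for the bpf target and assume clang, libbpf headers and a kernel of 4.20 or newer (direct packet access from cgroup_skb programs).

```c
/* cgroup_skb port filter (added example, not LXD/LXC or systemd code).
 * Kernel build:  clang -O2 -target bpf -c port_filter.c -o port_filter.o
 * Host build (self-test of the verdict logic):  cc -c port_filter.c
 */
#define ALLOWED_PORT  8080   /* assumption: the single server port the container may serve */
#define DIR_INGRESS   0
#define DIR_EGRESS    1
#define VERDICT_DROP  0      /* cgroup_skb return values: 0 = drop, 1 = allow */
#define VERDICT_ALLOW 1

/* data points at the IPv4 header (cgroup_skb hooks run at L3); every read is
 * preceded by a bounds check against data_end, which the BPF verifier requires
 * and which also keeps the host build memory-safe. Anything not parsed
 * (IPv6, non-TCP, non-first fragments, truncated headers) is dropped. */
static inline __attribute__((always_inline))
int port_filter(const unsigned char *data, const unsigned char *data_end,
                int dir, unsigned short port)
{
    if (data + 20 > data_end)                 /* shorter than a minimal IPv4 header */
        return VERDICT_DROP;
    if ((data[0] >> 4) != 4)                  /* not IPv4 */
        return VERDICT_DROP;
    unsigned int ihl = (data[0] & 0x0f) * 4;  /* header length in bytes, 20..60 */
    if (ihl < 20)
        return VERDICT_DROP;
    if (data[9] != 6)                         /* protocol field: 6 = TCP */
        return VERDICT_DROP;
    /* Non-first fragments carry no TCP header, so the port is not visible: drop. */
    if ((((data[6] & 0x1f) << 8) | data[7]) != 0)
        return VERDICT_DROP;

    const unsigned char *tcp = data + ihl;
    if (tcp + 4 > data_end)                   /* need source and destination port */
        return VERDICT_DROP;
    unsigned short sport = (unsigned short)((tcp[0] << 8) | tcp[1]);
    unsigned short dport = (unsigned short)((tcp[2] << 8) | tcp[3]);

    /* Ingress: the server port is the destination; egress: it is the source. */
    unsigned short local_port = (dir == DIR_INGRESS) ? dport : sport;
    return local_port == port ? VERDICT_ALLOW : VERDICT_DROP;
}

#ifdef __BPF__
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>

SEC("cgroup_skb/ingress")
int container_ingress(struct __sk_buff *skb)
{
    const unsigned char *data     = (const unsigned char *)(long)skb->data;
    const unsigned char *data_end = (const unsigned char *)(long)skb->data_end;
    return port_filter(data, data_end, DIR_INGRESS, ALLOWED_PORT);
}

SEC("cgroup_skb/egress")
int container_egress(struct __sk_buff *skb)
{
    const unsigned char *data     = (const unsigned char *)(long)skb->data;
    const unsigned char *data_end = (const unsigned char *)(long)skb->data_end;
    return port_filter(data, data_end, DIR_EGRESS, ALLOWED_PORT);
}

char _license[] SEC("license") = "GPL";
#else
/* Host-side harness: builds a constructed packet (20-byte IPv4 header plus the
 * first four bytes of a TCP header, all other fields zero) and runs the filter
 * on its first `len` bytes. */
int check_synthetic(int dir, unsigned char version, unsigned char proto,
                    unsigned short frag_off, unsigned short sport,
                    unsigned short dport, unsigned long len)
{
    unsigned char pkt[24] = {0};
    pkt[0]  = (unsigned char)((version << 4) | 5);   /* IHL = 5 words = 20 bytes */
    pkt[6]  = (unsigned char)((frag_off >> 8) & 0x1f);
    pkt[7]  = (unsigned char)(frag_off & 0xff);
    pkt[9]  = proto;
    pkt[20] = (unsigned char)(sport >> 8);
    pkt[21] = (unsigned char)(sport & 0xff);
    pkt[22] = (unsigned char)(dport >> 8);
    pkt[23] = (unsigned char)(dport & 0xff);
    if (len > sizeof pkt)
        len = sizeof pkt;
    return port_filter(pkt, pkt + len, dir, ALLOWED_PORT);
}
#endif
```

The compiled object can be pinned with `bpftool prog loadall port_filter.o /sys/fs/bpf/port_filter` and the two pinned programs then referenced from IPIngressFilterPath=/IPEgressFilterPath= (or attached to the container's cgroup with `bpftool cgroup attach`). One caveat for this particular policy: because ingress is judged by destination port alone, it also drops replies to connections the container itself initiates (their destination is an ephemeral port), so a container that needs outbound access would need a connection-aware rule or a separate cgroup/connect4 hook rather than this deny-by-default filter.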