The goal here is to provide network isolation between containers so that one container cannot saturate the entire network, affecting the performance of other containers.
There are many options here. With the current network monitoring code (MESOS-1228, already committed), one option is to add a "tc police action" on the 'veth' of each container to drop packets when the traffic exceeds a certain limit.
Other options include advanced shape control using tc classes (e.g., HTB, CBQ, etc.). We're gonna need to extend the current routing library to support that.
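A sketch of the "tc police action" option described above, added here as an illustration and not taken from Mesos or from this ticket. The function name `police_cmds`, the `APPLY` switch, and the interface name and rate values used with it are assumptions.

```sh
#!/bin/sh
# Added example (not Mesos code): emit the tc commands for a per-container
# policer on the host end of a veth pair. Traffic the container sends arrives
# as *ingress* on the host-side veth, so the policer hangs off the ingress qdisc.

# police_cmds DEV RATE BURST -> prints two tc commands, returns 2 on bad input.
police_cmds() {
    dev=$1 rate=$2 burst=$3

    # These values end up on a root command line: accept only plain
    # interface names (max 15 chars, IFNAMSIZ-1) and alphanumeric tc units.
    case $dev in
        ''|-*|*[!A-Za-z0-9_.-]*) echo "bad device name" >&2; return 2 ;;
    esac
    [ "${#dev}" -le 15 ] || { echo "device name too long" >&2; return 2; }
    case $rate$burst in
        *[!A-Za-z0-9]*) echo "bad rate or burst" >&2; return 2 ;;
    esac
    printf '%s\n' "$rate"  | grep -Eq '^[0-9]+[kmg]?bit$' || { echo "bad rate" >&2; return 2; }
    printf '%s\n' "$burst" | grep -Eq '^[0-9]+[kmg]?b?$'  || { echo "bad burst" >&2; return 2; }

    # 1. Attach the ingress qdisc (ffff: is its fixed handle).
    echo "tc qdisc add dev $dev handle ffff: ingress"
    # 2. Match every packet and police it; packets over the rate are dropped.
    echo "tc filter add dev $dev parent ffff: protocol all prio 1 u32 match u32 0 0 police rate $rate burst $burst drop flowid :1"
}

# Dry run by default; set APPLY=1 (as root) to execute the generated commands.
if [ "${APPLY:-0}" = 1 ]; then
    police_cmds "$@" | sh -e
fi
```

The policer drops excess packets without queueing them, which is why the ticket lists class-based shaping (HTB, CBQ) as a separate option.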