Providing quality of service for containers in a virtualized computing environment
US-9722948-B2 · Aug 1, 2017 · US
US10476845B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10476845-B2 |
| Application number | US-201715663814-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jul 30, 2017 |
| Priority date | Jun 26, 2015 |
| Publication date | Nov 12, 2019 |
| Grant date | Nov 12, 2019 |
Abstract
An example method is provided for a computing device to perform traffic handling for a container in a virtualized computing environment. The method may comprise receiving a traffic flow of packets from a virtual machine and identifying a container from which the traffic flow originates based on content of the received traffic flow of packets. The container may be supported by the virtual machine. The method may further comprise retrieving a policy configured for the identified container and handling the received traffic flow of packets according to the policy.
Claims (preview)
We claim:

1. A method for a computing device to perform traffic handling for a container in a virtualized computing environment, the method comprising: receiving a traffic flow of packets from a virtual machine; identifying a container from which the traffic flow originates based on content of the received traffic flow of packets, wherein the container is supported by the virtual machine; retrieving a policy configured for the identified container; and handling the received traffic flow of packets according to the policy.
2. The method of claim 1, wherein identifying the container comprises: parsing header data of each packet of the traffic flow to identify the container based on tag data in the header data.
3. The method of claim 2, wherein the method further comprises: prior to receiving the traffic flow of packets, the container or a guest agent installed on a guest operating system of the virtual machine adding the tag data to each packet.
4. The method of claim 1, wherein handling the received traffic flow of packets comprises: according to the policy configured for the container, performing one or more of the following actions specified by the policy: allowing or denying the received traffic flow of packets, modifying the received traffic flow of packets, determining a forwarding decision for the received traffic flow of packets, analyzing the content of the received traffic flow of packets, and generating and sending a report based on the received traffic flow of packets.
5. The method of claim 1, wherein handling the received traffic flow of packets comprises one or more of the following: according to a firewall policy configured for the container, allowing or denying the received traffic flow of packets based on one or more of the following tuples identified from header data of each packet: source port number, destination address, destination port number and protocol; according to an anti-malware policy configured for the container, allowing or denying the received traffic flow of packets based on one or more malware signatures; according to a network attack detection policy configured for the container, allowing or denying the received traffic flow of packets based on whether a network attack is identified; according to an access control policy configured for the container, allowing or denying the received traffic flow of packets based on an access control list specifying a list of one or more permissions assigned to the container; according to a packet filtering policy configured for the container, filtering the received traffic flow of packets based on one or more filtering criteria; and according to a deep packet inspection policy configured for the container, inspecting the content of the received traffic flow of packets.
6. The method of claim 1, wherein handling the received traffic flow of packets comprises one or more of the following: according to an encryption policy configured for the container, encrypting the received traffic flow of packets using an encryption key associated with the container; according to a decryption policy configured for the container, decrypting the received traffic flow of packets using a decryption key associated with the container; according to a packet duplication policy, generating at least one duplicate packet based on the received traffic flow of packets; according to a packet de-duplication policy configured for the container, removing at least one packet from the received traffic flow of packets; according to a packet tagging policy configured for the container, modifying header data or payload data, or both, of at least one packet in the received traffic flow to add metadata associated with the container; according to a load balancing policy configured for the container, selecting one of multiple physical network interface controllers (NICs) of the computing device for forwarding the received traffic flow of packets; and according to a jumbo frame policy configured for the container, determining that jumbo frame forwarding is enabled for the container and selecting a path for forwarding the received traffic flow of packets.
7. The method of claim 1, wherein the method further comprises: receiving an incoming traffic flow of packets; identifying the container for which the incoming traffic flow of packets is destined based on content of the incoming traffic flow of packets; retrieving a further policy configured for the identified container; and handling the incoming traffic flow of packets according to the further policy.
8. A non-transitory computer-readable storage medium that includes a set of instructions which, in response to execution by a processor of a host, cause the processor to perform a method of traffic handling for a container in a virtualized computing environment, wherein the method comprises: receiving a traffic flow of packets from a virtual machine; identifying a container from which the traffic flow originates based on content of the received traffic flow of packets, wherein the container is supported by the virtual machine; retrieving a policy configured for the identified container; and handling the received traffic flow of packets according to the policy.
9. The non-transitory computer-readable storage medium of claim 8, wherein identifying the container comprises: parsing header data of each packet of the traffic flow to identify the container based on tag data in the header data.
10. The non-transitory computer-readable storage medium of claim 9, wherein the method further comprises: prior to receiving the traffic flow of packets, the container or a guest agent installed on a guest operating system of the virtual machine adding the tag data to each packet.
11. The non-transitory computer-readable storage medium of claim 8, wherein handling the received traffic flow of packets comprises: according to the policy configured for the container, performing one or more of the following actions specified by the policy: allowing or denying the received traffic flow of packets, modifying the received traffic flow of packets, determining a forwarding decision for the received traffic flow of packets, analyzing the content of the received traffic flow of packets, and generating and sending a report based on the received traffic flow of packets.
12. The non-transitory computer-readable storage medium of claim 8, wherein handling the received traffic flow of packets comprises one or more of the following: according to a firewall policy configured for the container, allowing or denying the received traffic flow of packets based on one or more of the following tuples identified from header data of each packet: source port number, destination address, destination port number and protocol; according to an anti-malware policy configured for the container, allowing or denying the received traffic flow of packets based on one or more malware signatures; according to a network attack detection policy configured for the container, allowing or denying the received traffic flow of packets based on whether a network attack is identified; according to an access control policy configured for the container, allowing or denying the received traffic flow of packets based on an access control list specifying a list of one or more permissions assigned to the container; according to a packet filtering policy configured for the container, filtering the received traffic flow of packets based on one or more filtering criteria; and according to a deep packet inspection policy configured for the container, inspecting the content of the received traffic flow of packets.
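The following is an added illustration of the mechanism in claims 1, 2, 4 and 5 (identify the container from tag data in the packet header, retrieve the policy configured for that container, then allow or deny on firewall tuples). It is not code from the patent or its assignee. The tag header layout (`TAG_HDR`), the policy table `POLICIES`, the rule fields and all sample packets are constructed assumptions for the example; a real host would carry the tag in whatever encapsulation the guest agent uses.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# Hypothetical tag header a guest agent prepends to each packet (assumption, not the
# patent's format): uint32 container id | uint8 protocol | uint16 src port |
# uint16 dst port | 4-byte destination IPv4 address, all network byte order.
TAG_HDR = struct.Struct("!IBHH4s")
PROTO_TCP, PROTO_UDP = 6, 17


@dataclass(frozen=True)
class Packet:
    container_id: int
    proto: int
    src_port: int
    dst_port: int
    dst_addr: ipaddress.IPv4Address


def parse_packet(raw: bytes) -> Packet:
    """Claim 2: parse header data and identify the container from its tag."""
    if len(raw) < TAG_HDR.size:
        raise ValueError("truncated tag header")
    cid, proto, sport, dport, daddr = TAG_HDR.unpack_from(raw)
    return Packet(cid, proto, sport, dport, ipaddress.IPv4Address(daddr))


@dataclass(frozen=True)
class Rule:
    """One firewall rule on the tuples named in claim 5; None means 'any'."""
    action: str                                   # "allow" or "deny"
    proto: Optional[int] = None
    dst_net: Optional[ipaddress.IPv4Network] = None
    dst_port: Optional[int] = None
    src_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dst_net is None or pkt.dst_addr in self.dst_net)
                and (self.dst_port is None or self.dst_port == pkt.dst_port)
                and (self.src_port is None or self.src_port == pkt.src_port))


@dataclass
class Policy:
    rules: list            # evaluated in order, first match wins
    default: str = "deny"  # nothing matched: fail closed

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default


# Constructed per-container policy table (assumption for the example).
POLICIES = {
    1: Policy([Rule("allow", PROTO_TCP, ipaddress.ip_network("10.0.0.0/24"), 443)]),
    2: Policy([Rule("deny", PROTO_UDP), Rule("allow")]),
}


def handle_flow(raw_packets, policies=POLICIES):
    """Claim 1: identify the container, retrieve its policy, handle each packet.

    Returns a list of (container_id, decision). A packet whose tag names a
    container with no configured policy is denied rather than passed through.
    """
    results = []
    for raw in raw_packets:
        pkt = parse_packet(raw)
        policy = policies.get(pkt.container_id)
        decision = "deny" if policy is None else policy.decide(pkt)
        results.append((pkt.container_id, decision))
    return results


def make_packet(cid, proto, sport, dport, daddr) -> bytes:
    """Stand-in for the guest agent of claim 3 adding tag data to a packet."""
    return TAG_HDR.pack(cid, proto, sport, dport, ipaddress.IPv4Address(daddr).packed)


# Constructed sample flow.
SAMPLE = [
    make_packet(1, PROTO_TCP, 40000, 443, "10.0.0.5"),   # matches container 1 rule
    make_packet(1, PROTO_TCP, 40001, 80, "10.0.0.5"),    # no match: default deny
    make_packet(2, PROTO_UDP, 5353, 53, "10.0.0.2"),     # container 2 denies UDP
    make_packet(2, PROTO_TCP, 5000, 22, "192.168.1.1"),  # container 2 allows the rest
    make_packet(9, PROTO_TCP, 1, 1, "10.0.0.1"),         # unknown container tag
]

if __name__ == "__main__":
    for cid, decision in handle_flow(SAMPLE):
        print(f"container {cid}: {decision}")
```

The point worth noting for a defender is the two fail-closed paths: a tag that maps to no policy is denied, and a policy with no matching rule falls to `default="deny"`. Because the host trusts the tag to identify the container, the guest agent that adds it (claim 3) is the component whose integrity the whole scheme rests on.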
CPC classification titles:

- Event detection, e.g. attack signature detection
- Virtual switches
- Rule management
- for managing network security; network security policies in general (filtering policies H04L63/0227)
- QOS or priority aware