Hacker News

yjftsjthsd-h, yesterday at 4:36 PM, 0 replies

I'm a little surprised; I guess I would have assumed that if NetBSD got jails they'd be an outgrowth of rump kernels with improved security properties. No big deal, just unexpected.

> Jails share the host network stack by design.

> This keeps routing, firewalling, and interface management simple on the host.

> Listening ports can be reserved per jail.

> Port ownership is enforced by the kernel, preventing accidental conflicts while preserving a straightforward host-centric network model.

It's perfectly reasonable to have a different approach, but on Linux I'll say I really prefer that each container has its own view of ports; it is specifically useful that I can run multiple copies of the same app and they can all bind :8000 or whatever and that just works.
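The contrast drawn in this comment, as an added example (not code from the post or from any jail or container implementation): on a shared network stack a second bind to an in-use port fails, while a process moved into its own Linux network namespace with unshare(2) can bind the same port. The clone(2) flag values and the "0.0.0.0" listener are assumptions of the example; where namespace creation is not permitted it reports "unshare-denied" instead of failing.

```python
import ctypes
import errno
import os
import socket

CLONE_NEWUSER = 0x10000000  # clone(2) flag values from <linux/sched.h>
CLONE_NEWNET = 0x40000000   # (constants reproduced here, not from the page)

def _listen_any():
    """Listen on 0.0.0.0 at a kernel-chosen free port; return (sock, port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("0.0.0.0", 0))
    s.listen(1)
    return s, s.getsockname()[1]

def _try_bind(port):
    """Bind a fresh socket to 0.0.0.0:port; return 'bound' or the errno name."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind(("0.0.0.0", port))
        return "bound"
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))
    finally:
        s.close()

def bind_twice_shared():
    """Shared stack (the jail model): a second bind to a port in use fails."""
    listener, port = _listen_any()
    try:
        return _try_bind(port)  # 'EADDRINUSE'
    finally:
        listener.close()

def bind_in_new_netns():
    """Per-container port view (Linux model): a forked child enters a fresh network
    namespace via unshare(2) and binds the same port. Returns 'bound', 'EADDRINUSE',
    'unshare-denied', or None where unshare(2) is unavailable (non-Linux)."""
    try:
        unshare = ctypes.CDLL(None, use_errno=True).unshare
    except (OSError, TypeError, AttributeError):
        return None
    listener, port = _listen_any()
    pid = os.fork()
    if pid == 0:  # child; CLONE_NEWNET alone needs CAP_SYS_ADMIN, so fall back to
        # a new user namespace, which unprivileged processes may create on most kernels
        if unshare(CLONE_NEWNET) != 0 and unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0:
            os._exit(3)
        os._exit(0 if _try_bind(port) == "bound" else 1)
    _, status = os.waitpid(pid, 0)
    listener.close()
    code = os.WEXITSTATUS(status) if os.WIFEXITED(status) else 3
    return {0: "bound", 1: "EADDRINUSE"}.get(code, "unshare-denied")
```

Calling `bind_twice_shared()` then `bind_in_new_netns()` on a Linux host that allows unprivileged user namespaces yields "EADDRINUSE" and then "bound" for the same port number.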