The evil details...

Ensure that packets are unable to leave a domain
Responses need to remain in the same domain

Userland needs to be able to bind sockets in specific domain

Magic way to pass traffic between domains

Interaction between rdomains and rtables