doc: Add section on macvlan vs bridge

Closes #3273

Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>

doc/containers.md

@@ -176,6 +176,23 @@ ipv4.address            | string    | -                 | no        | bridged
 ipv6.address            | string    | -                 | no        | bridged                       | network       | An IPv6 address to assign to the container through DHCP
 security.mac\_filtering | boolean   | false             | no        | bridged                       | network       | Prevent the container from spoofing another's MAC address
 
+#### bridged or macvlan for connection to physical network
+The "bridged" and "macvlan" interface types can both be used to connect
+to an existing physical network.
+
+macvlan effectively lets you fork your physical NIC, getting a second
+interface that's then used by the container. This saves you from
+creating a bridge device and veth pairs and usually offers better
+performance than a bridge.
+
+The downside to this is that macvlan devices while able to communicate
+between themselves and to the outside, aren't able to talk to their
+parent device. This means that you can't use macvlan if you ever need
+your containers to talk to the host itself.
+
+In such case, a bridge is preferable. A bridge will also let you use mac
+filtering and I/O limits which cannot be applied to a macvlan device.
+
 ### Type: disk
 Disk entries are essentially mountpoints inside the container. They can
 either be a bind-mount of an existing file or directory on the host, or