
The feature looks interesting! It looks like it should be applicable to at least qemu and xen; I'm not so sure about LXC or VirtualBox, and it looks unlikely for VMware unless they have a matching capability (might be possible since it's based at least partly on DMTF).
It would work with any technology that uses an ethernet interface in the host, i.e., a tap or backend interface, through which all the VM's network traffic passes. All firewall rules would be conditioned on the VM's interface name and jump into a VM-specific rules tree.
As for VirtualBox, since it is Qemu based and probably has a tap interface, this should also work. I have never used LXC, so I cannot say much about it, but it would also require a network interface in the host on which ebtables and iptables could condition their rules (ebtables -A ... -i <tap interface name> ...).
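The mechanism described in the reply above (condition every rule on the VM's host-side tap interface and jump into a VM-specific chain), as an added example that is not libvirt's own nwfilter code: a POSIX shell script that prints the ebtables/iptables commands for one VM instead of executing them, so it can be read and tested without root. The chain naming (vm-I-/vm-O-/FI-), the interface name vnet0, and the sample MAC and IP address are assumptions made for the example; the interface-name check is there because the name is spliced into commands.

```shell
#!/bin/sh
# Hypothetical per-VM rule generator (added example, not libvirt code).
# It prints the ebtables/iptables commands that hook a VM-specific chain
# onto the host tap interface rather than running them, so it needs no root.

# Accept only plausible Linux interface names (1-15 chars, no shell
# metacharacters): the name is interpolated into commands below.
valid_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ ${#1} -le 15 ]
}

# gen_vm_rules IFNAME VM_IP VM_MAC
# Layer 2: all frames entering the bridge from IFNAME are jumped into
# vm-I-IFNAME (inbound from the VM), frames leaving towards IFNAME into
# vm-O-IFNAME. The inbound chain pins the source MAC and IP (anti-spoofing).
# Layer 3: iptables uses the physdev match to tie FORWARD traffic to IFNAME.
gen_vm_rules() {
    ifname=$1; ip=$2; mac=$3
    valid_ifname "$ifname" || { echo "bad interface name: $ifname" >&2; return 1; }
    chain_in="vm-I-$ifname"
    chain_out="vm-O-$ifname"
    cat <<EOF
ebtables -t nat -N $chain_in
ebtables -t nat -N $chain_out
ebtables -t nat -A PREROUTING -i $ifname -j $chain_in
ebtables -t nat -A POSTROUTING -o $ifname -j $chain_out
ebtables -t nat -A $chain_in -s ! $mac -j DROP
ebtables -t nat -A $chain_in -p IPv4 --ip-source ! $ip -j DROP
ebtables -t nat -A $chain_in -p ARP --arp-ip-src ! $ip -j DROP
iptables -N FI-$ifname
iptables -A FORWARD -m physdev --physdev-in $ifname -j FI-$ifname
iptables -A FORWARD -m physdev --physdev-out $ifname -j FI-$ifname
EOF
}

# Usage: ./vmrules.sh vnet0 192.168.122.10 52:54:00:12:34:56 | sh
if [ $# -eq 3 ]; then
    gen_vm_rules "$@"
fi
```

Piping the output into sh applies the rules. Note that the iptables physdev match only sees bridged frames when bridge netfilter is enabled (net.bridge.bridge-nf-call-iptables=1), whereas the ebtables rules apply regardless.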
It should be applicable to LXC. LXC networking (http://lxc.sourceforge.net/network/configuration.php) can be set up using virtual interfaces and a bridge. I believe for VMware one would need to write a backend that can translate from this xml to the VMware APIs. The xml spec can stay the same since, as you note, it is derived from DMTF (and what is already supported in physical switches).

Vivek
__
Vivek Kashyap
Linux Technology Center, IBM