Draft: add new b2c.netns parameter

This adds support for a new parameter, b2c.netns, that currently either

1. leaves the networking alone if none or option is omitted (which is b2c behavior before this patch), or
2. creates a new namespace and starts each container within it if dup is specified.

In the case of dup, veth pairs are created and bridged to the host's ethernet adapters, and the other end of the pair is added to the network namespace that the container runs within.

This is set up and torn down before and after each container invocation, so each container will get a "fresh" configuration of this, i.e. in case something goes sideways in a previous container.