Andrea Bolognani wrote: > On Thu, Jun 13, 2024 at 06:24:00PM GMT, Roman Bogorodskiy wrote: > > Laine Stump wrote: > > > On 6/12/24 2:32 PM, Roman Bogorodskiy wrote: > > > > So basically all the mechanics like creating tap devices, bridges, > > > > serving dhcp, etc, all these work for me. On top of that I had a few > > > > iterations of manual firewall configurations (with both ipfw and pf) > > > > to implement NAT on guests. > > > > > > Okay, so essentially it was effectively <forward mode='open'/> (since the > > > only difference is the lack of libvirt-added firewall rules). > > > > Yes, I've changed it to mode='open' and it still works for me, i.e. I > > have host<->guest connectivity. > > > > So it would make more sense to change the default to 'open', at least > > until nat is not supported. I think I'd better do that on the packaging > > level. > > If you're touching the package, can you also look into the other > question that I've raised about it? Namely that, since the QEMU > driver is compiled out by default, the same should probably be the > case for the network driver too. If someone goes and builds the port > locally with QEMU support enabled, then and only then the network > driver should be included. > > Honestly I'm not entirely sure it makes much sense to have the > network driver and especially the default network if you need to > bring your own firewall rules, but that can be a separate discussion. Hm, I think the network driver is quite usable without QEMU, e.g. I use it with bhyve. I also find it quite useful even without firewall rules. Most of the time internal connectivity is enough for my guests. Configuring NAT on per-network basis is also fairly easy. For more advanced scenarios hooks could be used, though I haven't done that specifically. For now I'm inclined only to update 'nat' to 'open' as 'nat' is a misleading configuration and was working only by incidence. Roman > -- > Andrea Bolognani / Red Hat / Virtualization >