Date: Wed, 5 Nov 2025 10:08:33 -0500
From: Mark Johnston
To: freebsd-virtualization@freebsd.org
Subject: bhyve slirp network backend improvements

A while back I added a libslirp-based network backend to bhyve.
It enables usermode networking, very similar to qemu's user networking, but with the limitation that only inbound connections to the VM are permitted. This limitation is imposed by the capsicum sandbox in which the VM runs. For my immediate purposes that was fine, but of course it's fairly limiting in general.

I posted a patch which moves the backend into a separate process so that the guest can make outbound connections:

https://reviews.freebsd.org/D53454

This is enabled by adding the "open" keyword to the slirp backend configuration. That is, "-s 4:0,virtio-net,slirp,open" will allow unrestricted connections from the guest. One can also add hostfwd rules as before.

There's still a fair bit of libslirp configuration that isn't accessible, but this change will hopefully make the slirp backend more useful to many people. Comments on the patch or requests for additional features in this area would be welcome.