logoalt Hacker News

celrenheityesterday at 2:50 PM1 replyview on HN

Thanks! There's no packet firewall at all, no iptables/nftables. On macOS the VM's NIC is a Virtualization.framework file-handle device. The daemon runs gvproxy, which terminates the guest's connections and re-dials them as host sockets, so I filter with an allow-list right before the dial. One caveat, since you asked about root specifically: that's the macOS path, and it only works thanks to the fd NIC. Firecracker on Linux only speaks a TAP, which needs root, so there I do shell out to sudo, but just for the device. The filtering is still the same userspace allow-list.


Replies

matheusmoreirayesterday at 4:00 PM

Thanks for the pointers!! I'm using passt, didn't know about gvproxy. This is awesome and could provide rootless filtering and firewall for my guest VMs. I'm going to experiment with this!

show 1 reply