Zoltan

I noticed the following differences in the networking experience between QEMU/KVM (used through libvirt) and VirtualBox:

  • For anything other than usermode or manual networking, QEMU/KVM needs a virbr0 network interface to be created and it adds a bunch of rules to iptables. VirtualBox, on the other hand, can operate both in NAT and bridged modes without touching iptables or creating any network interfaces.

  • Probably related to the above, in non-root user sessions, QEMU/KVM only allows usermode (or manual) networking, while VirtualBox supports most/all of the various networking modes even without root privileges.

I would like to understand the underlying reasons behind these differences and their implications. A few specific questions that come to my mind:

  • VirtualBox's networking solution seemingly requires fewer privileges. Is this the result of a user-space implementation of various networking protocols similar to QEMU/KVM's usermode networking (just with more options) or are there privileged operations executed behind the scenes, allowed by the user's membership in the vboxusers group?

  • Is QEMU/KVM's usermode networking inferior in any way to VirtualBox's NAT mode networking? According to the libvirt FAQ, usermode networking "has nonobvious limitations, so its usage is discouraged", but I could not find what those limitations are (other than being restricted to NAT). It seems perfectly fine to me for doing just a simple NAT (and in fact it seems to be the trivial if not only way that avoids the iptables modifications).

  • How do the security and performance of the three NAT alternatives (VirtualBox NAT, QEMU/KVM "proper" NAT, QEMU/KVM usermode networking) compare to each other?
