rvproxy
Rust-native microVM networking

Operational microVM networking.

rvproxy sits between the guest transport and the rest of the host: control plane, gateway services, forwarding, tracing, policy, and plugin-aware byte handling in one place.
Strict control plane Live guest gateway Traceable byte path
Read the docs Production readiness
Built for runtimes that need real gateway behavior, a local API, and evidence you can ship with. Native macOS VZ is the current production path; Firecracker stays on Lima for local development until native Linux KVM proof is collected.
Backends QEMU, Firecracker-compatible, and vfkit / VZ transport seams
Dataplane Gateway services, egress, forwarding, packet classification, plugin-aware bytes
Evidence Packet + daemon-socket tracing, audit events, stats, benches, fuzz targets, captured host proof
Why it exists

Most VM networking looks fine until lifecycle, visibility, and policy have to work together.

rvproxy is organized around the parts that usually become painful later: backend differences, drain behavior, forwarding state, packet visibility, and byte-path extensibility without turning the daemon into a black box.
Already implemented
  • Unix-socket control plane
  • ARP, DHCP, DNS, TCP, UDP, ICMP
  • Host-to-guest forwarding
  • Tracing and audit hooks
Still gating full backend parity
  • Native Linux Firecracker proof
  • Longer-running Firecracker soak
  • Native Linux cutover timing
  • Final candidate-commit evidence
Use the docs by task

Start from the work you actually have to do.

This site is meant to help two audiences quickly: people wiring the daemon into a runtime, and people trying to prove it is fit to operate.
01
Getting Started

Set up the workspace, validate configs, and run the daemon locally.

 02
Architecture

See how control plane, dataplane, backends, and plugins stay separate.

 03
Operations

Run smoke flows, use the local API, and capture native-host evidence.

 04
Plugins

Understand the bounded byte-path model, exports, and failure semantics.

 05
Production Readiness

Track the remaining gap between the current daemon and a release-quality claim.
Usable now
The daemon already has enough real surface area for serious integration work and a scoped production release on native macOS VZ/vfkit: local API, guest gateway, forwarding, byte audit, stats, and plugin-aware byte flow.
Still blocking full parity
Native Linux Firecracker proof, longer-running guest-real soak, and native-host cutover timing still separate the current implementation from a broad all-backend production-parity statement.