feat: add TUN/TAP and netfilter to Linux kernel config

lightsofapollo · claude · lightsofapollo · commit e20843f268fc · 2026-04-02T16:34:17.000-06:00
Enable CONFIG_TUN and iptables/netfilter support in the vz Linux guest
kernel. Required for running Firecracker microVMs with tap networking
and NAT masquerade inside the vz host VM.

Bump vz-cli to v0.3.1.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/crates/Cargo.lock b/crates/Cargo.lock
diff --git a/crates/vz-cli/Cargo.toml b/crates/vz-cli/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "vz-cli"
-version = "0.3.0"
+version = "0.3.1"
 description = "CLI for managing containers and macOS VM sandboxes"
 edition.workspace = true
 rust-version.workspace = true
diff --git a/linux/vz-linux.config b/linux/vz-linux.config
@@ -36,6 +36,18 @@ CONFIG_NET_NS=y
 CONFIG_VETH=y
 CONFIG_BRIDGE=y
 
+# TUN/TAP (Firecracker uses tap devices for guest networking)
+CONFIG_TUN=y
+
+# Netfilter / iptables (required for NAT masquerade in proxy VMs)
+CONFIG_NETFILTER=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_NF_NAT=y
+CONFIG_IP_NF_IPTABLES=y
+CONFIG_IP_NF_FILTER=y
+CONFIG_IP_NF_NAT=y
+CONFIG_IP_NF_TARGET_MASQUERADE=y
+
 # Cgroups / namespaces
 CONFIG_NAMESPACES=y
 CONFIG_CGROUPS=y
