From nobody Mon Feb  9 01:49:07 2026
Delivered-To: importer@patchew.org
Received-SPF: pass (zohomail.com: domain of redhat.com designates
 205.139.110.120 as permitted sender) client-ip=205.139.110.120;
 envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-1.mimecast.com;
Authentication-Results: mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of redhat.com designates 205.139.110.120 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=pass(p=none dis=none)  header.from=redhat.com
ARC-Seal: i=1; a=rsa-sha256; t=1595510665; cv=none;
	d=zohomail.com; s=zohoarc;
	b=O6kam7adliPyh2xWu3UbqSIeDQFxJcDMEZJp+w7luFTBpxebX9gY89SS43sSoNBmssvamwEXsgkciR7Hastr+a0qMVgFQp7fvO8rItZ+Ht4lxa4/vFTniJPqrj51FxrDZm801IdL3vrE2xeCqKWSWyOe6uCt4XIpt2BvjbGoBd0=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com;
 s=zohoarc;
	t=1595510665;
 h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To;
	bh=qPwQIMRyIgg9GceK+NXMLKQxSt48J2gTtwHTMK9hQmU=;
	b=i2S+kxdJbk3YJzI9NXfJj0evfbvnBZ4VAWTQ6yV1h9zx5M4jSb5T4BCuczRls0e5zhlesNHnirOqMich/s3Sri7BfFIR3HiDU2Pq6IMPQ0vOuvWnS90azRntjCLXJmPMBq/y2lVU1Ft0H6I3Z2VwspGusDeAhyOKA4cEnBkgT98=
ARC-Authentication-Results: i=1; mx.zohomail.com;
	dkim=pass;
	spf=pass (zohomail.com: domain of redhat.com designates 205.139.110.120 as
 permitted sender)  smtp.mailfrom=libvir-list-bounces@redhat.com;
	dmarc=pass header.from=<pkrempa@redhat.com> (p=none dis=none)
 header.from=<pkrempa@redhat.com>
Return-Path: <libvir-list-bounces@redhat.com>
Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com
 [205.139.110.120]) by mx.zohomail.com
	with SMTPS id 1595510665706585.0456393622446;
 Thu, 23 Jul 2020 06:24:25 -0700 (PDT)
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-43-GR8SKlmjOeOzXyc7rhJ31Q-1; Thu, 23 Jul 2020 09:22:28 -0400
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com
 [10.5.11.15])
	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 998D3803324;
	Thu, 23 Jul 2020 13:22:22 +0000 (UTC)
Received: from colo-mx.corp.redhat.com
 (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id 7BE9C72683;
	Thu, 23 Jul 2020 13:22:22 +0000 (UTC)
Received: from lists01.pubmisc.prod.ext.phx2.redhat.com
 (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33])
	by colo-mx.corp.redhat.com (Postfix) with ESMTP id 4B297180530A;
	Thu, 23 Jul 2020 13:22:22 +0000 (UTC)
Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com
	[10.5.11.23])
	by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP
	id 06NDMJj8028595 for <libvir-list@listman.util.phx.redhat.com>;
	Thu, 23 Jul 2020 09:22:19 -0400
Received: by smtp.corp.redhat.com (Postfix)
	id 09B2119D7C; Thu, 23 Jul 2020 13:22:19 +0000 (UTC)
Received: from speedmetal.redhat.com (unknown [10.40.208.37])
	by smtp.corp.redhat.com (Postfix) with ESMTP id A04B32E162
	for <libvir-list@redhat.com>; Thu, 23 Jul 2020 13:22:17 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
	s=mimecast20190719; t=1595510664;
	h=from:from:sender:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:mime-version:mime-version:
	 content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references:list-id:list-help:
	 list-unsubscribe:list-subscribe:list-post;
	bh=qPwQIMRyIgg9GceK+NXMLKQxSt48J2gTtwHTMK9hQmU=;
	b=EDbur/2H2n5/d3yGuIB/VlrhdpsPGV1ak8kImgBQ5KyA/1TDRldpgmfXm8yekpy/5OFAus
	4sS7F9O1Dd05NvPc7TtOQNJ+AHCVxPgf31ew1+wT4dADNctMTcAUdVX+rfFSKxs4jYyvnh
	kjPG9dx9wuq49ZdrGz5YoGeTD4kEZlo=
X-MC-Unique: GR8SKlmjOeOzXyc7rhJ31Q-1
From: Peter Krempa <pkrempa@redhat.com>
To: libvir-list@redhat.com
Subject: [PATCH 16/32] docs: formatdomain-devices: Split out <interface>
Date: Thu, 23 Jul 2020 15:21:21 +0200
Message-Id: 
 <611547f345ab3659abd2743aaae6f8d652185192.1595510131.git.pkrempa@redhat.com>
In-Reply-To: <cover.1595510131.git.pkrempa@redhat.com>
References: <cover.1595510131.git.pkrempa@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23
X-loop: libvir-list@redhat.com
X-BeenThere: libvir-list@redhat.com
X-Mailman-Version: 2.1.12
Precedence: junk
List-Id: Development discussions about the libvirt library & tools
	<libvir-list.redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/libvir-list>
List-Post: <mailto:libvir-list@redhat.com>
List-Help: <mailto:libvir-list-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/libvir-list>,
	<mailto:libvir-list-request@redhat.com?subject=subscribe>
Sender: libvir-list-bounces@redhat.com
Errors-To: libvir-list-bounces@redhat.com
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15
Authentication-Results: relay.mimecast.com;
	auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Transfer-Encoding: quoted-printable
X-ZohoMail-DKIM: pass (identity @redhat.com)
Content-Type: text/plain; charset="utf-8"

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
---
 docs/formatdomain-devices-interface.rst | 1258 ++++++++++++++++++++++
 docs/formatdomain-devices.rst           | 1260 +----------------------
 docs/meson.build                        |    1 +
 3 files changed, 1260 insertions(+), 1259 deletions(-)
 create mode 100644 docs/formatdomain-devices-interface.rst

diff --git a/docs/formatdomain-devices-interface.rst b/docs/formatdomain-de=
vices-interface.rst
new file mode 100644
index 0000000000..c828e71df1
--- /dev/null
+++ b/docs/formatdomain-devices-interface.rst
@@ -0,0 +1,1258 @@
+:anchor:`<a id=3D"elementsNICS"/>`
+
+Network interfaces
+~~~~~~~~~~~~~~~~~~
+
+::
+
+   ...
+   <devices>
+     <interface type=3D'direct' trustGuestRxFilters=3D'yes'>
+       <source dev=3D'eth0'/>
+       <mac address=3D'52:54:00:5d:c7:9e'/>
+       <boot order=3D'1'/>
+       <rom bar=3D'off'/>
+     </interface>
+   </devices>
+   ...
+
+There are several possibilities for specifying a network interface visible=
 to
+the guest. Each subsection below provides more details about common setup
+options.
+
+:since:`Since 1.2.10` ), the ``interface`` element property
+``trustGuestRxFilters`` provides the capability for the host to detect and=
 trust
+reports from the guest regarding changes to the interface mac address and
+receive filters by setting the attribute to ``yes``. The default setting f=
or the
+attribute is ``no`` for security reasons and support depends on the guest
+network device model as well as the type of connection on the host - curre=
ntly
+it is only supported for the virtio device model and for macvtap connectio=
ns on
+the host.
+
+Each ``<interface>`` element has an optional ``<address>`` sub-element tha=
t can
+tie the interface to a particular pci slot, with attribute ``type=3D'pci'`=
` as
+`documented above <#elementsAddress>`__.
+
+:since:`Since 6.6.0` , one can force libvirt to keep the provided MAC addr=
ess
+when it's in the reserved VMware range by adding a ``type=3D"static"`` att=
ribute
+to the ``<mac/>`` element. Note that this attribute is useless if the prov=
ided
+MAC address is outside of the reserved VMWare ranges.
+
+:anchor:`<a id=3D"elementsNICSVirtual"/>`
+
+Virtual network
+^^^^^^^^^^^^^^^
+
+**This is the recommended config for general guest connectivity on hosts w=
ith
+dynamic / wireless networking configs (or multi-host environments where th=
e host
+hardware details are described separately in a ``<network>`` definition
+:since:`Since 0.9.4` ).**
+
+Provides a connection whose details are described by the named network
+definition. Depending on the virtual network's "forward mode" configuratio=
n, the
+network may be totally isolated (no ``<forward>`` element given), NAT'ing =
to an
+explicit network device or to the default route (``<forward mode=3D'nat'>`=
`),
+routed with no NAT (``<forward mode=3D'route'/>``), or connected directly =
to one
+of the host's network interfaces (via macvtap) or bridge devices
+((``<forward       mode=3D'bridge|private|vepa|passthrough'/>`` :since:`Si=
nce
+0.9.4` )
+
+For networks with a forward mode of bridge, private, vepa, and passthrough=
, it
+is assumed that the host has any necessary DNS and DHCP services already s=
etup
+outside the scope of libvirt. In the case of isolated, nat, and routed net=
works,
+DHCP and DNS are provided on the virtual network by libvirt, and the IP ra=
nge
+can be determined by examining the virtual network config with
+'``virsh net-dumpxml [networkname]``'. There is one virtual network called
+'default' setup out of the box which does NAT'ing to the default route and=
 has
+an IP range of ``192.168.122.0/255.255.255.0``. Each guest will have an
+associated tun device created with a name of vnetN, which can also be over=
ridden
+with the <target> element (see `overriding the target
+element <#elementsNICSTargetOverride>`__).
+
+When the source of an interface is a network, a ``portgroup`` can be speci=
fied
+along with the name of the network; one network may have multiple portgrou=
ps
+defined, with each portgroup containing slightly different configuration
+information for different classes of network connections. :since:`Since 0.=
9.4` .
+
+When a guest is running an interface of type ``network`` may include a
+``portid`` attribute. This provides the UUID of an associated virNetworkPo=
rtPtr
+object that records the association between the domain interface and the
+network. This attribute is read-only since port objects are create and del=
eted
+automatically during startup and shutdown. :since:`Since 5.1.0`
+
+Also, similar to ``direct`` network connections (described below), a conne=
ction
+of type ``network`` may specify a ``virtualport`` element, with configurat=
ion
+data to be forwarded to a vepa (802.1Qbg) or 802.1Qbh compliant switch (
+:since:`Since 0.8.2` ), or to an Open vSwitch virtual switch ( :since:`Sin=
ce
+0.9.11` ).
+
+Since the actual type of switch may vary depending on the configuration in=
 the
+``<network>`` on the host, it is acceptable to omit the virtualport ``type=
``
+attribute, and specify attributes from multiple different virtualport type=
s (and
+also to leave out certain attributes); at domain startup time, a complete
+``<virtualport>`` element will be constructed by merging together the type=
 and
+attributes defined in the network and the portgroup referenced by the inte=
rface.
+The newly-constructed virtualport is a combination of them. The attributes=
 from
+lower virtualport can't make change on the ones defined in higher virtualp=
ort.
+Interface takes the highest priority, portgroup is lowest priority. (
+:since:`Since 0.10.0` ). For example, in order to work properly with both =
an
+802.1Qbh switch and an Open vSwitch switch, you may choose to specify no t=
ype,
+but both a ``profileid`` (in case the switch is 802.1Qbh) and an ``interfa=
ceid``
+(in case the switch is Open vSwitch) (you may also omit the other attribut=
es,
+such as managerid, typeid, or profileid, to be filled in from the network's
+``<virtualport>``). If you want to limit a guest to connecting only to cer=
tain
+types of switches, you can specify the virtualport type, but still omit so=
me/all
+of the parameters - in this case if the host's network has a different typ=
e of
+virtualport, connection of the interface will fail.
+
+::
+
+   ...
+   <devices>
+     <interface type=3D'network'>
+       <source network=3D'default'/>
+     </interface>
+     ...
+     <interface type=3D'network'>
+       <source network=3D'default' portgroup=3D'engineering'/>
+       <target dev=3D'vnet7'/>
+       <mac address=3D"00:11:22:33:44:55"/>
+       <virtualport>
+         <parameters instanceid=3D'09b11c53-8b5c-4eeb-8f00-d84eaa0aaa4f'/>
+       </virtualport>
+     </interface>
+   </devices>
+   ...
+
+:anchor:`<a id=3D"elementsNICSBridge"/>`
+
+Bridge to LAN
+^^^^^^^^^^^^^
+
+**This is the recommended config for general guest connectivity on hosts w=
ith
+static wired networking configs.**
+
+Provides a bridge from the VM directly to the LAN. This assumes there is a
+bridge device on the host which has one or more of the hosts physical NICs
+attached. The guest VM will have an associated tun device created with a n=
ame of
+vnetN, which can also be overridden with the <target> element (see `overri=
ding
+the target element <#elementsNICSTargetOverride>`__). The tun device will =
be
+attached to the bridge. The IP range / network configuration is whatever i=
s used
+on the LAN. This provides the guest VM full incoming & outgoing net access=
 just
+like a physical machine.
+
+On Linux systems, the bridge device is normally a standard Linux host brid=
ge. On
+hosts that support Open vSwitch, it is also possible to connect to an Open
+vSwitch bridge device by adding a ``<virtualport type=3D'openvswitch'/>`` =
to the
+interface definition. ( :since:`Since 0.9.11` ). The Open vSwitch type
+virtualport accepts two parameters in its ``<parameters>`` element - an
+``interfaceid`` which is a standard uuid used to uniquely identify this
+particular interface to Open vSwitch (if you do not specify one, a random
+interfaceid will be generated for you when you first define the interface)=
, and
+an optional ``profileid`` which is sent to Open vSwitch as the interfaces
+"port-profile".
+
+::
+
+   ...
+   <devices>
+     ...
+     <interface type=3D'bridge'>
+       <source bridge=3D'br0'/>
+     </interface>
+     <interface type=3D'bridge'>
+       <source bridge=3D'br1'/>
+       <target dev=3D'vnet7'/>
+       <mac address=3D"00:11:22:33:44:55"/>
+     </interface>
+     <interface type=3D'bridge'>
+       <source bridge=3D'ovsbr'/>
+       <virtualport type=3D'openvswitch'>
+         <parameters profileid=3D'menial' interfaceid=3D'09b11c53-8b5c-4ee=
b-8f00-d84eaa0aaa4f'/>
+       </virtualport>
+     </interface>
+     ...
+   </devices>
+   ...
+
+On hosts that support Open vSwitch on the kernel side and have the Midonet=
 Host
+Agent configured, it is also possible to connect to the 'midonet' bridge d=
evice
+by adding a ``<virtualport type=3D'midonet'/>`` to the interface definitio=
n. (
+:since:`Since 1.2.13` ). The Midonet virtualport type requires an
+``interfaceid`` attribute in its ``<parameters>`` element. This interface =
id is
+the UUID that specifies which port in the virtual network topology will be=
 bound
+to the interface.
+
+::
+
+   ...
+   <devices>
+     ...
+     <interface type=3D'bridge'>
+       <source bridge=3D'br0'/>
+     </interface>
+     <interface type=3D'bridge'>
+       <source bridge=3D'br1'/>
+       <target dev=3D'vnet7'/>
+       <mac address=3D"00:11:22:33:44:55"/>
+     </interface>
+     <interface type=3D'bridge'>
+       <source bridge=3D'midonet'/>
+       <virtualport type=3D'midonet'>
+         <parameters interfaceid=3D'0b2d64da-3d0e-431e-afdd-804415d6ebbb'/>
+       </virtualport>
+     </interface>
+     ...
+   </devices>
+   ...
+
+:anchor:`<a id=3D"elementsNICSSlirp"/>`
+
+Userspace SLIRP stack
+^^^^^^^^^^^^^^^^^^^^^
+
+Provides a virtual LAN with NAT to the outside world. The virtual network =
has
+DHCP & DNS services and will give the guest VM addresses starting from
+``10.0.2.15``. The default router will be ``10.0.2.2`` and the DNS server =
will
+be ``10.0.2.3``. This networking is the only option for unprivileged users=
 who
+need their VMs to have outgoing access. :since:`Since 3.8.0` it is possibl=
e to
+override the default network address by including an ``ip`` element specif=
ying
+an IPv4 address in its one mandatory attribute, ``address``. Optionally, a
+second ``ip`` element with a ``family`` attribute set to "ipv6" can be spe=
cified
+to add an IPv6 address to the interface. ``address``. Optionally, address
+``prefix`` can be specified.
+
+::
+
+   ...
+   <devices>
+     <interface type=3D'user'/>
+     ...
+     <interface type=3D'user'>
+       <mac address=3D"00:11:22:33:44:55"/>
+       <ip family=3D'ipv4' address=3D'172.17.2.0' prefix=3D'24'/>
+       <ip family=3D'ipv6' address=3D'2001:db8:ac10:fd01::' prefix=3D'64'/>
+     </interface>
+   </devices>
+   ...
+
+:anchor:`<a id=3D"elementsNICSEthernet"/>`
+
+Generic ethernet connection
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Provides a means to use a new or existing tap device (or veth device pair,
+depening on the needs of the hypervisor driver) that is partially or wholly
+setup external to libvirt (either prior to the guest starting, or while the
+guest is being started via an optional script specified in the config).
+
+The name of the tap device can optionally be specified with the ``dev``
+attribute of the ``<target>`` element. If no target dev is specified, libv=
irt
+will create a new standard tap device with a name of the pattern "vnetN", =
where
+"N" is replaced with a number. If a target dev is specified and that device
+doesn't exist, then a new standard tap device will be created with the exa=
ct dev
+name given. If the specified target dev does exist, then that existing dev=
ice
+will be used. Usually some basic setup of the device is done by libvirt,
+including setting a MAC address, and the IFF_UP flag, but if the ``dev`` i=
s a
+pre-existing device, and the ``managed`` attribute of the ``target`` eleme=
nt is
+also set to "no" (the default value is "yes"), even this basic setup will =
not be
+performed - libvirt will simply pass the device on to the hypervisor with =
no
+setup at all. :since:`Since 5.7.0` Using managed=3D'no' with a pre-created=
 tap
+device is useful because it permits a virtual machine managed by an unpriv=
ileged
+libvirtd to have emulated network devices based on tap devices.
+
+After creating/opening the tap device, an optional shell script (given in =
the
+``path`` attribute of the ``<script>`` element) will be run. :since:`Since
+0.2.1` Also, after detaching/closing the tap device, an optional shell scr=
ipt
+(given in the ``path`` attribute of the ``<downscript>`` element) will be =
run.
+:since:`Since 5.1.0` These can be used to do whatever extra host network
+integration is required.
+
+::
+
+   ...
+   <devices>
+     <interface type=3D'ethernet'>
+       <script path=3D'/etc/qemu-ifup-mynet'/>
+       <downscript path=3D'/etc/qemu-ifdown-mynet'/>
+     </interface>
+     ...
+     <interface type=3D'ethernet'>
+       <target dev=3D'mytap1' managed=3D'no'/>
+       <model type=3D'virtio'/>
+     </interface>
+   </devices>
+   ...
+
+:anchor:`<a id=3D"elementsNICSDirect"/>`
+
+Direct attachment to physical interface
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+| Provides direct attachment of the virtual machine's NIC to the given phy=
sical
+  interface of the host. :since:`Since 0.7.7 (QEMU and KVM only)`
+| This setup requires the Linux macvtap driver to be available. :since:`(S=
ince
+  Linux 2.6.34.)` One of the modes 'vepa' ( `'Virtual Ethernet Port
+  Aggregator' <http://www.ieee802.org/1/files/public/docs2009/new-evb-cong=
don-vepa-modular-0709-v01.pdf>`__),
+  'bridge' or 'private' can be chosen for the operation mode of the macvtap
+  device, 'vepa' being the default mode. The individual modes cause the de=
livery
+  of packets to behave as follows:
+
+If the model type is set to ``virtio`` and interface's ``trustGuestRxFilte=
rs``
+attribute is set to ``yes``, changes made to the interface mac address,
+unicast/multicast receive filters, and vlan settings in the guest will be
+monitored and propagated to the associated macvtap device on the host (
+:since:`Since 1.2.10` ). If ``trustGuestRxFilters`` is not set, or is not
+supported for the device model in use, an attempted change to the mac addr=
ess
+originating from the guest side will result in a non-working network conne=
ction.
+
+``vepa``
+   All VMs' packets are sent to the external bridge. Packets whose destina=
tion
+   is a VM on the same host as where the packet originates from are sent b=
ack to
+   the host by the VEPA capable bridge (today's bridges are typically not =
VEPA
+   capable).
+``bridge``
+   Packets whose destination is on the same host as where they originate f=
rom
+   are directly delivered to the target macvtap device. Both origin and
+   destination devices need to be in bridge mode for direct delivery. If e=
ither
+   one of them is in ``vepa`` mode, a VEPA capable bridge is required.
+``private``
+   All packets are sent to the external bridge and will only be delivered =
to a
+   target VM on the same host if they are sent through an external router =
or
+   gateway and that device sends them back to the host. This procedure is
+   followed if either the source or destination device is in ``private`` m=
ode.
+``passthrough``
+   This feature attaches a virtual function of a SRIOV capable NIC directl=
y to a
+   VM without losing the migration capability. All packets are sent to the=
 VF/IF
+   of the configured network device. Depending on the capabilities of the =
device
+   additional prerequisites or limitations may apply; for example, on Linu=
x this
+   requires kernel 2.6.38 or newer. :since:`Since 0.9.2`
+
+::
+
+   ...
+   <devices>
+     ...
+     <interface type=3D'direct' trustGuestRxFilters=3D'no'>
+       <source dev=3D'eth0' mode=3D'vepa'/>
+     </interface>
+   </devices>
+   ...
+
+The network access of direct attached virtual machines can be managed by t=
he
+hardware switch to which the physical interface of the host machine is con=
nected
+to.
+
+The interface can have additional parameters as shown below, if the switch=
 is
+conforming to the IEEE 802.1Qbg standard. The parameters of the virtualport
+element are documented in more detail in the IEEE 802.1Qbg standard. The v=
alues
+are network specific and should be provided by the network administrator. =
In
+802.1Qbg terms, the Virtual Station Interface (VSI) represents the virtual
+interface of a virtual machine. :since:`Since 0.8.2`
+
+Please note that IEEE 802.1Qbg requires a non-zero value for the VLAN ID.
+
+``managerid``
+   The VSI Manager ID identifies the database containing the VSI type and
+   instance definitions. This is an integer value and the value 0 is reser=
ved.
+``typeid``
+   The VSI Type ID identifies a VSI type characterizing the network access=
. VSI
+   types are typically managed by network administrator. This is an integer
+   value.
+``typeidversion``
+   The VSI Type Version allows multiple versions of a VSI Type. This is an
+   integer value.
+``instanceid``
+   The VSI Instance ID Identifier is generated when a VSI instance (i.e. a
+   virtual interface of a virtual machine) is created. This is a globally =
unique
+   identifier.
+
+::
+
+   ...
+   <devices>
+     ...
+     <interface type=3D'direct'>
+       <source dev=3D'eth0.2' mode=3D'vepa'/>
+       <virtualport type=3D"802.1Qbg">
+         <parameters managerid=3D"11" typeid=3D"1193047" typeidversion=3D"=
2" instanceid=3D"09b11c53-8b5c-4eeb-8f00-d84eaa0aaa4f"/>
+       </virtualport>
+     </interface>
+   </devices>
+   ...
+
+The interface can have additional parameters as shown below if the switch =
is
+conforming to the IEEE 802.1Qbh standard. The values are network specific =
and
+should be provided by the network administrator. :since:`Since 0.8.2`
+
+``profileid``
+   The profile ID contains the name of the port profile that is to be appl=
ied to
+   this interface. This name is resolved by the port profile database into=
 the
+   network parameters from the port profile, and those network parameters =
will
+   be applied to this interface.
+
+::
+
+   ...
+   <devices>
+     ...
+     <interface type=3D'direct'>
+       <source dev=3D'eth0' mode=3D'private'/>
+       <virtualport type=3D'802.1Qbh'>
+         <parameters profileid=3D'finance'/>
+       </virtualport>
+     </interface>
+   </devices>
+   ...
+
+:anchor:`<a id=3D"elementsNICSHostdev"/>`
+
+PCI Passthrough
+^^^^^^^^^^^^^^^
+
+A PCI network device (specified by the <source> element) is directly assig=
ned to
+the guest using generic device passthrough, after first optionally setting=
 the
+device's MAC address to the configured value, and associating the device w=
ith an
+802.1Qbh capable switch using an optionally specified <virtualport> elemen=
t (see
+the examples of virtualport given above for type=3D'direct' network device=
s). Note
+that - due to limitations in standard single-port PCI ethernet card driver
+design - only SR-IOV (Single Root I/O Virtualization) virtual function (VF)
+devices can be assigned in this manner; to assign a standard single-port P=
CI or
+PCIe ethernet card to a guest, use the traditional <hostdev> device defini=
tion
+and :since:`Since 0.9.11`
+
+To use VFIO device assignment rather than traditional/legacy KVM device
+assignment (VFIO is a new method of device assignment that is compatible w=
ith
+UEFI Secure Boot), a type=3D'hostdev' interface can have an optional ``dri=
ver``
+sub-element with a ``name`` attribute set to "vfio". To use legacy KVM dev=
ice
+assignment you can set ``name`` to "kvm" (or simply omit the ``<driver>``
+element, since "kvm" is currently the default). :since:`Since 1.0.5 (QEMU =
and
+KVM only, requires kernel 3.6 or newer)`
+
+Note that this "intelligent passthrough" of network devices is very simila=
r to
+the functionality of a standard <hostdev> device, the difference being tha=
t this
+method allows specifying a MAC address and <virtualport> for the passed-th=
rough
+device. If these capabilities are not required, if you have a standard
+single-port PCI, PCIe, or USB network card that doesn't support SR-IOV (and
+hence would anyway lose the configured MAC address during reset after being
+assigned to the guest domain), or if you are using a version of libvirt ol=
der
+than 0.9.11, you should use standard <hostdev> to assign the device to the=
 guest
+instead of <interface type=3D'hostdev'/>.
+
+Similar to the functionality of a standard <hostdev> device, when ``manage=
d`` is
+"yes", it is detached from the host before being passed on to the guest, a=
nd
+reattached to the host after the guest exits. If ``managed`` is omitted or=
 "no",
+the user is responsible to call ``virNodeDeviceDettach`` (or
+``virsh nodedev-detach``) before starting the guest or hot-plugging the de=
vice,
+and ``virNodeDeviceReAttach`` (or ``virsh nodedev-reattach``) after hot-un=
plug
+or stopping the guest.
+
+::
+
+   ...
+   <devices>
+     <interface type=3D'hostdev' managed=3D'yes'>
+       <driver name=3D'vfio'/>
+       <source>
+         <address type=3D'pci' domain=3D'0x0000' bus=3D'0x00' slot=3D'0x07=
' function=3D'0x0'/>
+       </source>
+       <mac address=3D'52:54:00:6d:90:02'/>
+       <virtualport type=3D'802.1Qbh'>
+         <parameters profileid=3D'finance'/>
+       </virtualport>
+     </interface>
+   </devices>
+   ...
+
+:anchor:`<a id=3D"elementsTeaming"/>`
+
+Teaming a virtio/hostdev NIC pair
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+:since:`Since 6.1.0 (QEMU and KVM only, requires QEMU 4.2.0 or newer and a=
 guest
+virtio-net driver supporting the "failover" feature, such as the one inclu=
ded in
+Linux kernel 4.18 and newer) ` The ``<teaming>`` element of two interfaces=
 can
+be used to connect them as a team/bond device in the guest (assuming proper
+support in the hypervisor and the guest network driver).
+
+::
+
+   ...
+   <devices>
+     <interface type=3D'network'>
+       <source network=3D'mybridge'/>
+       <mac address=3D'00:11:22:33:44:55'/>
+       <model type=3D'virtio'/>
+       <teaming type=3D'persistent'/>
+       <alias name=3D'ua-backup0'/>
+     </interface>
+     <interface type=3D'network'>
+       <source network=3D'hostdev-pool'/>
+       <mac address=3D'00:11:22:33:44:55'/>
+       <model type=3D'virtio'/>
+       <teaming type=3D'transient' persistent=3D'ua-backup0'/>
+     </interface>
+   </devices>
+   ...
+
+The ``<teaming>`` element required attribute ``type`` will be set to either
+``"persistent"`` to indicate a device that should always be present in the
+domain, or ``"transient"`` to indicate a device that may periodically be
+removed, then later re-added to the domain. When type=3D"transient", there=
 should
+be a second attribute to ``<teaming>`` called ``"persistent"`` - this attr=
ibute
+should be set to the alias name of the other device in the pair (the one t=
hat
+has ``<teaming       type=3D"persistent'/>``).
+
+In the particular case of QEMU, libvirt's ``<teaming>`` element is used to=
 setup
+a virtio-net "failover" device pair. For this setup, the persistent device=
 must
+be an interface with ``<model       type=3D"virtio"/>``, and the transient=
 device
+must be ``<interface type=3D'hostdev'/>`` (or ``<interface type=3D'network=
'/>``
+where the referenced network defines a pool of SRIOV VFs). The guest will =
then
+have a simple network team/bond device made of the virtio NIC + hostdev NIC
+pair. In this configuration, the higher-performing hostdev NIC will normal=
ly be
+preferred for all network traffic, but when the domain is migrated, QEMU w=
ill
+automatically unplug the VF from the guest, and then hotplug a similar dev=
ice
+once migration is completed; while migration is taking place, network traf=
fic
+will use the virtio NIC. (Of course the emulated virtio NIC and the hostde=
v NIC
+must be connected to the same subnet for bonding to work properly).
+
+NB1: Since you must know the alias name of the virtio NIC when configuring=
 the
+hostdev NIC, it will need to be manually set in the virtio NIC's configura=
tion
+(as with all other manually set alias names, this means it must start with
+"ua-").
+
+NB2: Currently the only implementation of the guest OS virtio-net driver
+supporting virtio-net failover requires that the MAC addresses of the virt=
io and
+hostdev NIC must match. Since that may not always be a requirement in the
+future, libvirt doesn't enforce this limitation - it is up to the
+person/management application that is creating the configuration to assure=
 the
+MAC addresses of the two devices match.
+
+NB3: Since the PCI addresses of the SRIOV VFs on the hosts that are the so=
urce
+and destination of the migration will almost certainly be different, either
+higher level management software will need to modify the ``<source>`` of t=
he
+hostdev NIC (``<interface type=3D'hostdev'>``) at the start of migration, =
or (a
+simpler solution) the configuration will need to use a libvirt "hostdev" v=
irtual
+network that maintains a pool of such devices, as is implied in the exampl=
e's
+use of the libvirt network named "hostdev-pool" - as long as the hostdev n=
etwork
+pools on both hosts have the same name, libvirt itself will take care of
+allocating an appropriate device on both ends of the migration. Similarly =
the
+XML for the virtio interface must also either work correctly unmodified on=
 both
+the source and destination of the migration (e.g. by connecting to the same
+bridge device on both hosts, or by using the same virtual network), or the
+management software must properly modify the interface XML during migratio=
n so
+that the virtio device remains connected to the same network segment befor=
e and
+after migration.
+
+:anchor:`<a id=3D"elementsNICSMulticast"/>`
+
+Multicast tunnel
+^^^^^^^^^^^^^^^^
+
+A multicast group is setup to represent a virtual network. Any VMs whose n=
etwork
+devices are in the same multicast group can talk to each other even across
+hosts. This mode is also available to unprivileged users. There is no defa=
ult
+DNS or DHCP support and no outgoing network access. To provide outgoing ne=
twork
+access, one of the VMs should have a 2nd NIC which is connected to one of =
the
+first 4 network types and do the appropriate routing. The multicast protoc=
ol is
+compatible with that used by user mode linux guests too. The source addres=
s used
+must be from the multicast address block.
+
+::
+
+   ...
+   <devices>
+     <interface type=3D'mcast'>
+       <mac address=3D'52:54:00:6d:90:01'/>
+       <source address=3D'230.0.0.1' port=3D'5558'/>
+     </interface>
+   </devices>
+   ...
+
+:anchor:`<a id=3D"elementsNICSTCP"/>`
+
+TCP tunnel
+^^^^^^^^^^
+
+A TCP client/server architecture provides a virtual network. One VM provid=
es the
+server end of the network, all other VMS are configured as clients. All ne=
twork
+traffic is routed between the VMs via the server. This mode is also availa=
ble to
+unprivileged users. There is no default DNS or DHCP support and no outgoing
+network access. To provide outgoing network access, one of the VMs should =
have a
+2nd NIC which is connected to one of the first 4 network types and do the
+appropriate routing.
+
+::
+
+   ...
+   <devices>
+     <interface type=3D'server'>
+       <mac address=3D'52:54:00:22:c9:42'/>
+       <source address=3D'192.168.0.1' port=3D'5558'/>
+     </interface>
+     ...
+     <interface type=3D'client'>
+       <mac address=3D'52:54:00:8b:c9:51'/>
+       <source address=3D'192.168.0.1' port=3D'5558'/>
+     </interface>
+   </devices>
+   ...
+
+:anchor:`<a id=3D"elementsNICSUDP"/>`
+
+UDP unicast tunnel
+^^^^^^^^^^^^^^^^^^
+
+A UDP unicast architecture provides a virtual network which enables connec=
tions
+between QEMU instances using QEMU's UDP infrastructure. The xml "source" a=
ddress
+is the endpoint address to which the UDP socket packets will be sent from =
the
+host running QEMU. The xml "local" address is the address of the interface=
 from
+which the UDP socket packets will originate from the QEMU host. :since:`Si=
nce
+1.2.20`
+
+::
+
+   ...
+   <devices>
+     <interface type=3D'udp'>
+       <mac address=3D'52:54:00:22:c9:42'/>
+       <source address=3D'127.0.0.1' port=3D'11115'>
+         <local address=3D'127.0.0.1' port=3D'11116'/>
+       </source>
+     </interface>
+   </devices>
+   ...
+
+:anchor:`<a id=3D"elementsNICSModel"/>`
+
+Setting the NIC model
+^^^^^^^^^^^^^^^^^^^^^
+
+::
+
+   ...
+   <devices>
+     <interface type=3D'network'>
+       <source network=3D'default'/>
+       <target dev=3D'vnet1'/>
+       <model type=3D'ne2k_pci'/>
+     </interface>
+   </devices>
+   ...
+
+For hypervisors which support this, you can set the model of emulated netw=
ork
+interface card.
+
+The values for ``type`` aren't defined specifically by libvirt, but by wha=
t the
+underlying hypervisor supports (if any). For QEMU and KVM you can get a li=
st of
+supported models with these commands:
+
+::
+
+   qemu -net nic,model=3D? /dev/null
+   qemu-kvm -net nic,model=3D? /dev/null
+
+Typical values for QEMU and KVM include: ne2k_isa i82551 i82557b i82559er
+ne2k_pci pcnet rtl8139 e1000 virtio. :since:`Since 5.2.0` ,
+``virtio-transitional`` and ``virtio-non-transitional`` values are support=
ed.
+See `Virtio transitional devices <#elementsVirtioTransitional>`__ for more
+details.
+
+:anchor:`<a id=3D"elementsDriverBackendOptions"/>`
+
+Setting NIC driver-specific options
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+::
+
+   ...
+   <devices>
+     <interface type=3D'network'>
+       <source network=3D'default'/>
+       <target dev=3D'vnet1'/>
+       <model type=3D'virtio'/>
+       <driver name=3D'vhost' txmode=3D'iothread' ioeventfd=3D'on' event_i=
dx=3D'off' queues=3D'5' rx_queue_size=3D'256' tx_queue_size=3D'256'>
+         <host csum=3D'off' gso=3D'off' tso4=3D'off' tso6=3D'off' ecn=3D'o=
ff' ufo=3D'off' mrg_rxbuf=3D'off'/>
+         <guest csum=3D'off' tso4=3D'off' tso6=3D'off' ecn=3D'off' ufo=3D'=
off'/>
+       </driver>
+       </interface>
+   </devices>
+   ...
+
+Some NICs may have tunable driver-specific options. These are set as attri=
butes
+of the ``driver`` sub-element of the interface definition. Currently the
+following attributes are available for the ``"virtio"`` NIC driver:
+
+``name``
+   The optional ``name`` attribute forces which type of backend driver to =
use.
+   The value can be either 'qemu' (a user-space backend) or 'vhost' (a ker=
nel
+   backend, which requires the vhost module to be provided by the kernel);=
 an
+   attempt to require the vhost driver without kernel support will be reje=
cted.
+   If this attribute is not present, then the domain defaults to 'vhost' if
+   present, but silently falls back to 'qemu' without error. :since:`Since=
 0.8.8
+   (QEMU and KVM only)`
+   For interfaces of type=3D'hostdev' (PCI passthrough devices) the ``name=
``
+   attribute can optionally be set to "vfio" or "kvm". "vfio" tells libvir=
t to
+   use VFIO device assignment rather than traditional KVM device assignment
+   (VFIO is a new method of device assignment that is compatible with UEFI
+   Secure Boot), and "kvm" tells libvirt to use the legacy device assignme=
nt
+   performed directly by the kvm kernel module (the default is currently "=
kvm",
+   but is subject to change). :since:`Since 1.0.5 (QEMU and KVM only, requ=
ires
+   kernel 3.6 or newer)`
+   For interfaces of type=3D'vhostuser', the ``name`` attribute is ignored=
. The
+   backend driver used is always vhost-user.
+``txmode``
+   The ``txmode`` attribute specifies how to handle transmission of packet=
s when
+   the transmit buffer is full. The value can be either 'iothread' or 'tim=
er'.
+   :since:`Since 0.8.8 (QEMU and KVM only)`
+   If set to 'iothread', packet tx is all done in an iothread in the botto=
m half
+   of the driver (this option translates into adding "tx=3Dbh" to the qemu
+   commandline -device virtio-net-pci option).
+   If set to 'timer', tx work is done in qemu, and if there is more tx dat=
a than
+   can be sent at the present time, a timer is set before qemu moves on to=
 do
+   other things; when the timer fires, another attempt is made to send more
+   data.
+   The resulting difference, according to the qemu developer who added the
+   option is: "bh makes tx more asynchronous and reduces latency, but
+   potentially causes more processor bandwidth contention since the CPU do=
ing
+   the tx isn't necessarily the CPU where the guest generated the packets."
+   **In general you should leave this option alone, unless you are very ce=
rtain
+   you know what you are doing.**
+``ioeventfd``
+   This optional attribute allows users to set `domain I/O asynchronous
+   handling <https://patchwork.kernel.org/patch/43390/>`__ for interface d=
evice.
+   The default is left to the discretion of the hypervisor. Accepted value=
s are
+   "on" and "off". Enabling this allows qemu to execute VM while a separate
+   thread handles I/O. Typically guests experiencing high system CPU utili=
zation
+   during I/O will benefit from this. On the other hand, on overloaded hos=
t it
+   could increase guest I/O latency. :since:`Since 0.9.3 (QEMU and KVM onl=
y)`
+   **In general you should leave this option alone, unless you are very ce=
rtain
+   you know what you are doing.**
+``event_idx``
+   The ``event_idx`` attribute controls some aspects of device event proce=
ssing.
+   The value can be either 'on' or 'off' - if it is on, it will reduce the
+   number of interrupts and exits for the guest. The default is determined=
 by
+   QEMU; usually if the feature is supported, default is on. In case there=
 is a
+   situation where this behavior is suboptimal, this attribute provides a =
way to
+   force the feature off. :since:`Since 0.9.5 (QEMU and KVM only)`
+   **In general you should leave this option alone, unless you are very ce=
rtain
+   you know what you are doing.**
+``queues``
+   The optional ``queues`` attribute controls the number of queues to be u=
sed
+   for either `Multiqueue
+   virtio-net <https://www.linux-kvm.org/page/Multiqueue>`__ or
+   `vhost-user <#elementVhostuser>`__ network interfaces. Use of multiple =
packet
+   processing queues requires the interface having the
+   ``<model type=3D'virtio'/>`` element. Each queue will potentially be ha=
ndled by
+   a different processor, resulting in much higher throughput.
+   :since:`virtio-net since 1.0.6 (QEMU and KVM only)` :since:`vhost-user =
since
+   1.2.17 (QEMU and KVM only)`
+``rx_queue_size``
+   The optional ``rx_queue_size`` attribute controls the size of virtio ri=
ng for
+   each queue as described above. The default value is hypervisor dependen=
t and
+   may change across its releases. Moreover, some hypervisors may pose some
+   restrictions on actual value. For instance, latest QEMU (as of 2016-09-=
01)
+   requires value to be a power of two from [256, 1024] range. :since:`Sin=
ce
+   2.3.0 (QEMU and KVM only)`
+   **In general you should leave this option alone, unless you are very ce=
rtain
+   you know what you are doing.**
+``tx_queue_size``
+   The optional ``tx_queue_size`` attribute controls the size of virtio ri=
ng for
+   each queue as described above. The default value is hypervisor dependen=
t and
+   may change across its releases. Moreover, some hypervisors may pose some
+   restrictions on actual value. For instance, QEMU v2.9 requires value to=
 be a
+   power of two from [256, 1024] range. In addition to that, this may work=
 only
+   for a subset of interface types, e.g. aforementioned QEMU enables this =
option
+   only for ``vhostuser`` type. :since:`Since 3.7.0 (QEMU and KVM only)`
+   **In general you should leave this option alone, unless you are very ce=
rtain
+   you know what you are doing.**
+virtio options
+   For virtio interfaces, `Virtio-specific options <#elementsVirtio>`__ ca=
n also
+   be set. ( :since:`Since 3.5.0` )
+
+Offloading options for the host and guest can be configured using the foll=
owing
+sub-elements:
+
+``host``
+   The ``csum``, ``gso``, ``tso4``, ``tso6``, ``ecn`` and ``ufo`` attribut=
es
+   with possible values ``on`` and ``off`` can be used to turn off host
+   offloading options. By default, the supported offloads are enabled by Q=
EMU.
+   :since:`Since 1.2.9 (QEMU only)` The ``mrg_rxbuf`` attribute can be use=
d to
+   control mergeable rx buffers on the host side. Possible values are ``on=
``
+   (default) and ``off``. :since:`Since 1.2.13 (QEMU only)`
+``guest``
+   The ``csum``, ``tso4``, ``tso6``, ``ecn`` and ``ufo`` attributes with
+   possible values ``on`` and ``off`` can be used to turn off guest offloa=
ding
+   options. By default, the supported offloads are enabled by QEMU.
+   :since:`Since 1.2.9 (QEMU only)`
+
+:anchor:`<a id=3D"elementsBackendOptions"/>`
+
+Setting network backend-specific options
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+::
+
+   ...
+   <devices>
+     <interface type=3D'network'>
+       <source network=3D'default'/>
+       <target dev=3D'vnet1'/>
+       <model type=3D'virtio'/>
+       <backend tap=3D'/dev/net/tun' vhost=3D'/dev/vhost-net'/>
+       <driver name=3D'vhost' txmode=3D'iothread' ioeventfd=3D'on' event_i=
dx=3D'off' queues=3D'5'/>
+       <tune>
+         <sndbuf>1600</sndbuf>
+       </tune>
+     </interface>
+   </devices>
+   ...
+
+For tuning the backend of the network, the ``backend`` element can be used=
. The
+``vhost`` attribute can override the default vhost device path
+(``/dev/vhost-net``) for devices with ``virtio`` model. The ``tap`` attrib=
ute
+overrides the tun/tap device path (default: ``/dev/net/tun``) for network =
and
+bridge interfaces. This does not work in session mode. :since:`Since 1.2.9`
+
+For tap devices there is also ``sndbuf`` element which can adjust the size=
 of
+send buffer in the host. :since:`Since 0.8.8`
+
+:anchor:`<a id=3D"elementsNICSTargetOverride"/>`
+
+Overriding the target element
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+::
+
+   ...
+   <devices>
+     <interface type=3D'network'>
+       <source network=3D'default'/>
+       <target dev=3D'vnet1'/>
+     </interface>
+   </devices>
+   ...
+
+If no target is specified, certain hypervisors will automatically generate=
 a
+name for the created tun device. This name can be manually specified, howe=
ver
+the name *should not start with either 'vnet', 'vif', 'macvtap', or 'macvl=
an'*,
+which are prefixes reserved by libvirt and certain hypervisors. Manually
+specified targets using these prefixes may be ignored.
+
+Note that for LXC containers, this defines the name of the interface on th=
e host
+side. :since:`Since 1.2.7` , to define the name of the device on the guest=
 side,
+the ``guest`` element should be used, as in the following snippet:
+
+::
+
+   ...
+   <devices>
+     <interface type=3D'network'>
+       <source network=3D'default'/>
+       <guest dev=3D'myeth'/>
+     </interface>
+   </devices>
+   ...
+
+:anchor:`<a id=3D"elementsNICSBoot"/>`
+
+Specifying boot order
+^^^^^^^^^^^^^^^^^^^^^
+
+::
+
+   ...
+   <devices>
+     <interface type=3D'network'>
+       <source network=3D'default'/>
+       <target dev=3D'vnet1'/>
+       <boot order=3D'1'/>
+     </interface>
+   </devices>
+   ...
+
+For hypervisors which support this, you can set a specific NIC to be used =
for
+network boot. The ``order`` attribute determines the order in which device=
s will
+be tried during boot sequence. The per-device ``boot`` elements cannot be =
used
+together with general boot elements in `BIOS bootloader <#elementsOSBIOS>`=
__
+section. :since:`Since 0.8.8`
+
+:anchor:`<a id=3D"elementsNICSROM"/>`
+
+Interface ROM BIOS configuration
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+::
+
+   ...
+   <devices>
+     <interface type=3D'network'>
+       <source network=3D'default'/>
+       <target dev=3D'vnet1'/>
+       <rom bar=3D'on' file=3D'/etc/fake/boot.bin'/>
+     </interface>
+   </devices>
+   ...
+
+For hypervisors which support this, you can change how a PCI Network devic=
e's
+ROM is presented to the guest. The ``bar`` attribute can be set to "on" or
+"off", and determines whether or not the device's ROM will be visible in t=
he
+guest's memory map. (In PCI documentation, the "rombar" setting controls t=
he
+presence of the Base Address Register for the ROM). If no rom bar is speci=
fied,
+the qemu default will be used (older versions of qemu used a default of "o=
ff",
+while newer qemus have a default of "on"). The optional ``file`` attribute=
 is
+used to point to a binary file to be presented to the guest as the device'=
s ROM
+BIOS. This can be useful to provide an alternative boot ROM for a network
+device. :since:`Since 0.9.10 (QEMU and KVM only)` .
+
+:anchor:`<a id=3D"elementDomain"/>`
+
+Setting up a network backend in a driver domain
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+::
+
+   ...
+   <devices>
+     ...
+     <interface type=3D'bridge'>
+       <source bridge=3D'br0'/>
+       <backenddomain name=3D'netvm'/>
+     </interface>
+     ...
+   </devices>
+   ...
+
+The optional ``backenddomain`` element allows specifying a backend domain =
(aka
+driver domain) for the interface. Use the ``name`` attribute to specify the
+backend domain name. You can use it to create a direct network link between
+domains (so data will not go through host system). Use with type 'ethernet=
' to
+create plain network link, or with type 'bridge' to connect to a bridge in=
side
+the backend domain. :since:`Since 1.2.13 (Xen only)`
+
+:anchor:`<a id=3D"elementQoS"/>`
+
+Quality of service
+^^^^^^^^^^^^^^^^^^
+
+::
+
+   ...
+   <devices>
+     <interface type=3D'network'>
+       <source network=3D'default'/>
+       <target dev=3D'vnet0'/>
+       <bandwidth>
+         <inbound average=3D'1000' peak=3D'5000' floor=3D'200' burst=3D'10=
24'/>
+         <outbound average=3D'128' peak=3D'256' burst=3D'256'/>
+       </bandwidth>
+     </interface>
+   </devices>
+   ...
+
+This part of interface XML provides setting quality of service. Incoming a=
nd
+outgoing traffic can be shaped independently. The ``bandwidth`` element an=
d its
+child elements are described in the `QoS <formatnetwork.html#elementQoS>`__
+section of the Network XML.
+
+:anchor:`<a id=3D"elementVlanTag"/>`
+
+Setting VLAN tag (on supported network types only)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+::
+
+   ...
+   <devices>
+     <interface type=3D'bridge'>
+       <vlan>
+         <tag id=3D'42'/>
+       </vlan>
+       <source bridge=3D'ovsbr0'/>
+       <virtualport type=3D'openvswitch'>
+         <parameters interfaceid=3D'09b11c53-8b5c-4eeb-8f00-d84eaa0aaa4f'/>
+       </virtualport>
+     </interface>
+     <interface type=3D'bridge'>
+       <vlan trunk=3D'yes'>
+         <tag id=3D'42'/>
+         <tag id=3D'123' nativeMode=3D'untagged'/>
+       </vlan>
+       ...
+     </interface>
+   </devices>
+   ...
+
+If (and only if) the network connection used by the guest supports VLAN ta=
gging
+transparent to the guest, an optional ``<vlan>`` element can specify one o=
r more
+VLAN tags to apply to the guest's network traffic :since:`Since 0.10.0` .
+Network connections that support guest-transparent VLAN tagging include 1)
+type=3D'bridge' interfaces connected to an Open vSwitch bridge :since:`Sin=
ce
+0.10.0` , 2) SRIOV Virtual Functions (VF) used via type=3D'hostdev' (direc=
t device
+assignment) :since:`Since 0.10.0` , and 3) SRIOV VFs used via type=3D'dire=
ct' with
+mode=3D'passthrough' (macvtap "passthru" mode) :since:`Since 1.3.5` . All =
other
+connection types, including standard linux bridges and libvirt's own virtu=
al
+networks, **do not** support it. 802.1Qbh (vn-link) and 802.1Qbg (VEPA) sw=
itches
+provide their own way (outside of libvirt) to tag guest traffic onto a spe=
cific
+VLAN. Each tag is given in a separate ``<tag>`` subelement of ``<vlan>`` (=
for
+example: ``<tag       id=3D'42'/>``). For VLAN trunking of multiple tags (=
which is
+supported only on Open vSwitch connections), multiple ``<tag>`` subelement=
s can
+be specified, which implies that the user wants to do VLAN trunking on the
+interface for all the specified tags. In the case that VLAN trunking of a =
single
+tag is desired, the optional attribute ``trunk=3D'yes'`` can be added to t=
he
+toplevel ``<vlan>`` element to differentiate trunking of a single tag from
+normal tagging.
+
+For network connections using Open vSwitch it is also possible to configure
+'native-tagged' and 'native-untagged' VLAN modes :since:`Since 1.1.0.` Thi=
s is
+done with the optional ``nativeMode`` attribute on the ``<tag>`` subelemen=
t:
+``nativeMode`` may be set to 'tagged' or 'untagged'. The ``id`` attribute =
of the
+``<tag>`` subelement containing ``nativeMode`` sets which VLAN is consider=
ed to
+be the "native" VLAN for this interface, and the ``nativeMode`` attribute
+determines whether or not traffic for that VLAN will be tagged.
+
+:anchor:`<a id=3D"elementPort"/>`
+
+Isolating guests's network traffic from each other
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+::
+
+   ...
+   <devices>
+     <interface type=3D'network'>
+       <source network=3D'default'/>
+       <port isolated=3D'yes'/>
+     </interface>
+   </devices>
+   ...
+
+:since:`Since 6.1.0.` The ``port`` element property ``isolated``, when set=
 to
+``yes`` (default setting is ``no``) is used to isolate this interface's ne=
twork
+traffic from that of other guest interfaces connected to the same network =
that
+also have ``<port isolated=3D'yes'/>``. This setting is only supported for
+emulated interface devices that use a standard tap device to connect to the
+network via a Linux host bridge. This property can be inherited from a lib=
virt
+network, so if all guests that will be connected to the network should be
+isolated, it is better to put the setting in the network configuration. (N=
B:
+this only prevents guests that have ``isolated=3D'yes'`` from communicatin=
g with
+each other; if there is a guest on the same bridge that doesn't have
+``isolated=3D'yes'``, even the isolated guests will be able to communicate=
 with
+it.)
+
+:anchor:`<a id=3D"elementLink"/>`
+
+Modifying virtual link state
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+::
+
+   ...
+   <devices>
+     <interface type=3D'network'>
+       <source network=3D'default'/>
+       <target dev=3D'vnet0'/>
+       <link state=3D'down'/>
+     </interface>
+   </devices>
+   ...
+
+This element provides means of setting state of the virtual network link.
+Possible values for attribute ``state`` are ``up`` and ``down``. If ``down=
`` is
+specified as the value, the interface behaves as if it had the network cab=
le
+disconnected. Default behavior if this element is unspecified is to have t=
he
+link state ``up``. :since:`Since 0.9.5`
+
+:anchor:`<a id=3D"mtu"/>`
+
+MTU configuration
+^^^^^^^^^^^^^^^^^
+
+::
+
+   ...
+   <devices>
+     <interface type=3D'network'>
+       <source network=3D'default'/>
+       <target dev=3D'vnet0'/>
+       <mtu size=3D'1500'/>
+     </interface>
+   </devices>
+   ...
+
+This element provides means of setting MTU of the virtual network link.
+Currently there is just one attribute ``size`` which accepts a non-negative
+integer which specifies the MTU size for the interface. :since:`Since 3.1.=
0`
+
+:anchor:`<a id=3D"coalesce"/>`
+
+Coalesce settings
+^^^^^^^^^^^^^^^^^
+
+::
+
+   ...
+   <devices>
+     <interface type=3D'network'>
+       <source network=3D'default'/>
+       <target dev=3D'vnet0'/>
+       <coalesce>
+         <rx>
+           <frames max=3D'7'/>
+         </rx>
+       </coalesce>
+     </interface>
+   </devices>
+   ...
+
+This element provides means of setting coalesce settings for some interface
+devices (currently only type ``network`` and ``bridge``. Currently there i=
s just
+one attribute, ``max``, to tweak, in element ``frames`` for the ``rx`` gro=
up,
+which accepts a non-negative integer that specifies the maximum number of
+packets that will be received before an interrupt. :since:`Since 3.3.0`
+
+:anchor:`<a id=3D"ipconfig"/>`
+
+IP configuration
+^^^^^^^^^^^^^^^^
+
+::
+
+   ...
+   <devices>
+     <interface type=3D'network'>
+       <source network=3D'default'/>
+       <target dev=3D'vnet0'/>
+       <ip address=3D'192.168.122.5' prefix=3D'24'/>
+       <ip address=3D'192.168.122.5' prefix=3D'24' peer=3D'10.0.0.10'/>
+       <route family=3D'ipv4' address=3D'192.168.122.0' prefix=3D'24' gate=
way=3D'192.168.122.1'/>
+       <route family=3D'ipv4' address=3D'192.168.122.8' gateway=3D'192.168=
.122.1'/>
+     </interface>
+     ...
+     <hostdev mode=3D'capabilities' type=3D'net'>
+       <source>
+         <interface>eth0</interface>
+       </source>
+       <ip address=3D'192.168.122.6' prefix=3D'24'/>
+       <route family=3D'ipv4' address=3D'192.168.122.0' prefix=3D'24' gate=
way=3D'192.168.122.1'/>
+       <route family=3D'ipv4' address=3D'192.168.122.8' gateway=3D'192.168=
.122.1'/>
+     </hostdev>
+     ...
+   </devices>
+   ...
+
+:since:`Since 1.2.12` network devices and hostdev devices with network
+capabilities can optionally be provided one or more IP addresses to set on=
 the
+network device in the guest. Note that some hypervisors or network device =
types
+will simply ignore them or only use the first one. The ``family`` attribut=
e can
+be set to either ``ipv4`` or ``ipv6``, and the ``address`` attribute conta=
ins
+the IP address. The optional ``prefix`` is the number of 1 bits in the net=
mask,
+and will be automatically set if not specified - for IPv4 the default pref=
ix is
+determined according to the network "class" (A, B, or C - see RFC870), and=
 for
+IPv6 the default prefix is 64. The optional ``peer`` attribute holds the IP
+address of the other end of a point-to-point network device :since:`(since
+2.1.0)` .
+
+:since:`Since 1.2.12` route elements can also be added to define IP routes=
 to
+add in the guest. The attributes of this element are described in the
+documentation for the ``route`` element in `network
+definitions <formatnetwork.html#elementsStaticroute>`__. This is used by t=
he LXC
+driver.
+
+::
+
+   ...
+   <devices>
+     <interface type=3D'ethernet'>
+       <source/>
+         <ip address=3D'192.168.123.1' prefix=3D'24'/>
+         <ip address=3D'10.0.0.10' prefix=3D'24' peer=3D'192.168.122.5'/>
+         <route family=3D'ipv4' address=3D'192.168.42.0' prefix=3D'24' gat=
eway=3D'192.168.123.4'/>
+       <source/>
+       ...
+     </interface>
+     ...
+   </devices>
+   ...
+
+:since:`Since 2.1.0` network devices of type "ethernet" can optionally be
+provided one or more IP addresses and one or more routes to set on the **h=
ost**
+side of the network device. These are configured as subelements of the
+``<source>`` element of the interface, and have the same attributes as the
+similarly named elements used to configure the guest side of the interface
+(described above).
+
+:anchor:`<a id=3D"elementVhostuser"/>`
+
+vhost-user interface
+^^^^^^^^^^^^^^^^^^^^
+
+:since:`Since 1.2.7` the vhost-user enables the communication between a QE=
MU
+virtual machine and other userspace process using the Virtio transport pro=
tocol.
+A char dev (e.g. Unix socket) is used for the control plane, while the data
+plane is based on shared memory.
+
+::
+
+   ...
+   <devices>
+     <interface type=3D'vhostuser'>
+       <mac address=3D'52:54:00:3b:83:1a'/>
+       <source type=3D'unix' path=3D'/tmp/vhost1.sock' mode=3D'server'/>
+       <model type=3D'virtio'/>
+     </interface>
+     <interface type=3D'vhostuser'>
+       <mac address=3D'52:54:00:3b:83:1b'/>
+       <source type=3D'unix' path=3D'/tmp/vhost2.sock' mode=3D'client'>
+         <reconnect enabled=3D'yes' timeout=3D'10'/>
+       </source>
+       <model type=3D'virtio'/>
+       <driver queues=3D'5'/>
+     </interface>
+   </devices>
+   ...
+
+The ``<source>`` element has to be specified along with the type of char d=
evice.
+Currently, only type=3D'unix' is supported, where the path (the directory =
path of
+the socket) and mode attributes are required. Both ``mode=3D'server'`` and
+``mode=3D'client'`` are supported. vhost-user requires the virtio model ty=
pe, thus
+the ``<model>`` element is mandatory. :since:`Since 4.1.0` the element has=
 an
+optional child element ``reconnect`` which configures reconnect timeout if=
 the
+connection is lost. It has two attributes ``enabled`` (which accepts ``yes=
`` and
+``no``) and ``timeout`` which specifies the amount of seconds after which
+hypervisor tries to reconnect.
+
+:anchor:`<a id=3D"elementNwfilter"/>`
+
+Traffic filtering with NWFilter
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+:since:`Since 0.8.0` an ``nwfilter`` profile can be assigned to a domain
+interface, which allows configuring traffic filter rules for the virtual
+machine. See the `nwfilter <formatnwfilter.html>`__ documentation for more
+complete details.
+
+::
+
+   ...
+   <devices>
+     <interface ...>
+       ...
+       <filterref filter=3D'clean-traffic'/>
+     </interface>
+     <interface ...>
+       ...
+       <filterref filter=3D'myfilter'>
+         <parameter name=3D'IP' value=3D'104.207.129.11'/>
+         <parameter name=3D'IP6_ADDR' value=3D'2001:19f0:300:2102::'/>
+         <parameter name=3D'IP6_MASK' value=3D'64'/>
+         ...
+       </filterref>
+     </interface>
+   </devices>
+   ...
+
+The ``filter`` attribute specifies the name of the nwfilter to use. Option=
al
+``<parameter>`` elements may be specified for passing additional info to t=
he
+nwfilter via the ``name`` and ``value`` attributes. See the
+`nwfilter <formatnwfilter.html#nwfconceptsvars>`__ docs for info on parame=
ters.
diff --git a/docs/formatdomain-devices.rst b/docs/formatdomain-devices.rst
index 4b5391f77b..4334feb428 100644
--- a/docs/formatdomain-devices.rst
+++ b/docs/formatdomain-devices.rst
@@ -48,1265 +48,7 @@ following characters: ``[a-zA-Z0-9_-]``. :since:`Since=
 3.9.0`
 .. include:: formatdomain-devices-hostdev.rst
 .. include:: formatdomain-devices-redirdev.rst
 .. include:: formatdomain-devices-smartcard.rst
-
-:anchor:`<a id=3D"elementsNICS"/>`
-
-Network interfaces
-~~~~~~~~~~~~~~~~~~
-
-::
-
-   ...
-   <devices>
-     <interface type=3D'direct' trustGuestRxFilters=3D'yes'>
-       <source dev=3D'eth0'/>
-       <mac address=3D'52:54:00:5d:c7:9e'/>
-       <boot order=3D'1'/>
-       <rom bar=3D'off'/>
-     </interface>
-   </devices>
-   ...
-
-There are several possibilities for specifying a network interface visible=
 to
-the guest. Each subsection below provides more details about common setup
-options.
-
-:since:`Since 1.2.10` ), the ``interface`` element property
-``trustGuestRxFilters`` provides the capability for the host to detect and=
 trust
-reports from the guest regarding changes to the interface mac address and
-receive filters by setting the attribute to ``yes``. The default setting f=
or the
-attribute is ``no`` for security reasons and support depends on the guest
-network device model as well as the type of connection on the host - curre=
ntly
-it is only supported for the virtio device model and for macvtap connectio=
ns on
-the host.
-
-Each ``<interface>`` element has an optional ``<address>`` sub-element tha=
t can
-tie the interface to a particular pci slot, with attribute ``type=3D'pci'`=
` as
-`documented above <#elementsAddress>`__.
-
-:since:`Since 6.6.0` , one can force libvirt to keep the provided MAC addr=
ess
-when it's in the reserved VMware range by adding a ``type=3D"static"`` att=
ribute
-to the ``<mac/>`` element. Note that this attribute is useless if the prov=
ided
-MAC address is outside of the reserved VMWare ranges.
-
-:anchor:`<a id=3D"elementsNICSVirtual"/>`
-
-Virtual network
-^^^^^^^^^^^^^^^
-
-**This is the recommended config for general guest connectivity on hosts w=
ith
-dynamic / wireless networking configs (or multi-host environments where th=
e host
-hardware details are described separately in a ``<network>`` definition
-:since:`Since 0.9.4` ).**
-
-Provides a connection whose details are described by the named network
-definition. Depending on the virtual network's "forward mode" configuratio=
n, the
-network may be totally isolated (no ``<forward>`` element given), NAT'ing =
to an
-explicit network device or to the default route (``<forward mode=3D'nat'>`=
`),
-routed with no NAT (``<forward mode=3D'route'/>``), or connected directly =
to one
-of the host's network interfaces (via macvtap) or bridge devices
-((``<forward       mode=3D'bridge|private|vepa|passthrough'/>`` :since:`Si=
nce
-0.9.4` )
-
-For networks with a forward mode of bridge, private, vepa, and passthrough=
, it
-is assumed that the host has any necessary DNS and DHCP services already s=
etup
-outside the scope of libvirt. In the case of isolated, nat, and routed net=
works,
-DHCP and DNS are provided on the virtual network by libvirt, and the IP ra=
nge
-can be determined by examining the virtual network config with
-'``virsh net-dumpxml [networkname]``'. There is one virtual network called
-'default' setup out of the box which does NAT'ing to the default route and=
 has
-an IP range of ``192.168.122.0/255.255.255.0``. Each guest will have an
-associated tun device created with a name of vnetN, which can also be over=
ridden
-with the <target> element (see `overriding the target
-element <#elementsNICSTargetOverride>`__).
-
-When the source of an interface is a network, a ``portgroup`` can be speci=
fied
-along with the name of the network; one network may have multiple portgrou=
ps
-defined, with each portgroup containing slightly different configuration
-information for different classes of network connections. :since:`Since 0.=
9.4` .
-
-When a guest is running an interface of type ``network`` may include a
-``portid`` attribute. This provides the UUID of an associated virNetworkPo=
rtPtr
-object that records the association between the domain interface and the
-network. This attribute is read-only since port objects are create and del=
eted
-automatically during startup and shutdown. :since:`Since 5.1.0`
-
-Also, similar to ``direct`` network connections (described below), a conne=
ction
-of type ``network`` may specify a ``virtualport`` element, with configurat=
ion
-data to be forwarded to a vepa (802.1Qbg) or 802.1Qbh compliant switch (
-:since:`Since 0.8.2` ), or to an Open vSwitch virtual switch ( :since:`Sin=
ce
-0.9.11` ).
-
-Since the actual type of switch may vary depending on the configuration in=
 the
-``<network>`` on the host, it is acceptable to omit the virtualport ``type=
``
-attribute, and specify attributes from multiple different virtualport type=
s (and
-also to leave out certain attributes); at domain startup time, a complete
-``<virtualport>`` element will be constructed by merging together the type=
 and
-attributes defined in the network and the portgroup referenced by the inte=
rface.
-The newly-constructed virtualport is a combination of them. The attributes=
 from
-lower virtualport can't make change on the ones defined in higher virtualp=
ort.
-Interface takes the highest priority, portgroup is lowest priority. (
-:since:`Since 0.10.0` ). For example, in order to work properly with both =
an
-802.1Qbh switch and an Open vSwitch switch, you may choose to specify no t=
ype,
-but both a ``profileid`` (in case the switch is 802.1Qbh) and an ``interfa=
ceid``
-(in case the switch is Open vSwitch) (you may also omit the other attribut=
es,
-such as managerid, typeid, or profileid, to be filled in from the network's
-``<virtualport>``). If you want to limit a guest to connecting only to cer=
tain
-types of switches, you can specify the virtualport type, but still omit so=
me/all
-of the parameters - in this case if the host's network has a different typ=
e of
-virtualport, connection of the interface will fail.
-
-::
-
-   ...
-   <devices>
-     <interface type=3D'network'>
-       <source network=3D'default'/>
-     </interface>
-     ...
-     <interface type=3D'network'>
-       <source network=3D'default' portgroup=3D'engineering'/>
-       <target dev=3D'vnet7'/>
-       <mac address=3D"00:11:22:33:44:55"/>
-       <virtualport>
-         <parameters instanceid=3D'09b11c53-8b5c-4eeb-8f00-d84eaa0aaa4f'/>
-       </virtualport>
-     </interface>
-   </devices>
-   ...
-
-:anchor:`<a id=3D"elementsNICSBridge"/>`
-
-Bridge to LAN
-^^^^^^^^^^^^^
-
-**This is the recommended config for general guest connectivity on hosts w=
ith
-static wired networking configs.**
-
-Provides a bridge from the VM directly to the LAN. This assumes there is a
-bridge device on the host which has one or more of the hosts physical NICs
-attached. The guest VM will have an associated tun device created with a n=
ame of
-vnetN, which can also be overridden with the <target> element (see `overri=
ding
-the target element <#elementsNICSTargetOverride>`__). The tun device will =
be
-attached to the bridge. The IP range / network configuration is whatever i=
s used
-on the LAN. This provides the guest VM full incoming & outgoing net access=
 just
-like a physical machine.
-
-On Linux systems, the bridge device is normally a standard Linux host brid=
ge. On
-hosts that support Open vSwitch, it is also possible to connect to an Open
-vSwitch bridge device by adding a ``<virtualport type=3D'openvswitch'/>`` =
to the
-interface definition. ( :since:`Since 0.9.11` ). The Open vSwitch type
-virtualport accepts two parameters in its ``<parameters>`` element - an
-``interfaceid`` which is a standard uuid used to uniquely identify this
-particular interface to Open vSwitch (if you do not specify one, a random
-interfaceid will be generated for you when you first define the interface)=
, and
-an optional ``profileid`` which is sent to Open vSwitch as the interfaces
-"port-profile".
-
-::
-
-   ...
-   <devices>
-     ...
-     <interface type=3D'bridge'>
-       <source bridge=3D'br0'/>
-     </interface>
-     <interface type=3D'bridge'>
-       <source bridge=3D'br1'/>
-       <target dev=3D'vnet7'/>
-       <mac address=3D"00:11:22:33:44:55"/>
-     </interface>
-     <interface type=3D'bridge'>
-       <source bridge=3D'ovsbr'/>
-       <virtualport type=3D'openvswitch'>
-         <parameters profileid=3D'menial' interfaceid=3D'09b11c53-8b5c-4ee=
b-8f00-d84eaa0aaa4f'/>
-       </virtualport>
-     </interface>
-     ...
-   </devices>
-   ...
-
-On hosts that support Open vSwitch on the kernel side and have the Midonet=
 Host
-Agent configured, it is also possible to connect to the 'midonet' bridge d=
evice
-by adding a ``<virtualport type=3D'midonet'/>`` to the interface definitio=
n. (
-:since:`Since 1.2.13` ). The Midonet virtualport type requires an
-``interfaceid`` attribute in its ``<parameters>`` element. This interface =
id is
-the UUID that specifies which port in the virtual network topology will be=
 bound
-to the interface.
-
-::
-
-   ...
-   <devices>
-     ...
-     <interface type=3D'bridge'>
-       <source bridge=3D'br0'/>
-     </interface>
-     <interface type=3D'bridge'>
-       <source bridge=3D'br1'/>
-       <target dev=3D'vnet7'/>
-       <mac address=3D"00:11:22:33:44:55"/>
-     </interface>
-     <interface type=3D'bridge'>
-       <source bridge=3D'midonet'/>
-       <virtualport type=3D'midonet'>
-         <parameters interfaceid=3D'0b2d64da-3d0e-431e-afdd-804415d6ebbb'/>
-       </virtualport>
-     </interface>
-     ...
-   </devices>
-   ...
-
-:anchor:`<a id=3D"elementsNICSSlirp"/>`
-
-Userspace SLIRP stack
-^^^^^^^^^^^^^^^^^^^^^
-
-Provides a virtual LAN with NAT to the outside world. The virtual network =
has
-DHCP & DNS services and will give the guest VM addresses starting from
-``10.0.2.15``. The default router will be ``10.0.2.2`` and the DNS server =
will
-be ``10.0.2.3``. This networking is the only option for unprivileged users=
 who
-need their VMs to have outgoing access. :since:`Since 3.8.0` it is possibl=
e to
-override the default network address by including an ``ip`` element specif=
ying
-an IPv4 address in its one mandatory attribute, ``address``. Optionally, a
-second ``ip`` element with a ``family`` attribute set to "ipv6" can be spe=
cified
-to add an IPv6 address to the interface. ``address``. Optionally, address
-``prefix`` can be specified.
-
-::
-
-   ...
-   <devices>
-     <interface type=3D'user'/>
-     ...
-     <interface type=3D'user'>
-       <mac address=3D"00:11:22:33:44:55"/>
-       <ip family=3D'ipv4' address=3D'172.17.2.0' prefix=3D'24'/>
-       <ip family=3D'ipv6' address=3D'2001:db8:ac10:fd01::' prefix=3D'64'/>
-     </interface>
-   </devices>
-   ...
-
-:anchor:`<a id=3D"elementsNICSEthernet"/>`
-
-Generic ethernet connection
-^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-Provides a means to use a new or existing tap device (or veth device pair,
-depening on the needs of the hypervisor driver) that is partially or wholly
-setup external to libvirt (either prior to the guest starting, or while the
-guest is being started via an optional script specified in the config).
-
-The name of the tap device can optionally be specified with the ``dev``
-attribute of the ``<target>`` element. If no target dev is specified, libv=
irt
-will create a new standard tap device with a name of the pattern "vnetN", =
where
-"N" is replaced with a number. If a target dev is specified and that device
-doesn't exist, then a new standard tap device will be created with the exa=
ct dev
-name given. If the specified target dev does exist, then that existing dev=
ice
-will be used. Usually some basic setup of the device is done by libvirt,
-including setting a MAC address, and the IFF_UP flag, but if the ``dev`` i=
s a
-pre-existing device, and the ``managed`` attribute of the ``target`` eleme=
nt is
-also set to "no" (the default value is "yes"), even this basic setup will =
not be
-performed - libvirt will simply pass the device on to the hypervisor with =
no
-setup at all. :since:`Since 5.7.0` Using managed=3D'no' with a pre-created=
 tap
-device is useful because it permits a virtual machine managed by an unpriv=
ileged
-libvirtd to have emulated network devices based on tap devices.
-
-After creating/opening the tap device, an optional shell script (given in =
the
-``path`` attribute of the ``<script>`` element) will be run. :since:`Since
-0.2.1` Also, after detaching/closing the tap device, an optional shell scr=
ipt
-(given in the ``path`` attribute of the ``<downscript>`` element) will be =
run.
-:since:`Since 5.1.0` These can be used to do whatever extra host network
-integration is required.
-
-::
-
-   ...
-   <devices>
-     <interface type=3D'ethernet'>
-       <script path=3D'/etc/qemu-ifup-mynet'/>
-       <downscript path=3D'/etc/qemu-ifdown-mynet'/>
-     </interface>
-     ...
-     <interface type=3D'ethernet'>
-       <target dev=3D'mytap1' managed=3D'no'/>
-       <model type=3D'virtio'/>
-     </interface>
-   </devices>
-   ...
-
-:anchor:`<a id=3D"elementsNICSDirect"/>`
-
-Direct attachment to physical interface
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-| Provides direct attachment of the virtual machine's NIC to the given phy=
sical
-  interface of the host. :since:`Since 0.7.7 (QEMU and KVM only)`
-| This setup requires the Linux macvtap driver to be available. :since:`(S=
ince
-  Linux 2.6.34.)` One of the modes 'vepa' ( `'Virtual Ethernet Port
-  Aggregator' <http://www.ieee802.org/1/files/public/docs2009/new-evb-cong=
don-vepa-modular-0709-v01.pdf>`__),
-  'bridge' or 'private' can be chosen for the operation mode of the macvtap
-  device, 'vepa' being the default mode. The individual modes cause the de=
livery
-  of packets to behave as follows:
-
-If the model type is set to ``virtio`` and interface's ``trustGuestRxFilte=
rs``
-attribute is set to ``yes``, changes made to the interface mac address,
-unicast/multicast receive filters, and vlan settings in the guest will be
-monitored and propagated to the associated macvtap device on the host (
-:since:`Since 1.2.10` ). If ``trustGuestRxFilters`` is not set, or is not
-supported for the device model in use, an attempted change to the mac addr=
ess
-originating from the guest side will result in a non-working network conne=
ction.
-
-``vepa``
-   All VMs' packets are sent to the external bridge. Packets whose destina=
tion
-   is a VM on the same host as where the packet originates from are sent b=
ack to
-   the host by the VEPA capable bridge (today's bridges are typically not =
VEPA
-   capable).
-``bridge``
-   Packets whose destination is on the same host as where they originate f=
rom
-   are directly delivered to the target macvtap device. Both origin and
-   destination devices need to be in bridge mode for direct delivery. If e=
ither
-   one of them is in ``vepa`` mode, a VEPA capable bridge is required.
-``private``
-   All packets are sent to the external bridge and will only be delivered =
to a
-   target VM on the same host if they are sent through an external router =
or
-   gateway and that device sends them back to the host. This procedure is
-   followed if either the source or destination device is in ``private`` m=
ode.
-``passthrough``
-   This feature attaches a virtual function of a SRIOV capable NIC directl=
y to a
-   VM without losing the migration capability. All packets are sent to the=
 VF/IF
-   of the configured network device. Depending on the capabilities of the =
device
-   additional prerequisites or limitations may apply; for example, on Linu=
x this
-   requires kernel 2.6.38 or newer. :since:`Since 0.9.2`
-
-::
-
-   ...
-   <devices>
-     ...
-     <interface type=3D'direct' trustGuestRxFilters=3D'no'>
-       <source dev=3D'eth0' mode=3D'vepa'/>
-     </interface>
-   </devices>
-   ...
-
-The network access of direct attached virtual machines can be managed by t=
he
-hardware switch to which the physical interface of the host machine is con=
nected
-to.
-
-The interface can have additional parameters as shown below, if the switch=
 is
-conforming to the IEEE 802.1Qbg standard. The parameters of the virtualport
-element are documented in more detail in the IEEE 802.1Qbg standard. The v=
alues
-are network specific and should be provided by the network administrator. =
In
-802.1Qbg terms, the Virtual Station Interface (VSI) represents the virtual
-interface of a virtual machine. :since:`Since 0.8.2`
-
-Please note that IEEE 802.1Qbg requires a non-zero value for the VLAN ID.
-
-``managerid``
-   The VSI Manager ID identifies the database containing the VSI type and
-   instance definitions. This is an integer value and the value 0 is reser=
ved.
-``typeid``
-   The VSI Type ID identifies a VSI type characterizing the network access=
. VSI
-   types are typically managed by network administrator. This is an integer
-   value.
-``typeidversion``
-   The VSI Type Version allows multiple versions of a VSI Type. This is an
-   integer value.
-``instanceid``
-   The VSI Instance ID Identifier is generated when a VSI instance (i.e. a
-   virtual interface of a virtual machine) is created. This is a globally =
unique
-   identifier.
-
-::
-
-   ...
-   <devices>
-     ...
-     <interface type=3D'direct'>
-       <source dev=3D'eth0.2' mode=3D'vepa'/>
-       <virtualport type=3D"802.1Qbg">
-         <parameters managerid=3D"11" typeid=3D"1193047" typeidversion=3D"=
2" instanceid=3D"09b11c53-8b5c-4eeb-8f00-d84eaa0aaa4f"/>
-       </virtualport>
-     </interface>
-   </devices>
-   ...
-
-The interface can have additional parameters as shown below if the switch =
is
-conforming to the IEEE 802.1Qbh standard. The values are network specific =
and
-should be provided by the network administrator. :since:`Since 0.8.2`
-
-``profileid``
-   The profile ID contains the name of the port profile that is to be appl=
ied to
-   this interface. This name is resolved by the port profile database into=
 the
-   network parameters from the port profile, and those network parameters =
will
-   be applied to this interface.
-
-::
-
-   ...
-   <devices>
-     ...
-     <interface type=3D'direct'>
-       <source dev=3D'eth0' mode=3D'private'/>
-       <virtualport type=3D'802.1Qbh'>
-         <parameters profileid=3D'finance'/>
-       </virtualport>
-     </interface>
-   </devices>
-   ...
-
-:anchor:`<a id=3D"elementsNICSHostdev"/>`
-
-PCI Passthrough
-^^^^^^^^^^^^^^^
-
-A PCI network device (specified by the <source> element) is directly assig=
ned to
-the guest using generic device passthrough, after first optionally setting=
 the
-device's MAC address to the configured value, and associating the device w=
ith an
-802.1Qbh capable switch using an optionally specified <virtualport> elemen=
t (see
-the examples of virtualport given above for type=3D'direct' network device=
s). Note
-that - due to limitations in standard single-port PCI ethernet card driver
-design - only SR-IOV (Single Root I/O Virtualization) virtual function (VF)
-devices can be assigned in this manner; to assign a standard single-port P=
CI or
-PCIe ethernet card to a guest, use the traditional <hostdev> device defini=
tion
-and :since:`Since 0.9.11`
-
-To use VFIO device assignment rather than traditional/legacy KVM device
-assignment (VFIO is a new method of device assignment that is compatible w=
ith
-UEFI Secure Boot), a type=3D'hostdev' interface can have an optional ``dri=
ver``
-sub-element with a ``name`` attribute set to "vfio". To use legacy KVM dev=
ice
-assignment you can set ``name`` to "kvm" (or simply omit the ``<driver>``
-element, since "kvm" is currently the default). :since:`Since 1.0.5 (QEMU =
and
-KVM only, requires kernel 3.6 or newer)`
-
-Note that this "intelligent passthrough" of network devices is very simila=
r to
-the functionality of a standard <hostdev> device, the difference being tha=
t this
-method allows specifying a MAC address and <virtualport> for the passed-th=
rough
-device. If these capabilities are not required, if you have a standard
-single-port PCI, PCIe, or USB network card that doesn't support SR-IOV (and
-hence would anyway lose the configured MAC address during reset after being
-assigned to the guest domain), or if you are using a version of libvirt ol=
der
-than 0.9.11, you should use standard <hostdev> to assign the device to the=
 guest
-instead of <interface type=3D'hostdev'/>.
-
-Similar to the functionality of a standard <hostdev> device, when ``manage=
d`` is
-"yes", it is detached from the host before being passed on to the guest, a=
nd
-reattached to the host after the guest exits. If ``managed`` is omitted or=
 "no",
-the user is responsible to call ``virNodeDeviceDettach`` (or
-``virsh nodedev-detach``) before starting the guest or hot-plugging the de=
vice,
-and ``virNodeDeviceReAttach`` (or ``virsh nodedev-reattach``) after hot-un=
plug
-or stopping the guest.
-
-::
-
-   ...
-   <devices>
-     <interface type=3D'hostdev' managed=3D'yes'>
-       <driver name=3D'vfio'/>
-       <source>
-         <address type=3D'pci' domain=3D'0x0000' bus=3D'0x00' slot=3D'0x07=
' function=3D'0x0'/>
-       </source>
-       <mac address=3D'52:54:00:6d:90:02'/>
-       <virtualport type=3D'802.1Qbh'>
-         <parameters profileid=3D'finance'/>
-       </virtualport>
-     </interface>
-   </devices>
-   ...
-
-:anchor:`<a id=3D"elementsTeaming"/>`
-
-Teaming a virtio/hostdev NIC pair
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-:since:`Since 6.1.0 (QEMU and KVM only, requires QEMU 4.2.0 or newer and a=
 guest
-virtio-net driver supporting the "failover" feature, such as the one inclu=
ded in
-Linux kernel 4.18 and newer) ` The ``<teaming>`` element of two interfaces=
 can
-be used to connect them as a team/bond device in the guest (assuming proper
-support in the hypervisor and the guest network driver).
-
-::
-
-   ...
-   <devices>
-     <interface type=3D'network'>
-       <source network=3D'mybridge'/>
-       <mac address=3D'00:11:22:33:44:55'/>
-       <model type=3D'virtio'/>
-       <teaming type=3D'persistent'/>
-       <alias name=3D'ua-backup0'/>
-     </interface>
-     <interface type=3D'network'>
-       <source network=3D'hostdev-pool'/>
-       <mac address=3D'00:11:22:33:44:55'/>
-       <model type=3D'virtio'/>
-       <teaming type=3D'transient' persistent=3D'ua-backup0'/>
-     </interface>
-   </devices>
-   ...
-
-The ``<teaming>`` element required attribute ``type`` will be set to either
-``"persistent"`` to indicate a device that should always be present in the
-domain, or ``"transient"`` to indicate a device that may periodically be
-removed, then later re-added to the domain. When type=3D"transient", there=
 should
-be a second attribute to ``<teaming>`` called ``"persistent"`` - this attr=
ibute
-should be set to the alias name of the other device in the pair (the one t=
hat
-has ``<teaming       type=3D"persistent'/>``).
-
-In the particular case of QEMU, libvirt's ``<teaming>`` element is used to=
 setup
-a virtio-net "failover" device pair. For this setup, the persistent device=
 must
-be an interface with ``<model       type=3D"virtio"/>``, and the transient=
 device
-must be ``<interface type=3D'hostdev'/>`` (or ``<interface type=3D'network=
'/>``
-where the referenced network defines a pool of SRIOV VFs). The guest will =
then
-have a simple network team/bond device made of the virtio NIC + hostdev NIC
-pair. In this configuration, the higher-performing hostdev NIC will normal=
ly be
-preferred for all network traffic, but when the domain is migrated, QEMU w=
ill
-automatically unplug the VF from the guest, and then hotplug a similar dev=
ice
-once migration is completed; while migration is taking place, network traf=
fic
-will use the virtio NIC. (Of course the emulated virtio NIC and the hostde=
v NIC
-must be connected to the same subnet for bonding to work properly).
-
-NB1: Since you must know the alias name of the virtio NIC when configuring=
 the
-hostdev NIC, it will need to be manually set in the virtio NIC's configura=
tion
-(as with all other manually set alias names, this means it must start with
-"ua-").
-
-NB2: Currently the only implementation of the guest OS virtio-net driver
-supporting virtio-net failover requires that the MAC addresses of the virt=
io and
-hostdev NIC must match. Since that may not always be a requirement in the
-future, libvirt doesn't enforce this limitation - it is up to the
-person/management application that is creating the configuration to assure=
 the
-MAC addresses of the two devices match.
-
-NB3: Since the PCI addresses of the SRIOV VFs on the hosts that are the so=
urce
-and destination of the migration will almost certainly be different, either
-higher level management software will need to modify the ``<source>`` of t=
he
-hostdev NIC (``<interface type=3D'hostdev'>``) at the start of migration, =
or (a
-simpler solution) the configuration will need to use a libvirt "hostdev" v=
irtual
-network that maintains a pool of such devices, as is implied in the exampl=
e's
-use of the libvirt network named "hostdev-pool" - as long as the hostdev n=
etwork
-pools on both hosts have the same name, libvirt itself will take care of
-allocating an appropriate device on both ends of the migration. Similarly =
the
-XML for the virtio interface must also either work correctly unmodified on=
 both
-the source and destination of the migration (e.g. by connecting to the same
-bridge device on both hosts, or by using the same virtual network), or the
-management software must properly modify the interface XML during migratio=
n so
-that the virtio device remains connected to the same network segment befor=
e and
-after migration.
-
-:anchor:`<a id=3D"elementsNICSMulticast"/>`
-
-Multicast tunnel
-^^^^^^^^^^^^^^^^
-
-A multicast group is setup to represent a virtual network. Any VMs whose n=
etwork
-devices are in the same multicast group can talk to each other even across
-hosts. This mode is also available to unprivileged users. There is no defa=
ult
-DNS or DHCP support and no outgoing network access. To provide outgoing ne=
twork
-access, one of the VMs should have a 2nd NIC which is connected to one of =
the
-first 4 network types and do the appropriate routing. The multicast protoc=
ol is
-compatible with that used by user mode linux guests too. The source addres=
s used
-must be from the multicast address block.
-
-::
-
-   ...
-   <devices>
-     <interface type=3D'mcast'>
-       <mac address=3D'52:54:00:6d:90:01'/>
-       <source address=3D'230.0.0.1' port=3D'5558'/>
-     </interface>
-   </devices>
-   ...
-
-:anchor:`<a id=3D"elementsNICSTCP"/>`
-
-TCP tunnel
-^^^^^^^^^^
-
-A TCP client/server architecture provides a virtual network. One VM provid=
es the
-server end of the network, all other VMS are configured as clients. All ne=
twork
-traffic is routed between the VMs via the server. This mode is also availa=
ble to
-unprivileged users. There is no default DNS or DHCP support and no outgoing
-network access. To provide outgoing network access, one of the VMs should =
have a
-2nd NIC which is connected to one of the first 4 network types and do the
-appropriate routing.
-
-::
-
-   ...
-   <devices>
-     <interface type=3D'server'>
-       <mac address=3D'52:54:00:22:c9:42'/>
-       <source address=3D'192.168.0.1' port=3D'5558'/>
-     </interface>
-     ...
-     <interface type=3D'client'>
-       <mac address=3D'52:54:00:8b:c9:51'/>
-       <source address=3D'192.168.0.1' port=3D'5558'/>
-     </interface>
-   </devices>
-   ...
-
-:anchor:`<a id=3D"elementsNICSUDP"/>`
-
-UDP unicast tunnel
-^^^^^^^^^^^^^^^^^^
-
-A UDP unicast architecture provides a virtual network which enables connec=
tions
-between QEMU instances using QEMU's UDP infrastructure. The xml "source" a=
ddress
-is the endpoint address to which the UDP socket packets will be sent from =
the
-host running QEMU. The xml "local" address is the address of the interface=
 from
-which the UDP socket packets will originate from the QEMU host. :since:`Si=
nce
-1.2.20`
-
-::
-
-   ...
-   <devices>
-     <interface type=3D'udp'>
-       <mac address=3D'52:54:00:22:c9:42'/>
-       <source address=3D'127.0.0.1' port=3D'11115'>
-         <local address=3D'127.0.0.1' port=3D'11116'/>
-       </source>
-     </interface>
-   </devices>
-   ...
-
-:anchor:`<a id=3D"elementsNICSModel"/>`
-
-Setting the NIC model
-^^^^^^^^^^^^^^^^^^^^^
-
-::
-
-   ...
-   <devices>
-     <interface type=3D'network'>
-       <source network=3D'default'/>
-       <target dev=3D'vnet1'/>
-       <model type=3D'ne2k_pci'/>
-     </interface>
-   </devices>
-   ...
-
-For hypervisors which support this, you can set the model of emulated netw=
ork
-interface card.
-
-The values for ``type`` aren't defined specifically by libvirt, but by wha=
t the
-underlying hypervisor supports (if any). For QEMU and KVM you can get a li=
st of
-supported models with these commands:
-
-::
-
-   qemu -net nic,model=3D? /dev/null
-   qemu-kvm -net nic,model=3D? /dev/null
-
-Typical values for QEMU and KVM include: ne2k_isa i82551 i82557b i82559er
-ne2k_pci pcnet rtl8139 e1000 virtio. :since:`Since 5.2.0` ,
-``virtio-transitional`` and ``virtio-non-transitional`` values are support=
ed.
-See `Virtio transitional devices <#elementsVirtioTransitional>`__ for more
-details.
-
-:anchor:`<a id=3D"elementsDriverBackendOptions"/>`
-
-Setting NIC driver-specific options
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-::
-
-   ...
-   <devices>
-     <interface type=3D'network'>
-       <source network=3D'default'/>
-       <target dev=3D'vnet1'/>
-       <model type=3D'virtio'/>
-       <driver name=3D'vhost' txmode=3D'iothread' ioeventfd=3D'on' event_i=
dx=3D'off' queues=3D'5' rx_queue_size=3D'256' tx_queue_size=3D'256'>
-         <host csum=3D'off' gso=3D'off' tso4=3D'off' tso6=3D'off' ecn=3D'o=
ff' ufo=3D'off' mrg_rxbuf=3D'off'/>
-         <guest csum=3D'off' tso4=3D'off' tso6=3D'off' ecn=3D'off' ufo=3D'=
off'/>
-       </driver>
-       </interface>
-   </devices>
-   ...
-
-Some NICs may have tunable driver-specific options. These are set as attri=
butes
-of the ``driver`` sub-element of the interface definition. Currently the
-following attributes are available for the ``"virtio"`` NIC driver:
-
-``name``
-   The optional ``name`` attribute forces which type of backend driver to =
use.
-   The value can be either 'qemu' (a user-space backend) or 'vhost' (a ker=
nel
-   backend, which requires the vhost module to be provided by the kernel);=
 an
-   attempt to require the vhost driver without kernel support will be reje=
cted.
-   If this attribute is not present, then the domain defaults to 'vhost' if
-   present, but silently falls back to 'qemu' without error. :since:`Since=
 0.8.8
-   (QEMU and KVM only)`
-   For interfaces of type=3D'hostdev' (PCI passthrough devices) the ``name=
``
-   attribute can optionally be set to "vfio" or "kvm". "vfio" tells libvir=
t to
-   use VFIO device assignment rather than traditional KVM device assignment
-   (VFIO is a new method of device assignment that is compatible with UEFI
-   Secure Boot), and "kvm" tells libvirt to use the legacy device assignme=
nt
-   performed directly by the kvm kernel module (the default is currently "=
kvm",
-   but is subject to change). :since:`Since 1.0.5 (QEMU and KVM only, requ=
ires
-   kernel 3.6 or newer)`
-   For interfaces of type=3D'vhostuser', the ``name`` attribute is ignored=
. The
-   backend driver used is always vhost-user.
-``txmode``
-   The ``txmode`` attribute specifies how to handle transmission of packet=
s when
-   the transmit buffer is full. The value can be either 'iothread' or 'tim=
er'.
-   :since:`Since 0.8.8 (QEMU and KVM only)`
-   If set to 'iothread', packet tx is all done in an iothread in the botto=
m half
-   of the driver (this option translates into adding "tx=3Dbh" to the qemu
-   commandline -device virtio-net-pci option).
-   If set to 'timer', tx work is done in qemu, and if there is more tx dat=
a than
-   can be sent at the present time, a timer is set before qemu moves on to=
 do
-   other things; when the timer fires, another attempt is made to send more
-   data.
-   The resulting difference, according to the qemu developer who added the
-   option is: "bh makes tx more asynchronous and reduces latency, but
-   potentially causes more processor bandwidth contention since the CPU do=
ing
-   the tx isn't necessarily the CPU where the guest generated the packets."
-   **In general you should leave this option alone, unless you are very ce=
rtain
-   you know what you are doing.**
-``ioeventfd``
-   This optional attribute allows users to set `domain I/O asynchronous
-   handling <https://patchwork.kernel.org/patch/43390/>`__ for interface d=
evice.
-   The default is left to the discretion of the hypervisor. Accepted value=
s are
-   "on" and "off". Enabling this allows qemu to execute VM while a separate
-   thread handles I/O. Typically guests experiencing high system CPU utili=
zation
-   during I/O will benefit from this. On the other hand, on overloaded hos=
t it
-   could increase guest I/O latency. :since:`Since 0.9.3 (QEMU and KVM onl=
y)`
-   **In general you should leave this option alone, unless you are very ce=
rtain
-   you know what you are doing.**
-``event_idx``
-   The ``event_idx`` attribute controls some aspects of device event proce=
ssing.
-   The value can be either 'on' or 'off' - if it is on, it will reduce the
-   number of interrupts and exits for the guest. The default is determined=
 by
-   QEMU; usually if the feature is supported, default is on. In case there=
 is a
-   situation where this behavior is suboptimal, this attribute provides a =
way to
-   force the feature off. :since:`Since 0.9.5 (QEMU and KVM only)`
-   **In general you should leave this option alone, unless you are very ce=
rtain
-   you know what you are doing.**
-``queues``
-   The optional ``queues`` attribute controls the number of queues to be u=
sed
-   for either `Multiqueue
-   virtio-net <https://www.linux-kvm.org/page/Multiqueue>`__ or
-   `vhost-user <#elementVhostuser>`__ network interfaces. Use of multiple =
packet
-   processing queues requires the interface having the
-   ``<model type=3D'virtio'/>`` element. Each queue will potentially be ha=
ndled by
-   a different processor, resulting in much higher throughput.
-   :since:`virtio-net since 1.0.6 (QEMU and KVM only)` :since:`vhost-user =
since
-   1.2.17 (QEMU and KVM only)`
-``rx_queue_size``
-   The optional ``rx_queue_size`` attribute controls the size of virtio ri=
ng for
-   each queue as described above. The default value is hypervisor dependen=
t and
-   may change across its releases. Moreover, some hypervisors may pose some
-   restrictions on actual value. For instance, latest QEMU (as of 2016-09-=
01)
-   requires value to be a power of two from [256, 1024] range. :since:`Sin=
ce
-   2.3.0 (QEMU and KVM only)`
-   **In general you should leave this option alone, unless you are very ce=
rtain
-   you know what you are doing.**
-``tx_queue_size``
-   The optional ``tx_queue_size`` attribute controls the size of virtio ri=
ng for
-   each queue as described above. The default value is hypervisor dependen=
t and
-   may change across its releases. Moreover, some hypervisors may pose some
-   restrictions on actual value. For instance, QEMU v2.9 requires value to=
 be a
-   power of two from [256, 1024] range. In addition to that, this may work=
 only
-   for a subset of interface types, e.g. aforementioned QEMU enables this =
option
-   only for ``vhostuser`` type. :since:`Since 3.7.0 (QEMU and KVM only)`
-   **In general you should leave this option alone, unless you are very ce=
rtain
-   you know what you are doing.**
-virtio options
-   For virtio interfaces, `Virtio-specific options <#elementsVirtio>`__ ca=
n also
-   be set. ( :since:`Since 3.5.0` )
-
-Offloading options for the host and guest can be configured using the foll=
owing
-sub-elements:
-
-``host``
-   The ``csum``, ``gso``, ``tso4``, ``tso6``, ``ecn`` and ``ufo`` attribut=
es
-   with possible values ``on`` and ``off`` can be used to turn off host
-   offloading options. By default, the supported offloads are enabled by Q=
EMU.
-   :since:`Since 1.2.9 (QEMU only)` The ``mrg_rxbuf`` attribute can be use=
d to
-   control mergeable rx buffers on the host side. Possible values are ``on=
``
-   (default) and ``off``. :since:`Since 1.2.13 (QEMU only)`
-``guest``
-   The ``csum``, ``tso4``, ``tso6``, ``ecn`` and ``ufo`` attributes with
-   possible values ``on`` and ``off`` can be used to turn off guest offloa=
ding
-   options. By default, the supported offloads are enabled by QEMU.
-   :since:`Since 1.2.9 (QEMU only)`
-
-:anchor:`<a id=3D"elementsBackendOptions"/>`
-
-Setting network backend-specific options
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-::
-
-   ...
-   <devices>
-     <interface type=3D'network'>
-       <source network=3D'default'/>
-       <target dev=3D'vnet1'/>
-       <model type=3D'virtio'/>
-       <backend tap=3D'/dev/net/tun' vhost=3D'/dev/vhost-net'/>
-       <driver name=3D'vhost' txmode=3D'iothread' ioeventfd=3D'on' event_i=
dx=3D'off' queues=3D'5'/>
-       <tune>
-         <sndbuf>1600</sndbuf>
-       </tune>
-     </interface>
-   </devices>
-   ...
-
-For tuning the backend of the network, the ``backend`` element can be used=
. The
-``vhost`` attribute can override the default vhost device path
-(``/dev/vhost-net``) for devices with ``virtio`` model. The ``tap`` attrib=
ute
-overrides the tun/tap device path (default: ``/dev/net/tun``) for network =
and
-bridge interfaces. This does not work in session mode. :since:`Since 1.2.9`
-
-For tap devices there is also ``sndbuf`` element which can adjust the size=
 of
-send buffer in the host. :since:`Since 0.8.8`
-
-:anchor:`<a id=3D"elementsNICSTargetOverride"/>`
-
-Overriding the target element
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-::
-
-   ...
-   <devices>
-     <interface type=3D'network'>
-       <source network=3D'default'/>
-       <target dev=3D'vnet1'/>
-     </interface>
-   </devices>
-   ...
-
-If no target is specified, certain hypervisors will automatically generate=
 a
-name for the created tun device. This name can be manually specified, howe=
ver
-the name *should not start with either 'vnet', 'vif', 'macvtap', or 'macvl=
an'*,
-which are prefixes reserved by libvirt and certain hypervisors. Manually
-specified targets using these prefixes may be ignored.
-
-Note that for LXC containers, this defines the name of the interface on th=
e host
-side. :since:`Since 1.2.7` , to define the name of the device on the guest=
 side,
-the ``guest`` element should be used, as in the following snippet:
-
-::
-
-   ...
-   <devices>
-     <interface type=3D'network'>
-       <source network=3D'default'/>
-       <guest dev=3D'myeth'/>
-     </interface>
-   </devices>
-   ...
-
-:anchor:`<a id=3D"elementsNICSBoot"/>`
-
-Specifying boot order
-^^^^^^^^^^^^^^^^^^^^^
-
-::
-
-   ...
-   <devices>
-     <interface type=3D'network'>
-       <source network=3D'default'/>
-       <target dev=3D'vnet1'/>
-       <boot order=3D'1'/>
-     </interface>
-   </devices>
-   ...
-
-For hypervisors which support this, you can set a specific NIC to be used =
for
-network boot. The ``order`` attribute determines the order in which device=
s will
-be tried during boot sequence. The per-device ``boot`` elements cannot be =
used
-together with general boot elements in `BIOS bootloader <#elementsOSBIOS>`=
__
-section. :since:`Since 0.8.8`
-
-:anchor:`<a id=3D"elementsNICSROM"/>`
-
-Interface ROM BIOS configuration
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-::
-
-   ...
-   <devices>
-     <interface type=3D'network'>
-       <source network=3D'default'/>
-       <target dev=3D'vnet1'/>
-       <rom bar=3D'on' file=3D'/etc/fake/boot.bin'/>
-     </interface>
-   </devices>
-   ...
-
-For hypervisors which support this, you can change how a PCI Network devic=
e's
-ROM is presented to the guest. The ``bar`` attribute can be set to "on" or
-"off", and determines whether or not the device's ROM will be visible in t=
he
-guest's memory map. (In PCI documentation, the "rombar" setting controls t=
he
-presence of the Base Address Register for the ROM). If no rom bar is speci=
fied,
-the qemu default will be used (older versions of qemu used a default of "o=
ff",
-while newer qemus have a default of "on"). The optional ``file`` attribute=
 is
-used to point to a binary file to be presented to the guest as the device'=
s ROM
-BIOS. This can be useful to provide an alternative boot ROM for a network
-device. :since:`Since 0.9.10 (QEMU and KVM only)` .
-
-:anchor:`<a id=3D"elementDomain"/>`
-
-Setting up a network backend in a driver domain
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-::
-
-   ...
-   <devices>
-     ...
-     <interface type=3D'bridge'>
-       <source bridge=3D'br0'/>
-       <backenddomain name=3D'netvm'/>
-     </interface>
-     ...
-   </devices>
-   ...
-
-The optional ``backenddomain`` element allows specifying a backend domain =
(aka
-driver domain) for the interface. Use the ``name`` attribute to specify the
-backend domain name. You can use it to create a direct network link between
-domains (so data will not go through host system). Use with type 'ethernet=
' to
-create plain network link, or with type 'bridge' to connect to a bridge in=
side
-the backend domain. :since:`Since 1.2.13 (Xen only)`
-
-:anchor:`<a id=3D"elementQoS"/>`
-
-Quality of service
-^^^^^^^^^^^^^^^^^^
-
-::
-
-   ...
-   <devices>
-     <interface type=3D'network'>
-       <source network=3D'default'/>
-       <target dev=3D'vnet0'/>
-       <bandwidth>
-         <inbound average=3D'1000' peak=3D'5000' floor=3D'200' burst=3D'10=
24'/>
-         <outbound average=3D'128' peak=3D'256' burst=3D'256'/>
-       </bandwidth>
-     </interface>
-   </devices>
-   ...
-
-This part of interface XML provides setting quality of service. Incoming a=
nd
-outgoing traffic can be shaped independently. The ``bandwidth`` element an=
d its
-child elements are described in the `QoS <formatnetwork.html#elementQoS>`__
-section of the Network XML.
-
-:anchor:`<a id=3D"elementVlanTag"/>`
-
-Setting VLAN tag (on supported network types only)
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-::
-
-   ...
-   <devices>
-     <interface type=3D'bridge'>
-       <vlan>
-         <tag id=3D'42'/>
-       </vlan>
-       <source bridge=3D'ovsbr0'/>
-       <virtualport type=3D'openvswitch'>
-         <parameters interfaceid=3D'09b11c53-8b5c-4eeb-8f00-d84eaa0aaa4f'/>
-       </virtualport>
-     </interface>
-     <interface type=3D'bridge'>
-       <vlan trunk=3D'yes'>
-         <tag id=3D'42'/>
-         <tag id=3D'123' nativeMode=3D'untagged'/>
-       </vlan>
-       ...
-     </interface>
-   </devices>
-   ...
-
-If (and only if) the network connection used by the guest supports VLAN ta=
gging
-transparent to the guest, an optional ``<vlan>`` element can specify one o=
r more
-VLAN tags to apply to the guest's network traffic :since:`Since 0.10.0` .
-Network connections that support guest-transparent VLAN tagging include 1)
-type=3D'bridge' interfaces connected to an Open vSwitch bridge :since:`Sin=
ce
-0.10.0` , 2) SRIOV Virtual Functions (VF) used via type=3D'hostdev' (direc=
t device
-assignment) :since:`Since 0.10.0` , and 3) SRIOV VFs used via type=3D'dire=
ct' with
-mode=3D'passthrough' (macvtap "passthru" mode) :since:`Since 1.3.5` . All =
other
-connection types, including standard linux bridges and libvirt's own virtu=
al
-networks, **do not** support it. 802.1Qbh (vn-link) and 802.1Qbg (VEPA) sw=
itches
-provide their own way (outside of libvirt) to tag guest traffic onto a spe=
cific
-VLAN. Each tag is given in a separate ``<tag>`` subelement of ``<vlan>`` (=
for
-example: ``<tag       id=3D'42'/>``). For VLAN trunking of multiple tags (=
which is
-supported only on Open vSwitch connections), multiple ``<tag>`` subelement=
s can
-be specified, which implies that the user wants to do VLAN trunking on the
-interface for all the specified tags. In the case that VLAN trunking of a =
single
-tag is desired, the optional attribute ``trunk=3D'yes'`` can be added to t=
he
-toplevel ``<vlan>`` element to differentiate trunking of a single tag from
-normal tagging.
-
-For network connections using Open vSwitch it is also possible to configure
-'native-tagged' and 'native-untagged' VLAN modes :since:`Since 1.1.0.` Thi=
s is
-done with the optional ``nativeMode`` attribute on the ``<tag>`` subelemen=
t:
-``nativeMode`` may be set to 'tagged' or 'untagged'. The ``id`` attribute =
of the
-``<tag>`` subelement containing ``nativeMode`` sets which VLAN is consider=
ed to
-be the "native" VLAN for this interface, and the ``nativeMode`` attribute
-determines whether or not traffic for that VLAN will be tagged.
-
-:anchor:`<a id=3D"elementPort"/>`
-
-Isolating guests's network traffic from each other
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-::
-
-   ...
-   <devices>
-     <interface type=3D'network'>
-       <source network=3D'default'/>
-       <port isolated=3D'yes'/>
-     </interface>
-   </devices>
-   ...
-
-:since:`Since 6.1.0.` The ``port`` element property ``isolated``, when set=
 to
-``yes`` (default setting is ``no``) is used to isolate this interface's ne=
twork
-traffic from that of other guest interfaces connected to the same network =
that
-also have ``<port isolated=3D'yes'/>``. This setting is only supported for
-emulated interface devices that use a standard tap device to connect to the
-network via a Linux host bridge. This property can be inherited from a lib=
virt
-network, so if all guests that will be connected to the network should be
-isolated, it is better to put the setting in the network configuration. (N=
B:
-this only prevents guests that have ``isolated=3D'yes'`` from communicatin=
g with
-each other; if there is a guest on the same bridge that doesn't have
-``isolated=3D'yes'``, even the isolated guests will be able to communicate=
 with
-it.)
-
-:anchor:`<a id=3D"elementLink"/>`
-
-Modifying virtual link state
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-::
-
-   ...
-   <devices>
-     <interface type=3D'network'>
-       <source network=3D'default'/>
-       <target dev=3D'vnet0'/>
-       <link state=3D'down'/>
-     </interface>
-   </devices>
-   ...
-
-This element provides means of setting state of the virtual network link.
-Possible values for attribute ``state`` are ``up`` and ``down``. If ``down=
`` is
-specified as the value, the interface behaves as if it had the network cab=
le
-disconnected. Default behavior if this element is unspecified is to have t=
he
-link state ``up``. :since:`Since 0.9.5`
-
-:anchor:`<a id=3D"mtu"/>`
-
-MTU configuration
-^^^^^^^^^^^^^^^^^
-
-::
-
-   ...
-   <devices>
-     <interface type=3D'network'>
-       <source network=3D'default'/>
-       <target dev=3D'vnet0'/>
-       <mtu size=3D'1500'/>
-     </interface>
-   </devices>
-   ...
-
-This element provides means of setting MTU of the virtual network link.
-Currently there is just one attribute ``size`` which accepts a non-negative
-integer which specifies the MTU size for the interface. :since:`Since 3.1.=
0`
-
-:anchor:`<a id=3D"coalesce"/>`
-
-Coalesce settings
-^^^^^^^^^^^^^^^^^
-
-::
-
-   ...
-   <devices>
-     <interface type=3D'network'>
-       <source network=3D'default'/>
-       <target dev=3D'vnet0'/>
-       <coalesce>
-         <rx>
-           <frames max=3D'7'/>
-         </rx>
-       </coalesce>
-     </interface>
-   </devices>
-   ...
-
-This element provides means of setting coalesce settings for some interface
-devices (currently only type ``network`` and ``bridge``. Currently there i=
s just
-one attribute, ``max``, to tweak, in element ``frames`` for the ``rx`` gro=
up,
-which accepts a non-negative integer that specifies the maximum number of
-packets that will be received before an interrupt. :since:`Since 3.3.0`
-
-:anchor:`<a id=3D"ipconfig"/>`
-
-IP configuration
-^^^^^^^^^^^^^^^^
-
-::
-
-   ...
-   <devices>
-     <interface type=3D'network'>
-       <source network=3D'default'/>
-       <target dev=3D'vnet0'/>
-       <ip address=3D'192.168.122.5' prefix=3D'24'/>
-       <ip address=3D'192.168.122.5' prefix=3D'24' peer=3D'10.0.0.10'/>
-       <route family=3D'ipv4' address=3D'192.168.122.0' prefix=3D'24' gate=
way=3D'192.168.122.1'/>
-       <route family=3D'ipv4' address=3D'192.168.122.8' gateway=3D'192.168=
.122.1'/>
-     </interface>
-     ...
-     <hostdev mode=3D'capabilities' type=3D'net'>
-       <source>
-         <interface>eth0</interface>
-       </source>
-       <ip address=3D'192.168.122.6' prefix=3D'24'/>
-       <route family=3D'ipv4' address=3D'192.168.122.0' prefix=3D'24' gate=
way=3D'192.168.122.1'/>
-       <route family=3D'ipv4' address=3D'192.168.122.8' gateway=3D'192.168=
.122.1'/>
-     </hostdev>
-     ...
-   </devices>
-   ...
-
-:since:`Since 1.2.12` network devices and hostdev devices with network
-capabilities can optionally be provided one or more IP addresses to set on=
 the
-network device in the guest. Note that some hypervisors or network device =
types
-will simply ignore them or only use the first one. The ``family`` attribut=
e can
-be set to either ``ipv4`` or ``ipv6``, and the ``address`` attribute conta=
ins
-the IP address. The optional ``prefix`` is the number of 1 bits in the net=
mask,
-and will be automatically set if not specified - for IPv4 the default pref=
ix is
-determined according to the network "class" (A, B, or C - see RFC870), and=
 for
-IPv6 the default prefix is 64. The optional ``peer`` attribute holds the IP
-address of the other end of a point-to-point network device :since:`(since
-2.1.0)` .
-
-:since:`Since 1.2.12` route elements can also be added to define IP routes=
 to
-add in the guest. The attributes of this element are described in the
-documentation for the ``route`` element in `network
-definitions <formatnetwork.html#elementsStaticroute>`__. This is used by t=
he LXC
-driver.
-
-::
-
-   ...
-   <devices>
-     <interface type=3D'ethernet'>
-       <source/>
-         <ip address=3D'192.168.123.1' prefix=3D'24'/>
-         <ip address=3D'10.0.0.10' prefix=3D'24' peer=3D'192.168.122.5'/>
-         <route family=3D'ipv4' address=3D'192.168.42.0' prefix=3D'24' gat=
eway=3D'192.168.123.4'/>
-       <source/>
-       ...
-     </interface>
-     ...
-   </devices>
-   ...
-
-:since:`Since 2.1.0` network devices of type "ethernet" can optionally be
-provided one or more IP addresses and one or more routes to set on the **h=
ost**
-side of the network device. These are configured as subelements of the
-``<source>`` element of the interface, and have the same attributes as the
-similarly named elements used to configure the guest side of the interface
-(described above).
-
-:anchor:`<a id=3D"elementVhostuser"/>`
-
-vhost-user interface
-^^^^^^^^^^^^^^^^^^^^
-
-:since:`Since 1.2.7` the vhost-user enables the communication between a QE=
MU
-virtual machine and other userspace process using the Virtio transport pro=
tocol.
-A char dev (e.g. Unix socket) is used for the control plane, while the data
-plane is based on shared memory.
-
-::
-
-   ...
-   <devices>
-     <interface type=3D'vhostuser'>
-       <mac address=3D'52:54:00:3b:83:1a'/>
-       <source type=3D'unix' path=3D'/tmp/vhost1.sock' mode=3D'server'/>
-       <model type=3D'virtio'/>
-     </interface>
-     <interface type=3D'vhostuser'>
-       <mac address=3D'52:54:00:3b:83:1b'/>
-       <source type=3D'unix' path=3D'/tmp/vhost2.sock' mode=3D'client'>
-         <reconnect enabled=3D'yes' timeout=3D'10'/>
-       </source>
-       <model type=3D'virtio'/>
-       <driver queues=3D'5'/>
-     </interface>
-   </devices>
-   ...
-
-The ``<source>`` element has to be specified along with the type of char d=
evice.
-Currently, only type=3D'unix' is supported, where the path (the directory =
path of
-the socket) and mode attributes are required. Both ``mode=3D'server'`` and
-``mode=3D'client'`` are supported. vhost-user requires the virtio model ty=
pe, thus
-the ``<model>`` element is mandatory. :since:`Since 4.1.0` the element has=
 an
-optional child element ``reconnect`` which configures reconnect timeout if=
 the
-connection is lost. It has two attributes ``enabled`` (which accepts ``yes=
`` and
-``no``) and ``timeout`` which specifies the amount of seconds after which
-hypervisor tries to reconnect.
-
-:anchor:`<a id=3D"elementNwfilter"/>`
-
-Traffic filtering with NWFilter
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-:since:`Since 0.8.0` an ``nwfilter`` profile can be assigned to a domain
-interface, which allows configuring traffic filter rules for the virtual
-machine. See the `nwfilter <formatnwfilter.html>`__ documentation for more
-complete details.
-
-::
-
-   ...
-   <devices>
-     <interface ...>
-       ...
-       <filterref filter=3D'clean-traffic'/>
-     </interface>
-     <interface ...>
-       ...
-       <filterref filter=3D'myfilter'>
-         <parameter name=3D'IP' value=3D'104.207.129.11'/>
-         <parameter name=3D'IP6_ADDR' value=3D'2001:19f0:300:2102::'/>
-         <parameter name=3D'IP6_MASK' value=3D'64'/>
-         ...
-       </filterref>
-     </interface>
-   </devices>
-   ...
-
-The ``filter`` attribute specifies the name of the nwfilter to use. Option=
al
-``<parameter>`` elements may be specified for passing additional info to t=
he
-nwfilter via the ``name`` and ``value`` attributes. See the
-`nwfilter <formatnwfilter.html#nwfconceptsvars>`__ docs for info on parame=
ters.
+.. include:: formatdomain-devices-interface.rst

 :anchor:`<a id=3D"elementsInput"/>`

diff --git a/docs/meson.build b/docs/meson.build
index c5600ba4d1..9846b3e7df 100644
--- a/docs/meson.build
+++ b/docs/meson.build
@@ -133,6 +133,7 @@ docs_rst_files =3D [
                   'formatdomain-devices-hostdev.rst',
                   'formatdomain-devices-redirdev.rst',
                   'formatdomain-devices-smartcard.rst',
+                  'formatdomain-devices-interface.rst',
                 ]
   },
   { 'name': 'hacking' },
--=20
2.26.2