Are there "incus create network" options to define specific nftables rules on creating a bridge network?

I noticed that when setting up a network, if I turn on/off DHCP as in:

incus network create  incusbr2 --type=bridge ipv4.address=XXXX/24 \
ipv4.dhcp=true ipv6.address=none  ipv4.nat=true \
ipv4.nat.address=XXX.1 ipv4.firewall=true


incus network create  incusbr2 --type=bridge ipv4.address=XXXX/24 \
ipv4.dhcp=false ipv6.address=none  ipv4.nat=true \
ipv4.nat.address=XXX.1 ipv4.firewall=true

(note difference in ipv4.dhcp=true/false )

It turns on/off icmp/DHCP nftables rules, E.g. when one runs

#nft list ruleset

then these lines (and the one for oifname) either appear or not

iifname "incusbr2" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
iifname "incusbr2" udp dport 67 accept

is if ipv4.dhcp=true and absent if ipv4.dhcp=false

I’ll be experimenting with using a PFsense/OPNsense firewall across incus networks and using it for DHCP/NAT (migrating from an existing setup using qemu/kvm) and wondering if:

  • there is a way in creating a network using incus commands that allow one to specify specific nftable rules without also adding a DHCP server? Or is the preferred method to add them via the nftables commands?

  • do I even need to worry about this since the default policy is “accept?”


Direct nftables would be recommended. Incus only ever touches the rules that have its comment on it, so it plays well with other firewall rules.

We don’t have a way to directly specify additional rules, mostly because Incus renders the rules in various formats depending on the environment (iptables, nftables, OVN).

Probably not. We generate those rules primarily to handle other firewalls already in place on the system (firewalld, ufw, …) which may have changed the default policy to DROP or REJECT.