I noticed that when setting up a network, if I turn on/off DHCP as in:
incus network create incusbr2 --type=bridge ipv4.address=XXXX/24 \
ipv4.dhcp=true ipv6.address=none ipv4.nat=true \
ipv4.nat.address=XXX.1 ipv4.firewall=true
vs
incus network create incusbr2 --type=bridge ipv4.address=XXXX/24 \
ipv4.dhcp=false ipv6.address=none ipv4.nat=true \
ipv4.nat.address=XXX.1 ipv4.firewall=true
(note the difference: ipv4.dhcp=true vs. ipv4.dhcp=false)
it turns the ICMP/DHCP nftables rules on or off. E.g., when one runs
# nft list ruleset
then these lines (and the corresponding one for oifname) are present
iifname "incusbr2" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
iifname "incusbr2" udp dport 67 accept
if ipv4.dhcp=true
and absent if ipv4.dhcp=false
I’ll be experimenting with using a pfSense/OPNsense firewall across Incus networks and using it for DHCP/NAT (migrating from an existing setup using qemu/kvm), and I’m wondering:
- is there a way, when creating a network with incus commands, to specify particular nftables rules without also adding a DHCP server? Or is the preferred method to add them via the nftables commands?
- do I even need to worry about this, since the default policy is “accept”?
Thanks!
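One way to audit the point raised in the post, that the per-bridge DHCP/ICMP accept rules and the chain policy are what decide whether a managed bridge will admit DHCP traffic, is a small POSIX shell script that reads `nft list ruleset` output and reports, per bridge, which rules exist and what the input chain's policy is. This is an added example, not code from the post or from the Incus project. The ruleset it parses by default is a constructed sample; the table name `inet incus` and the chain names `in.<bridge>` / `out.<bridge>` in that sample are assumptions about how Incus lays out its rules and may differ on a real host. Setting `RULESET_FROM_HOST=1` makes it read the live ruleset instead (requires root).

```shell
#!/bin/sh
# Constructed sample of `nft list ruleset` output (not captured from a real host).
# Table and chain names are assumed; the rule lines mirror the ones in the post.
SAMPLE_RULESET='table inet incus {
	chain in.incusbr2 {
		type filter hook input priority filter; policy accept;
		iifname "incusbr2" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
		iifname "incusbr2" udp dport 67 accept
	}
	chain out.incusbr2 {
		type filter hook output priority filter; policy accept;
		oifname "incusbr2" udp sport 67 accept
	}
	chain in.incusbr3 {
		type filter hook input priority filter; policy accept;
		iifname "incusbr3" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
	}
}'

# ruleset_source: print the ruleset to inspect. Uses the constructed sample
# unless RULESET_FROM_HOST=1, in which case it runs nft on the live host.
ruleset_source() {
  if [ "${RULESET_FROM_HOST:-0}" = 1 ]; then
    nft list ruleset
  else
    printf '%s\n' "$SAMPLE_RULESET"
  fi
}

# bridge_rules <bridge>: print every rule keyed on the bridge's interface name
# (iifname or oifname). Bridge names like incusbr2 contain no regex metacharacters.
bridge_rules() {
  ruleset_source | grep -E "^[[:space:]]*[io]ifname \"$1\" "
}

# dhcp_accept_state <bridge>: print "present" if the rule that lets the host's
# DHCP server receive client requests (udp dport 67 on input) exists for the
# bridge, "absent" otherwise. This is the rule the post sees toggled by ipv4.dhcp.
dhcp_accept_state() {
  if bridge_rules "$1" | grep -q "iifname \"$1\" udp dport 67 accept"; then
    echo present
  else
    echo absent
  fi
}

# chain_policy <bridge>: print the policy (accept/drop) of the bridge's input
# chain, assumed to be named in.<bridge>. With policy accept, the absence of an
# explicit accept rule does not by itself block DHCP; with policy drop it would.
chain_policy() {
  ruleset_source | awk -v chain="in.$1" '
    $1 == "chain" && $2 == chain { inchain = 1 }
    inchain && /policy/ { sub(/.*policy /, ""); sub(/;.*/, ""); print; exit }
  '
}

# report <bridge>: human-readable summary for one bridge
report() {
  echo "bridge $1: input policy=$(chain_policy "$1"), dhcp accept rule=$(dhcp_accept_state "$1")"
  bridge_rules "$1" | sed 's/^[[:space:]]*/    /'
}
```

Run it as `. ./audit.sh; report incusbr2` against the sample, or `RULESET_FROM_HOST=1 report incusbr2` on the host. The point of separating `dhcp_accept_state` from `chain_policy` is the second question in the post: whether a missing accept rule matters depends entirely on the chain policy, so an audit should report both rather than only grepping for the rule.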