I am having a similar issue to others' where the default Incus network `incusbr0`, created with `incus admin init`, isn't giving containers IPv4 addresses.
The `incusbr0` bridge has an IPv4 address, but it's not handing one out to its containers, specifically the one named `whoogle`.
It's definitely some routing issue, but I can't make sense of it. `docker`, `ufw`, and `firewalld` are not installed. As far as I can tell there is no firewall controller per se.
Now I am trying this on the free Oracle Cloud Ubuntu 24.04 LTS image, which clearly brings with it some unusual rules, one of which is likely ruining it. But I can't find what would be interfering with the `incusbr0` bridge. (Looking at the `iptables -L -n -v` output below, the catch-all `REJECT ... reject-with icmp-host-prohibited` rules that close the INPUT and FORWARD chains have no earlier accept for traffic arriving on `incusbr0`, so a DHCP request from the container would seem to hit them — that looks like the likeliest candidate, but I may be misreading it.) I have installed WireGuard on port `1024`, but I don't think it's gonna mess with it since I've done that on other servers without issue. Incus is installed via apt without zabbly.
If anyone can help, that'd be great! Semi-apologies for the dump of outputs; it's the set of commands I saw others ask for when solving this problem.
`/proc/sys/net/bridge` does not exist. Dump of `incus network show incusbr0`:
config:
ipv4.address: 10.120.169.1/24
ipv4.firewall: "true"
ipv4.nat: "true"
ipv6.address: fd42:70db:9779:2f39::1/64
ipv6.firewall: "true"
ipv6.nat: "true"
description: ""
name: incusbr0
type: bridge
used_by:
- /1.0/instances/whoogle
- /1.0/profiles/default
managed: true
status: Created
locations:
- none
`incus list`:
+---------+---------+------+-----------------------------------------------+-----------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+---------+---------+------+-----------------------------------------------+-----------+-----------+
| whoogle | RUNNING | | fd42:70db:9779:2f39:216:3eff:fe90:ecda (eth0) | CONTAINER | 0 |
+---------+---------+------+-----------------------------------------------+-----------+-----------+
`incus config show whoogle -e`:
architecture: x86_64
config:
image.architecture: amd64
image.description: Debian bookworm amd64 (20240922_05:24)
image.os: Debian
image.release: bookworm
image.serial: "20240922_05:24"
image.type: squashfs
image.variant: cloud
volatile.base_image: bd0b794ef3c2d9d61c9b2ee8ab0f4b40c95b9beecd917d5239b4fd68ffaf361f
volatile.cloud-init.instance-id: 395a5c74-1813-45d9-baad-ccb51b856594
volatile.eth0.host_name: veth468b55e1
volatile.eth0.hwaddr: 00:16:3e:90:ec:da
volatile.idmap.base: "0"
volatile.idmap.current: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
volatile.idmap.next: '[{"Isuid":true,"Isgid":false,"Hostid":1000000,"Nsid":0,"Maprange":1000000000},{"Isuid":false,"Isgid":true,"Hostid":1000000,"Nsid":0,"Maprange":1000000000}]'
volatile.last_state.idmap: '[]'
volatile.last_state.power: RUNNING
volatile.uuid: df9ebdc4-2e38-49c1-80b6-017d459922f8
volatile.uuid.generation: df9ebdc4-2e38-49c1-80b6-017d459922f8
devices:
eth0:
name: eth0
network: incusbr0
type: nic
root:
path: /
pool: default
type: disk
ephemeral: false
profiles:
- default
stateful: false
description: ""
`ip link show`:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether 02:00:17:05:2f:1c brd ff:ff:ff:ff:ff:ff
altname enp0s3
3: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 8920 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/none
4: incusbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
link/ether 00:16:3e:75:d8:0d brd ff:ff:ff:ff:ff:ff
6: veth468b55e1@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master incusbr0 state UP mode DEFAULT group default qlen 1000
link/ether 86:c2:90:9b:53:58 brd ff:ff:ff:ff:ff:ff link-netnsid 0
`iptables -L -n -v`:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 17 -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1024
1611 489K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT 1 -- * * 0.0.0.0/0 0.0.0.0/0
74 7112 ACCEPT 0 -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 17 -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:123
26 1464 ACCEPT 6 -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
22 7005 REJECT 0 -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- wg0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- ens3 wg0 0.0.0.0/0 0.0.0.0/0
0 0 REJECT 0 -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 1166 packets, 1033K bytes)
pkts bytes target prot opt in out source destination
464 40061 InstanceServices 0 -- * * 0.0.0.0/0 169.254.0.0/16
Chain InstanceServices (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 6 -- * * 0.0.0.0/0 169.254.0.2 owner UID match 0 tcp dpt:3260 /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
0 0 ACCEPT 6 -- * * 0.0.0.0/0 169.254.2.0/24 owner UID match 0 tcp dpt:3260 /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
0 0 ACCEPT 6 -- * * 0.0.0.0/0 169.254.4.0/24 owner UID match 0 tcp dpt:3260 /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
0 0 ACCEPT 6 -- * * 0.0.0.0/0 169.254.5.0/24 owner UID match 0 tcp dpt:3260 /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
0 0 ACCEPT 6 -- * * 0.0.0.0/0 169.254.0.2 tcp dpt:80 /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
82 8274 ACCEPT 17 -- * * 0.0.0.0/0 169.254.169.254 udp dpt:53 /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
0 0 ACCEPT 6 -- * * 0.0.0.0/0 169.254.169.254 tcp dpt:53 /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
0 0 ACCEPT 6 -- * * 0.0.0.0/0 169.254.0.3 owner UID match 0 tcp dpt:80 /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
0 0 ACCEPT 6 -- * * 0.0.0.0/0 169.254.0.4 tcp dpt:80 /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
376 31331 ACCEPT 6 -- * * 0.0.0.0/0 169.254.169.254 tcp dpt:80 /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
0 0 ACCEPT 17 -- * * 0.0.0.0/0 169.254.169.254 udp dpt:67 /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
0 0 ACCEPT 17 -- * * 0.0.0.0/0 169.254.169.254 udp dpt:69 /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
6 456 ACCEPT 17 -- * * 0.0.0.0/0 169.254.169.254 udp dpt:123 /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */
0 0 REJECT 6 -- * * 0.0.0.0/0 169.254.0.0/16 tcp /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */ reject-with tcp-reset
0 0 REJECT 17 -- * * 0.0.0.0/0 169.254.0.0/16 udp /* See the Oracle-Provided Images section in the Oracle Cloud Infrastructure documentation for security impact of modifying or removing this rule */ reject-with icmp-port-unreachable
`nft list ruleset`:
# Warning: table ip filter is managed by iptables-nft, do not touch!
table ip filter {
chain INPUT {
type filter hook input priority filter; policy accept;
udp dport 1024 counter packets 0 bytes 0 accept
ct state related,established counter packets 1694 bytes 502202 accept
ip protocol icmp counter packets 0 bytes 0 accept
iifname "lo" counter packets 76 bytes 7322 accept
udp sport 123 counter packets 0 bytes 0 accept
ip protocol tcp ct state new tcp dport 22 counter packets 29 bytes 1644 accept
counter packets 22 bytes 7005 reject with icmp type host-prohibited
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
iifname "wg0" counter packets 0 bytes 0 accept
iifname "ens3" oifname "wg0" counter packets 0 bytes 0 accept
counter packets 0 bytes 0 reject with icmp type host-prohibited
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
ip daddr 169.254.0.0/16 counter packets 469 bytes 40484 jump InstanceServices
}
chain InstanceServices {
ip daddr 169.254.0.2 ip protocol tcp skuid 0 tcp dport 3260 counter packets 0 bytes 0 accept
ip daddr 169.254.2.0/24 ip protocol tcp skuid 0 tcp dport 3260 counter packets 0 bytes 0 accept
ip daddr 169.254.4.0/24 ip protocol tcp skuid 0 tcp dport 3260 counter packets 0 bytes 0 accept
ip daddr 169.254.5.0/24 ip protocol tcp skuid 0 tcp dport 3260 counter packets 0 bytes 0 accept
ip daddr 169.254.0.2 tcp dport 80 counter packets 0 bytes 0 accept
ip daddr 169.254.169.254 udp dport 53 counter packets 85 bytes 8593 accept
ip daddr 169.254.169.254 tcp dport 53 counter packets 0 bytes 0 accept
ip daddr 169.254.0.3 ip protocol tcp skuid 0 tcp dport 80 counter packets 0 bytes 0 accept
ip daddr 169.254.0.4 tcp dport 80 counter packets 0 bytes 0 accept
ip daddr 169.254.169.254 tcp dport 80 counter packets 378 bytes 31435 accept
ip daddr 169.254.169.254 udp dport 67 counter packets 0 bytes 0 accept
ip daddr 169.254.169.254 udp dport 69 counter packets 0 bytes 0 accept
ip daddr 169.254.169.254 udp dport 123 counter packets 6 bytes 456 accept
ip daddr 169.254.0.0/16 ip protocol tcp counter packets 0 bytes 0 reject with tcp reset
ip daddr 169.254.0.0/16 ip protocol udp counter packets 0 bytes 0 reject
}
}
# Warning: table ip nat is managed by iptables-nft, do not touch!
table ip nat {
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
}
chain INPUT {
type nat hook input priority srcnat; policy accept;
}
chain OUTPUT {
type nat hook output priority dstnat; policy accept;
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
oifname "ens3" counter packets 162 bytes 13293 masquerade
oifname "ens3" counter packets 0 bytes 0 masquerade
}
}
table ip6 filter {
chain INPUT {
type filter hook input priority filter; policy accept;
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
iifname "wg0" counter packets 0 bytes 0 accept
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
}
}
# Warning: table ip6 nat is managed by iptables-nft, do not touch!
table ip6 nat {
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
}
chain INPUT {
type nat hook input priority srcnat; policy accept;
}
chain OUTPUT {
type nat hook output priority dstnat; policy accept;
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
oifname "ens3" counter packets 0 bytes 0 # Warning: XT target MASQUERADE not found
xt target "MASQUERADE"
oifname "ens3" counter packets 0 bytes 0 # Warning: XT target MASQUERADE not found
xt target "MASQUERADE"
}
}
table inet incus {
chain pstrt.incusbr0 {
type nat hook postrouting priority srcnat; policy accept;
ip saddr 10.120.169.0/24 ip daddr != 10.120.169.0/24 masquerade
ip6 saddr fd42:70db:9779:2f39::/64 ip6 daddr != fd42:70db:9779:2f39::/64 masquerade
}
chain fwd.incusbr0 {
type filter hook forward priority filter; policy accept;
ip version 4 oifname "incusbr0" accept
ip version 4 iifname "incusbr0" accept
ip6 version 6 oifname "incusbr0" accept
ip6 version 6 iifname "incusbr0" accept
}
chain in.incusbr0 {
type filter hook input priority filter; policy accept;
iifname "incusbr0" tcp dport 53 accept
iifname "incusbr0" udp dport 53 accept
iifname "incusbr0" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
iifname "incusbr0" udp dport 67 accept
iifname "incusbr0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert, mld2-listener-report } accept
iifname "incusbr0" udp dport 547 accept
}
chain out.incusbr0 {
type filter hook output priority filter; policy accept;
oifname "incusbr0" tcp sport 53 accept
oifname "incusbr0" udp sport 53 accept
oifname "incusbr0" icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
oifname "incusbr0" udp sport 67 accept
oifname "incusbr0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld2-listener-report } accept
oifname "incusbr0" udp sport 547 accept
}
}