Container can't get IPv4 address on Ubuntu 24.04 LTS (on Oracle Cloud)

Thanks for the words - didn’t quite know what to center my search on but that helped a lot!

I was able to get it working by mimicking the rules that Incus (I assume) made for incusbr0 per nft list ruleset.

This got DHCP to work and gave the container an IPv4 address, but still no internet access.
iptables -I INPUT -i incusbr0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT

These were from mimicking the nftables more:

iptables -I INPUT -i incusbr0 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i incusbr0 -p tcp --dport 53 -j ACCEPT
iptables -I INPUT -i incusbr0 -p udp --dport 547 -j ACCEPT

These sealed the deal; IPv4 did require the callout to the original network interface ens3 to finally work.

iptables -I FORWARD -i ens3 -o incusbr0 -j ACCEPT
iptables -I FORWARD -i incusbr0 -j ACCEPT
ip6tables -I FORWARD -i incusbr0 -j ACCEPT

I’m not sure if any are superfluous, but the container can access apt now. I wasn’t able to make output rules in iptables that tied to incusbr0, so skipped that but it didn’t matter. Guessing output is good to go due to its unrestricted rule. Also not sure why nftables is ignored for iptables, everything I read says they should “work together to bridge old and new” or something.

Thanks again!!

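Added example, not part of the original post: a simplified first-match model in Python of the two IPv4 FORWARD rules above, showing why `-I` placement ahead of a catch-all REJECT matters and what the unqualified `-i ens3 -o incusbr0` ACCEPT admits. The baseline REJECT rule, the sample packets and the conntrack-restricted variant are assumptions constructed for illustration.

```python
import shlex

# Constructed sample in `iptables -S` form: a FORWARD chain ending in a
# catch-all REJECT (assumed host default; the post does not show it).
BASELINE = ["-A FORWARD -j REJECT --reject-with icmp-host-prohibited"]
# The post's two IPv4 FORWARD rules, as typed.
POST_RULES = ["-I FORWARD -i ens3 -o incusbr0 -j ACCEPT",
              "-I FORWARD -i incusbr0 -j ACCEPT"]
# Hypothetical tighter variant: ens3 -> bridge only for tracked replies.
TIGHT_RULES = ["-I FORWARD -i ens3 -o incusbr0 -m conntrack"
               " --ctstate RELATED,ESTABLISHED -j ACCEPT",
               "-I FORWARD -i incusbr0 -j ACCEPT"]

def build_chain(lines):
    """Replay rule lines: -A appends, -I (no index) inserts at the top."""
    chain = []
    for line in lines:
        op, _name, *rest = shlex.split(line)
        # Every option used here takes exactly one argument, so pair them up.
        rule = dict(zip(rest[0::2], rest[1::2]))
        if op == "-I":
            chain.insert(0, rule)
        else:
            chain.append(rule)
    return chain

def verdict(chain, pkt):
    """First-match evaluation of a packet (dict: in, out, state)."""
    for rule in chain:
        if rule.get("-i", pkt["in"]) != pkt["in"]:
            continue
        if rule.get("-o", pkt["out"]) != pkt["out"]:
            continue
        states = rule.get("--ctstate")
        if states and pkt["state"] not in states.split(","):
            continue
        return rule["-j"]
    return "ACCEPT"  # assumed chain policy when no rule matches

def audit(rules):
    """Verdicts for three constructed packets against BASELINE + rules."""
    chain = build_chain(BASELINE + rules)
    packets = {
        "container_out": {"in": "incusbr0", "out": "ens3", "state": "NEW"},
        "reply_in": {"in": "ens3", "out": "incusbr0", "state": "ESTABLISHED"},
        "unsolicited_in": {"in": "ens3", "out": "incusbr0", "state": "NEW"},
    }
    return {name: verdict(chain, p) for name, p in packets.items()}
```

Calling `audit([])`, `audit(POST_RULES)` and `audit(TIGHT_RULES)` gives the verdicts for the three packets under each rule set; the model ignores NAT and the separate nftables tables, which hook the same packets independently.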