Firewall: nftables doesn't find incusbr0 at boot

What I tried

I am trying to set up an nftables firewall for Incus. I use Debian.

The firewall should block all traffic that is not SSH.
Incus creates rules by itself to allow the network traffic that is created by Incus network forwards etc. Without the firewall my setup works.

The firewall is:
/etc/nftables.conf

#!/usr/sbin/nft -f

# flush ruleset
table inet filter
delete table inet filter

table inet filter {

	chain input {
		type filter hook input priority filter; policy drop;

		iif lo accept

		ct state established, related accept

		tcp dport 6312 ct state new accept

		ct state invalid drop
	}
	chain forward {
		type filter hook forward priority filter; policy drop;

		ct state established, related accept

		iif incusbr0 oif incusbr0 accept
		iif enp0s31f6 oif incusbr0 accept
		iif "incusbr0" oif "enp0s31f6" accept

		ct state invalid drop
	}
	chain output {
		type filter hook output priority filter; policy accept;
	}
}

I use

table inet filter
delete table inet filter

and not the default recommendation

flush ruleset

because it flushes all rules, including the Incus rules.

Problem

nft fails to start:

nftables.service - nftables
Loaded: loaded (/lib/systemd/system/nftables.service; enabled; preset: enabled)
Active: failed (Result: exit-code) since Mon 2025-06-16 01:06:00 CEST; 1min 25s ago
Docs: man:nft(8)
http://wiki.nftables.org
Process: 257 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=1/FAILURE)
Main PID: 257 (code=exited, status=1/FAILURE)
CPU: 11ms

Jun 16 01:06:00 hades nft[257]: ^^^^^^^^
Jun 16 01:06:00 hades nft[257]: /etc/nftables.conf:26:21-28: Error: Interface does not exist
Jun 16 01:06:00 hades nft[257]: iif enp0s31f6 oif incusbr0 accept
Jun 16 01:06:00 hades nft[257]: ^^^^^^^^
Jun 16 01:06:00 hades nft[257]: /etc/nftables.conf:27:7-16: Error: Interface does not exist
Jun 16 01:06:00 hades nft[257]: iif "incusbr0" oif "enp0s31f6" accept

nft doesn't find incusbr0 and fails.

Attempt

If I run

sudo systemctl restart nftables.service

it doesn't fail.
Everything works as it should.

After a restart of the system nftables fails and nothing works.

My guess is that nftables starts and loads the table before Incus starts and creates its bridge and rulesets.

Questions

How can I set up nftables so that it detects the incusbr0 bridge?
or
How can I set up nftables in another way so that it blocks all traffic?
Any recommendations for the firewall setup?

Hello and welcome,

from reading it, it seems that your nft rules include all the Incus rules too. Loading them fails because your firewall is started before Incus. At that time there is no incusbr0 interface available. For more details take a look at the documentation: How to configure your firewall - Incus documentation

There are two options to solve this:

  • Edit your saved rules and delete all Incus rules; they will be added automatically during Incus start
  • Disable Incus firewall management and start your firewall after Incus has been started

Each of them has its advantages; it all depends on your requirements and how you want to manage your firewall.

As I understand it, if I disable the Incus firewall, Incus doesn't add its nftables rules any more and I need to set up everything myself: the internal DNS ports, the bridge, the network forwards or proxies etc.
Most of it I can copy and paste, but when I add instances it quickly gets complicated.

I tried to convert the UFW rules to nftables:

sudo ufw allow in on incusbr0
sudo ufw route allow in on incusbr0
sudo ufw route allow out on incusbr0

With iifname instead of iif, nftables doesn't fail to start at boot time.

The rules look like this:

#!/usr/sbin/nft -f

#flush ruleset
table inet filter
flush table inet filter

table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		iif lo accept

		iifname incusbr0 accept

		ct state established, related accept
		tcp dport 6312 ct state new accept
		ct state invalid drop
	}
	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established, related accept

		iifname incusbr0 accept
		oifname incusbr0 accept

		ct state invalid drop
	}
	chain output {
		type filter hook output priority filter; policy accept;
	}
}

Everything looks like it works as it should.

I haven't tested this setup completely at this point; maybe I'll find time later.
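The thread boils down to two load-time pitfalls: `iif`/`oif` are resolved to an interface index when the file is loaded, so they fail with "Interface does not exist" if the bridge is not up yet, while `iifname`/`oifname` compare the name string per packet and load fine; and `flush ruleset` wipes the tables Incus manages along with your own. The following script is an added example, not code from the poster or from the Incus project: a small pre-boot linter that flags both patterns and rewrites them, run against a constructed sample ruleset (not the poster's real /etc/nftables.conf). The set of interfaces assumed present at boot (`BOOT_TIME_IFACES`) is an assumption to adjust per host.

```python
"""Lint an nftables ruleset that has to coexist with Incus-managed tables.

Added example (not the poster's or Incus's own code). It flags:
  * `iif NAME` / `oif NAME` on an interface that does not exist at boot:
    these are resolved to an ifindex at load time and abort the load.
    `iifname` / `oifname` match the name per packet and load regardless.
  * `flush ruleset`, which removes every table, including the ones Incus
    adds for its bridges, forwards and DNS. Flushing only your own table
    leaves them alone.
"""
import re
from typing import List, Tuple

# Constructed sample, NOT the poster's real file: a minimal ruleset that
# reproduces both pitfalls from the thread plus one already-correct line.
SAMPLE_CONF = """#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state established,related accept
        tcp dport 6312 ct state new accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        iif incusbr0 oif incusbr0 accept
        iif "incusbr0" oif "enp0s31f6" accept
        iifname incusbr0 accept
    }
}
"""

# Assumption: interfaces guaranteed to exist when nftables.service runs at
# boot. Only lo is certain; bridges created later by Incus are not.
BOOT_TIME_IFACES = frozenset({"lo"})

# `iif`/`oif` followed by a bare or double-quoted interface name.
# The trailing \s+ keeps it from matching `iifname`/`oifname`.
IF_INDEX_RE = re.compile(r'\b(iif|oif)\s+"?([A-Za-z0-9_.:-]+)"?')

Finding = Tuple[int, str]


def lint(conf: str, present_at_boot=BOOT_TIME_IFACES) -> List[Finding]:
    """Return (line number, message) for each statement that would fail or
    misbehave when the file is loaded before Incus has created its bridge."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        code = raw.partition("#")[0].strip()  # ignore comments and shebang
        if code == "flush ruleset":
            findings.append((lineno, "flush ruleset also removes the Incus "
                                     "tables; flush only your own table"))
        for m in IF_INDEX_RE.finditer(code):
            kw, name = m.groups()
            if name not in present_at_boot:
                findings.append((lineno, f"{kw} {name}: resolved to an ifindex "
                                         f"at load time, fails if the interface "
                                         f"is absent; use {kw}name"))
    return findings


def fix(conf: str, present_at_boot=BOOT_TIME_IFACES) -> str:
    """Rewrite the ruleset so it loads at boot: ifindex matches on interfaces
    absent at boot become name matches, and `flush ruleset` becomes a
    declare-then-flush of each table the file itself defines (declaring it
    first makes the flush succeed on a clean boot when no table exists yet)."""
    tables = re.findall(r"^\s*table\s+(\w+)\s+(\w+)\s*\{", conf, re.M)

    def to_name_match(m: "re.Match[str]") -> str:
        kw, name = m.groups()
        return m.group(0) if name in present_at_boot else f'{kw}name "{name}"'

    out = []
    for raw in conf.splitlines():
        code, hash_, comment = raw.partition("#")
        if code.strip() == "flush ruleset":
            indent = code[: len(code) - len(code.lstrip())]
            for family, name in tables:
                out.append(f"{indent}table {family} {name}")
                out.append(f"{indent}flush table {family} {name}")
            continue
        out.append(IF_INDEX_RE.sub(to_name_match, code) + hash_ + comment)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, msg in lint(SAMPLE_CONF):
        print(f"sample:{lineno}: {msg}")
    print(fix(SAMPLE_CONF))
```

Running it on the sample reports the `flush ruleset` line and the four `iif`/`oif` uses of incusbr0 and enp0s31f6, and `fix()` produces a file whose only remaining ifindex match is `iif lo`. Note that `iifname` on its own does not make the rules wait for the bridge; it just stops the load from aborting, so packets for incusbr0 are simply matched once the interface appears. `fix()` is idempotent, so it is safe to run it over a file that has already been converted.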