Thanks and I know that this question was asked during the lxd era.
Now I’d like to share something about my situation, or use case.
Some network forward rules have been set up for the lxc containers, thru the incus network stuff.
Then, there’re some more nft rules in the /etc/nftables.conf for the incus host.
So after each reboot, both nftables.service and incus.service work well, which means the nft rules of both are applied correctly.
But when I need to adjust the rules of nftables.service, I can ONLY use nft command to do it, but NOT a modified /etc/nftables.conf and systemctl restart nftables - because the nftables.service will flush all the nft rules (incus-related is flushed as well) and re-apply those in the conf file.
So the viable solutions for me right now can be:
- modify both the `nftables.conf` and the systemd `nftables.service` file to disable the `flush ruleset` - seems not a correct way to do this though.
- seek an alternative way to reload the incus initiated nft rules, something like `incus network reload fw-rules` without restarting any of the containers or changing any config. Then both (incus and nftables) services take care of their own stuff.
So, any suggestion, our experts?
Oh, I’ve got a not-kinda-good workaround.
Move all the host-related firewall rules from nft to xtables - then all the rules can be stored/reloaded thru netfilter-persistent.service (instead of the nftables.service) - now it won’t “fight against” the rules by incus.
I don’t think it’s a nice way to resolve this, again.
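One way to let `systemctl restart nftables` reload the host rules without wiping the table Incus manages, as an added example that is not from the original post: scope the flush in `/etc/nftables.conf` to the host's own table instead of using `flush ruleset`. The table name `host_fw` and the rules in it are assumptions.

```nft
#!/usr/sbin/nft -f
# /etc/nftables.conf for the Incus host (assumed example, not the post's file).
# "flush ruleset" removes every table, including the one Incus manages.
# Dropping and re-creating only the host's own table leaves the Incus
# network forwards in place across "systemctl restart nftables".

# Make sure the table exists before deleting it, so the file can be
# loaded repeatedly ("delete table" fails if the table is missing).
table inet host_fw
delete table inet host_fw

table inet host_fw {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        tcp dport 22 accept comment "ssh (assumed)"
    }
    # No forward chain here: forwarding is left to the table Incus manages,
    # so a policy in this file cannot block container traffic.
}
```

Compare `nft list tables` before and after the restart to confirm the Incus table survives; a forward chain with a drop policy in the host table would still apply to container traffic, which is why this file has none.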