`incus network list-leases` missing an entry

candlerb · March 31, 2026, 6:37pm

incus 6.23 here. I have a bridge network which I’ve add an external interface to, and connected a client device. incus’ dnsmasq is acting as the DHCP server for this network.

The client device has picked up both IPv4 and IPv6 addresses. But incus network list-leases doesn’t show the IPv4 address (100.126.3.105), even though it’s visible in dnsmasq’s leases file.

Am I doing something wrong?

nsrc@brian-kit:~$ incus network list-leases wifi0
+----------+-------------+------------------------+---------+
| HOSTNAME | MAC ADDRESS |       IP ADDRESS       |  TYPE   |
+----------+-------------+------------------------+---------+
| *        |             | XXXX:XXX:XX:XXfc::13b8 | DYNAMIC |
+----------+-------------+------------------------+---------+
| wifi0.gw |             | XXXX:XXX:XX:XXfc::1    | GATEWAY |
+----------+-------------+------------------------+---------+
| wifi0.gw |             | 100.126.0.1            | GATEWAY |
+----------+-------------+------------------------+---------+

nsrc@brian-kit:~$ cat /var/lib/incus/networks/wifi0/dnsmasq.leases
1774984511 72:06:57:fe:7f:f8 100.126.3.105 Mac 01:72:06:57:fe:7f:f8
duid 00:01:00:01:31:5e:bf:aa:54:b2:03:0a:93:28
1774985015 0 XXXX:XXX:XX:XXfc::13b8 * 00:03:00:01:72:06:57:fe:7f:f8

nsrc@brian-kit:~$ incus network show wifi0
config:
  bridge.external_interfaces: eno1
  ipv4.address: 100.126.0.1/22
  ipv4.dhcp.ranges: 100.126.1.0-100.126.3.254
  ipv4.nat: "true"
  ipv6.address: XXXX:XXX:XX:XXfc::1/64
  ipv6.dhcp.ranges: XXXX:XXX:XX:XXfc::1000-XXXX:XXX:XX:XXfc::1fff
  ipv6.dhcp.stateful: "true"
  ipv6.nat: "false"
description: ""
name: wifi0
type: bridge
used_by: []
managed: true
status: Created
locations:
- none
project: default

stgraber · April 1, 2026, 2:16am

Incus always filters the entries based on the list of MAC addresses present in your current project. That’s effectively to avoid leaking information about other projects when they share a network.

This also causes any unknown MAC (not in the current project’s MAC address list) to be dropped.

candlerb · April 1, 2026, 6:44am

But “current project” is a client-side concept, isn’t it? (If you mean incus project switch).

When I issue the command with --debug I see the API request being made to http://unix.socket/1.0/networks/wifi0/leases - the project name isn’t included. I can also see that the response doesn’t include the “missing” lease, so it’s not being filtered client-side.

stgraber · April 1, 2026, 12:19pm

Projects are a server side concept, when not specified, it’s parsed as default.

candlerb · April 1, 2026, 12:31pm

I see, thanks. incus network list-leases wifi0 --project=nsrc-builder --debug makes a request to http://unix.socket/1.0/networks/wifi0/leases?project=nsrc-builder

nsrc@brian-kit:~/vtp-build$ incus network list-leases wifi0 --project nsrc-builder
+----------+-------------+------------------------+---------+
| HOSTNAME | MAC ADDRESS |       IP ADDRESS       |  TYPE   |
+----------+-------------+------------------------+---------+
| unifi    |             | XXXX:XXX:XX:XXfc::1f7a | DYNAMIC |
+----------+-------------+------------------------+---------+
nsrc@brian-kit:~/vtp-build$ incus network list-leases wifi0 --project default
+----------+-------------------+------------------------+---------+
| HOSTNAME |    MAC ADDRESS    |       IP ADDRESS       |  TYPE   |
+----------+-------------------+------------------------+---------+
| unifi    | 10:66:6a:49:c6:51 | 100.126.0.234          | STATIC  |
+----------+-------------------+------------------------+---------+
| unifi    |                   | XXXX:XXX:XX:XXfc::1f7a | DYNAMIC |
+----------+-------------------+------------------------+---------+
| wifi0.gw |                   | XXXX:XXX:XX:XXfc::1    | GATEWAY |
+----------+-------------------+------------------------+---------+
| wifi0.gw |                   | 100.126.0.1            | GATEWAY |
+----------+-------------------+------------------------+---------+

Presumably the IPv6 leases can’t be associated with a project (perhaps because assigned via duid rather than MAC address?) so are unfiltered.

As an incus administrator, and/or as a user in a project with no features or restrictions enabled, it would be nice to have a global view of the leases on a network.