Location of netfilter file used by Incus when it starts up

I changed the firewall from UFW to netfilter (nft). When I start/restart the incus service, I see that Incus has built an nft table called incus. When I make changes to the host netfilter file (/etc/nftables.conf) and reload using nft -f, the Incus nft configuration is lost.

What I would like to do is include the Incus netfilter rules in nftables.conf so that it retains those rules when I change/add the main netfilter rules.

Btw, I am using Ubuntu 22.04. Can someone please point me to where it is located, or how I can solve this? Thanks in advance.


No files; Incus directly pushes nft rules into nftables.

I think the problem here is that your way of altering nft rules is to flush the entire ruleset and repopulate from /etc/nftables.conf; that will wipe rules from any other tool directly using nftables, whether that’s Incus, Docker or anything else on the system.

I’ve not used /etc/nftables.conf in the past, but I suspect it’s basically the same syntax as nft list ruleset, so it is a way to apply a baseline ruleset on startup. After that you probably should perform changes directly through regular nft commands and then save the resulting ruleset to /etc/nftables.conf (basically /etc/nftables.conf is the new iptables-save).
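One way to act on the reply above, as an added example that is not part of the thread or of Incus itself: the stock Ubuntu /etc/nftables.conf opens with `flush ruleset`, which is the statement that deletes every table in the kernel, including the one Incus created. The script below rewrites such a file so it only flushes the tables it defines, applies it, and then checks that the Incus table survived. It assumes the nftables userspace is installed, root for the `nft` calls, that Incus's table is `inet incus` (the name the question reports; the `inet` family is an assumption), and that the host's own table is `inet filter`; the sample configuration inside it is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread or the Incus project): reload the
# host's /etc/nftables.conf without deleting the "inet incus" table.
# Assumes: nftables userspace installed, root for the nft calls, and a conf in
# the usual Ubuntu layout whose first statement is "flush ruleset".
set -eu

# Constructed sample of such a conf. The "flush ruleset" line is what removes
# every table in the kernel, including the one Incus created.
SAMPLE_CONF='#!/usr/sbin/nft -f
flush ruleset
table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		iifname "lo" accept
		ct state established,related accept
		tcp dport 22 accept
	}
}
'

# scope_flush: stdin -> stdout. Drops a global "flush ruleset" and, before each
# "table <family> <name> {" block, inserts
#   add table <family> <name>    (creates it if missing, no-op otherwise)
#   flush table <family> <name>  (empties only that table)
# so re-applying the file is idempotent for your own tables and leaves every
# other table (incus, docker, ...) untouched.
scope_flush() {
    awk '
        /^[ \t]*flush[ \t]+ruleset/ { next }
        /^[ \t]*table[ \t]+[a-z0-9]+[ \t]+[^ \t{]+[ \t]*\{/ {
            name = $3; sub(/\{.*$/, "", name)
            printf "add table %s %s\nflush table %s %s\n", $2, name, $2, name
        }
        { print }
    '
}

# reload_host_rules: rewrite and apply the conf, then confirm the Incus table
# is still there. Returns non-zero if it is gone, i.e. the file still carried
# a global flush that scope_flush did not catch.
reload_host_rules() {
    conf="${1:-/etc/nftables.conf}"
    scoped="$(mktemp)"
    scope_flush < "$conf" > "$scoped"
    nft -f "$scoped"
    rm -f "$scoped"
    nft list table inet incus > /dev/null
}

# save_host_rules: the "iptables-save" step, restricted to your own table.
# Saving "nft list ruleset" would also capture the incus table into your file,
# and you would then be re-creating Incus's rules yourself on every reload.
save_host_rules() {
    {
        echo '#!/usr/sbin/nft -f'
        nft list table inet filter
    } | scope_flush
}

# Usage (as root):
#   reload_host_rules /etc/nftables.conf
#   save_host_rules > /etc/nftables.conf.new
```

The `add table` before `flush table` matters: `flush table` fails if the table does not exist yet (first boot after a reinstall, for instance), while `add table` on an existing table is a no-op, so the pair is safe in both states. Everything outside your own table is left alone, which is the property the reply above is asking for.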

Thank you for your help. I'm not sure about the last sentence. If I understand what you are saying, once I have applied rules manually, one nft statement at a time, I should then copy those rules to the nftables.conf file for later use when the system reboots?

My second question is maybe more about trying to understand. When the incus binary is executed, it builds the nft tables and rules. I assume the interface information is coming from the SQLite database. Why can't the rules get stored in that database so that, say, an admin subcommand could reapply the firewall rules? Just a question; if it is not possible, I understand.

Thank you again