Nftable rules attempts to call rules before incus creates them on server boot

Nov 19 11:16:38 skyrider nft[789]: ^^^^^^^^^^
Nov 19 11:16:38 skyrider nft[789]: /etc/nftables.conf:204:22-31: Error: Interface does not exist
Nov 19 11:16:38 skyrider nft[789]: ip6 saddr ::/0 oif "incusbr0" accept
Nov 19 11:16:38 skyrider nft[789]: ^^^^^^^^^^
Nov 19 11:16:38 skyrider nft[789]: /etc/nftables.conf:205:7-16: Error: Interface does not exist
Nov 19 11:16:38 skyrider nft[789]: iif "incusbr0" ip6 daddr ::/0 accept
Nov 19 11:16:38 skyrider nft[789]: ^^^^^^^^^^
Nov 19 11:16:38 skyrider systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE
Nov 19 11:16:38 skyrider systemd[1]: nftables.service: Failed with result 'exit-code'.
Nov 19 11:16:38 skyrider systemd[1]: Failed to start nftables.service - nftables.
skyrider@skyrider:~$ sudo systemctl restart nftabledds
Failed to restart nftabledds.service: Unit nftabledds.service not found.

I noticed this after the server boots up, but it works after I restart nftables. I assume the rules are called before Incus could create them. Is this normal behavior?

Hmm, Incus itself never writes to /etc/nftables.conf; it just interacts with nftables directly through the nft command.

It looks like something dumped your system’s ruleset into /etc/nftables.conf and is trying to restore it prior to the network interfaces existing.
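The error in the log is the load-time check behind `iif`/`oif`: nft resolves those matches to an interface index while it loads the ruleset, so the rule is rejected if the interface does not exist yet. The `iifname`/`oifname` matches compare the name string per packet instead and load fine before the bridge is created. The script below is an added example, not code from this thread or from the Incus project: it rewrites a dumped ruleset so that by-index matches become by-name matches, using the `incusbr0` lines from the log above as constructed input, and optionally check-loads the result with `nft -c` when nft is installed. The function names and the `/etc/nftables.conf` backup step are my own choices, not anything the thread describes.

```shell
#!/bin/sh
# Added example (not from the original thread or from Incus).
# Rewrite `iif NAME` / `oif NAME` into `iifname NAME` / `oifname NAME`.
# `iif`/`oif` are resolved to an interface index when the ruleset is
# loaded and fail with "Interface does not exist" if the interface is
# not up yet; `iifname`/`oifname` match the name string at packet time
# and load fine before Incus has created incusbr0.

# Reads a ruleset on stdin, writes the rewritten ruleset on stdout.
# Only a bare `iif`/`oif` followed by whitespace is touched, so lines
# that already use `iifname`/`oifname` are left alone.
rewrite_iface_matches() {
    sed -E 's/(^|[[:space:]])(iif|oif)[[:space:]]/\1\2name /g'
}

# Constructed sample ruleset, modelled on the two rules in the log.
sample_ruleset() {
    cat <<'EOF'
table inet filter {
	chain forward {
		type filter hook forward priority filter; policy drop;
		ip6 saddr ::/0 oif "incusbr0" accept
		iif "incusbr0" ip6 daddr ::/0 accept
		oifname "incusbr0" ct state established,related accept
	}
}
EOF
}

# Check-load a ruleset file with nft (-c parses and validates without
# committing). Returns 0 if nft accepts it, 1 if nft rejects it, and
# 2 if nft is not installed so the caller can skip the check.
check_ruleset() {
    command -v nft >/dev/null 2>&1 || return 2
    nft -c -f "$1" >/dev/null 2>&1
}

# Rewrite a ruleset file in place, keeping a backup next to it.
# Usage: fix_ruleset_file /etc/nftables.conf
fix_ruleset_file() {
    cp -p "$1" "$1.bak" || return 1
    rewrite_iface_matches <"$1.bak" >"$1"
}

# Demo when run directly: show the rewrite and, if nft is present,
# confirm the rewritten ruleset passes `nft -c` even though incusbr0
# may not exist on this machine.
if [ "${0##*/}" = "fix-nft-iface.sh" ]; then
    tmp=$(mktemp) && trap 'rm -f "$tmp"' EXIT
    sample_ruleset | rewrite_iface_matches >"$tmp"
    cat "$tmp"
    check_ruleset "$tmp"; rc=$?
    case $rc in
        0) echo "nft -c: rewritten ruleset accepted" ;;
        1) echo "nft -c: rewritten ruleset rejected" ;;
        *) echo "nft not installed; skipping check-load" ;;
    esac
fi
```

Prefer this over reordering units: the distribution `nftables.service` is deliberately ordered before `network-pre.target` so the firewall is in place before any interface comes up, and pushing it behind the Incus daemon would leave the host unfiltered during that window. Note also that `nft -c` performs the same interface resolution as a real load, so it reproduces the boot-time failure on a dump that still contains `oif "incusbr0"`, and can be used as a pre-commit check on `/etc/nftables.conf`.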