Nftables firewall rules not restored after lxd service reload

Greetings everyone!

First I would like to say hi to everyone as I'm new on this forum.

I discovered a strange behavior in LXD; it may be a bug, but I wanted to first check on the forum before filing a bug report on GitHub.

I have Ubuntu Focal with LXD 4.24 installed through snap and on the same system there is a firewall configured with nftables.

LXD correctly detects that nftables should be used:

root@lxdtest2:~# lxc info | grep firewall
- network_firewall_filtering
- firewall_driver
  firewall: nftables

Now the actual strange behavior I encountered:

If I create a container testcont1 and configure it with a routed nic:

lxc config device add testcont1 eth0 nic name=eth0 nictype=routed ipv4.address=192.168.241.102

upon starting the container LXD will create a table with some rules:

root@lxdtest2:~# nft list table inet lxd
table inet lxd {
        chain prert.testcont1.eth0 {
                type filter hook prerouting priority raw; policy accept;
                iif "vethf9fd041e" fib saddr . iif oif missing drop
        }
}

When I restart the nftables firewall this table gets flushed, and this is the expected behavior; however, when I run systemctl reload snap.lxd.daemon.service it does not get restored. I have to stop and start the container for it to be restored:

root@lxdtest2:~# systemctl restart nftables.service
root@lxdtest2:~# nft list table inet lxd
Error: No such file or directory
list table inet lxd
                ^^^
root@lxdtest2:~# systemctl reload snap.lxd.daemon.service
root@lxdtest2:~# nft list table inet lxd
Error: No such file or directory
list table inet lxd
                ^^^
root@lxdtest2:~# lxc restart testcont1
root@lxdtest2:~# nft list table inet lxd
table inet lxd {
        chain prert.testcont1.eth0 {
                type filter hook prerouting priority raw; policy accept;
                iif "veth9bbc3251" fib saddr . iif oif missing drop
        }
}

I am unsure if I should expect LXD to restore these rules with a service reload; there are a few posts [1] [2] on this forum hinting that a reload should restore firewall rules. Should I file a bug report or is it expected behavior?

If you need any more information I will be happy to assist!

LXD will restore firewall rules added by its managed networks when it starts (because they start on LXD start).

However, it doesn't currently re-add instance device level firewall rules (added by nic or proxy in nat=true mode).

In general instance level system changes are not re-applied until the instance is started again.

So this is expected behavior, thanks for the explanation!
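Since a firewall restart silently drops the per-device chains and only an instance restart brings them back, a practical follow-up is a check that runs after any nftables reload and reports which routed-nic chains are gone. The script below is an added example written for this thread, not code from LXD or from either poster. It assumes the chain naming shown above (prert.<instance>.<device>) and the reverse-path rule (fib saddr . iif oif missing drop) as the things to look for; the list of instance:device pairs is passed in by the caller (on a real host you would take it from lxc config device show). The two nft outputs embedded in the script are constructed copies of the dumps in the thread, so it can be exercised without nft or LXD present.

```shell
#!/bin/sh
# Added example (not from the thread or from LXD): after an nftables reload,
# verify that the per-device chains LXD created for routed nics still exist.
# Assumed conventions, taken from the dumps in the thread:
#   chain name:  prert.<instance>.<device>
#   rule:        iif "<veth>" fib saddr . iif oif missing drop

# Constructed sample: `nft list table inet lxd` while the container is running.
SAMPLE_TABLE='table inet lxd {
        chain prert.testcont1.eth0 {
                type filter hook prerouting priority raw; policy accept;
                iif "veth9bbc3251" fib saddr . iif oif missing drop
        }
}'

# Constructed sample: the same command after `systemctl restart nftables`.
SAMPLE_MISSING='Error: No such file or directory
list table inet lxd
                ^^^'

# lxd_chain_name INSTANCE DEVICE -> prints the chain name assumed for a routed nic.
lxd_chain_name() {
    printf 'prert.%s.%s\n' "$1" "$2"
}

# lxd_chain_present NFT_OUTPUT INSTANCE DEVICE -> exit 0 if the chain header is in the dump.
lxd_chain_present() {
    chain=$(lxd_chain_name "$2" "$3")
    printf '%s\n' "$1" | grep -qF "chain ${chain} {"
}

# lxd_rpf_rule_present NFT_OUTPUT INSTANCE DEVICE -> exit 0 if that chain still
# carries the reverse-path check rule; exit 1 if the chain or the rule is missing.
lxd_rpf_rule_present() {
    chain=$(lxd_chain_name "$2" "$3")
    printf '%s\n' "$1" | awk -v c="chain ${chain} {" '
        index($0, c) { inchain = 1; next }                 # entered the chain body
        inchain && /^[[:space:]]*}/ { inchain = 0 }        # left the chain body
        inchain && /fib saddr \. iif oif missing drop/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_routed_nics NFT_OUTPUT "inst:dev inst:dev ..." -> one MISSING line per
# absent chain; exit 0 when every chain is present, 1 otherwise.
check_routed_nics() {
    out=$1; missing=0
    for pair in $2; do
        inst=${pair%%:*}; dev=${pair#*:}
        if ! lxd_rpf_rule_present "$out" "$inst" "$dev"; then
            echo "MISSING: $(lxd_chain_name "$inst" "$dev") (restart instance $inst to re-apply)"
            missing=1
        fi
    done
    return $missing
}

# Live run only when nft is available and we are root; otherwise walk the samples.
if command -v nft >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    live=$(nft list table inet lxd 2>&1)
    check_routed_nics "$live" "${1:-testcont1:eth0}"
else
    check_routed_nics "$SAMPLE_TABLE" "testcont1:eth0"
    check_routed_nics "$SAMPLE_MISSING" "testcont1:eth0" || true
fi
```

Run it as root with the instance:device pairs of the routed nics on the host (sh check.sh "testcont1:eth0 testcont2:eth0"); a non-zero exit plus the MISSING lines tells you which instances need an lxc restart to get their chain back. Hooking it to the nftables unit (for example as an ExecStartPost) turns the behavior described in the thread into something visible rather than a quiet loss of the reverse-path filter.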