So this is probably a dumb question, but I’m trying to clean up my nftables rules on my server a bit. Right now, they’re just converted from iptables and it’s a total mess. I tried to create a new ruleset but then I wasn’t able to figure out how to get Incus to re-insert its rules for my networks. Is there an easy solution? I tried both restarting incus and toggling the firewall config option on the network on and off.
What does incus info | grep firewall: show you?
My guess is that because of the mix of iptables/nft, Incus may have noticed entries on the iptables side and decided to do iptables from now on rather than nft.
Otherwise, our firewall rules get applied whenever a network is restarted which happens during most configuration changes to the network as well as restarting Incus.
Sorry for takes a while to reply, was out of town for American Thanksgiving.
$ incus info | grep firewall
- network_firewall_filtering
- firewall_driver
firewall: xtables
Is there a way to switch it from xtables to nftables?
No, there’s no way to force it.
Normally the logic looks something like this:
- Check if nftables and tools are available, check that the kernel is recent enough and that nft seems to behave, then check if any rules already exist in nft
- If everything checks out and nft rules already exist, we’ll use nft
- If everything checks out but no rules are found, we’ll go and check xtables
- If xtables checks out and rules are found, then we go with xtables
- If xtables checks out and no rules are found, then we go nft if supported, if not we go xtables
- If neither check out, we go xtables
For nft the compat check is basically:
- Kernel >= 5.2
- nft command is accessible
- nft is 0.9.1 or higher
- Check that we can create and delete a test table
1 Like
Thanks. It looks like there’s actually some issues with the incus package on Gentoo that are the likely culprit here. It exclusively depends on iptables, so apparently I’ve still had iptables installed, and incus is setting iptables rules while I’m trying to use nftables.
I’ll create a Gentoo bug and see if they can update the package dependencies, hopefully that’ll clear things up for me. Thanks!