When does Incus generate/insert its nftables rules?

So this is probably a dumb question, but I’m trying to clean up my nftables rules on my server a bit. Right now, they’re just converted from iptables and it’s a total mess. I tried to create a new ruleset but then I wasn’t able to figure out how to get Incus to re-insert its rules for my networks. Is there an easy solution? I tried both restarting incus and toggling the firewall config option on the network on and off.

What does incus info | grep firewall: show you?

My guess is that because of the mix of iptables/nft, Incus may have noticed entries on the iptables side and decided to do iptables from now on rather than nft.

Otherwise, our firewall rules get applied whenever a network is restarted which happens during most configuration changes to the network as well as restarting Incus.

Sorry it took a while to reply, I was out of town for American Thanksgiving.

$ incus info | grep firewall
- network_firewall_filtering
- firewall_driver
  firewall: xtables

Is there a way to switch it from xtables to nftables?

No, there’s no way to force it.

Normally the logic looks something like this:

  • Check if nftables and tools are available, check that the kernel is recent enough and that nft seems to behave, then check if any rules already exist in nft
  • If everything checks out and nft rules already exist, we’ll use nft
  • If everything checks out but no rules are found, we’ll go and check xtables
  • If xtables checks out and rules are found, then we go with xtables
  • If xtables checks out and no rules are found, then we go nft if supported, if not we go xtables
  • If neither check out, we go xtables

For nft the compat check is basically:

  • Kernel >= 5.2
  • nft command is accessible
  • nft is 0.9.1 or higher
  • Check that we can create and delete a test table

Thanks. It looks like there are actually some issues with the incus package on Gentoo that are the likely culprit here. It exclusively depends on iptables, so apparently I’ve still had iptables installed, and incus is setting iptables rules while I’m trying to use nftables.

I’ll create a Gentoo bug and see if they can update the package dependencies, hopefully that’ll clear things up for me. Thanks!

On my system I had both iptables and nftables installed. I wanted to switch to nftables. But even with all iptables chains flushed and having some rules in nft, incus kept using iptables.

Then I deinstalled iptables with the result that incus networks are not working anymore. So I could not convince incusd to use nftables.

 ~ # incus info | grep firewall:
  firewall: xtables
 ~ #

Looking at the debug log I see:

DEBUG  [2025-02-24T00:18:31+01:00] Firewall detected "nftables" incompatibility: Failed parsing nftables existing ruleset: EOF

In the incus code, you can see that it had already successfully created and deleted a test table at this point.

The problem here is that incus uses the json output format for nftables in the next test like nft --json -nn list ruleset, but json support is not compiled into nftables on gentoo by default. And the incus package is currently missing that detail in its dependencies.

~ # nft --json -nn list ruleset
JSON support not compiled-in
~ #

As far as I can see, incus uses --json only in this test, so @stgraber maybe it would be worth it to remove the --json option here to increase compatibility?

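A shell re-creation of the nft compatibility probe stgraber outlines and of the JSON-output step that fails in the Gentoo post above, added here as an example and not Incus's own code. The probe table name probe_example, the parsing of nft --version, and the 1/0 flag interface of choose_driver are assumptions for illustration.

```shell
#!/bin/sh
# Example only (not Incus code): reproduce the driver-selection checks from the thread.

# version_ge A B: returns 0 when dotted version A >= B (suffixes like "-generic" ignored).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        x="${x%%[!0-9]*}"; y="${y%%[!0-9]*}"   # keep the leading digits only
        x="${x:-0}"; y="${y:-0}"
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# Classify the output of 'nft --json -nn list ruleset': a JSON object means usable,
# "JSON support not compiled-in" (or an empty ruleset read) is what Incus logs as an
# nftables incompatibility and falls back to xtables.
json_ruleset_ok() {
    case "$1" in
        "{"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live probe: kernel >= 5.2, nft present and >= 0.9.1, test table create/delete, JSON output.
# Needs root; version parsing and the probe table name are assumptions.
nft_compatible() {
    version_ge "$(uname -r)" 5.2 || return 1
    command -v nft >/dev/null 2>&1 || return 1
    v="$(nft --version 2>/dev/null | sed -n 's/^nftables v\([0-9][0-9.]*\).*/\1/p')"
    version_ge "${v:-0}" 0.9.1 || return 1
    nft add table inet probe_example 2>/dev/null && nft delete table inet probe_example 2>/dev/null || return 1
    json_ruleset_ok "$(nft --json -nn list ruleset 2>&1)"
}

# Decision tree from the thread. Flags (1/0): nft usable, nft has rules, xtables usable,
# xtables has rules. Prints the chosen driver. Existing iptables rules win over a working nft,
# which is why the Gentoo setups above report "firewall: xtables".
choose_driver() {
    nft_ok=$1; nft_rules=$2; xt_ok=$3; xt_rules=$4
    if [ "$nft_ok" = 1 ] && [ "$nft_rules" = 1 ]; then echo nftables; return; fi
    if [ "$xt_ok" = 1 ] && [ "$xt_rules" = 1 ]; then echo xtables; return; fi
    if [ "$nft_ok" = 1 ]; then echo nftables; else echo xtables; fi   # no rules anywhere
}

[ "${1-}" = probe ] && { nft_compatible && echo "nftables usable" || echo "falling back to xtables"; }
```

Run it as `sh probe.sh probe` on the host to see which way the checks go; the pure helpers can be sourced and exercised without root.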