When does Incus generate/insert its nftables rules?

On my system I had both iptables and nftables installed. I wanted to switch to nftables. But even with all iptables chains flushed and with some rules in nft, incus kept using iptables.

Then I uninstalled iptables, with the result that incus networks are not working anymore. So I could not convince incusd to use nftables.

~ # incus info | grep firewall:
  firewall: xtables
~ #

Looking at the debug log I see:

DEBUG  [2025-02-24T00:18:31+01:00] Firewall detected "nftables" incompatibility: Failed parsing nftables existing ruleset: EOF

In the incus code, you can see that it had already successfully created and deleted a test table at this point.

The problem here is that incus uses the JSON output format for nftables in the next test (nft --json -nn list ruleset), but JSON support is not compiled into nftables on Gentoo by default. And the incus package is currently missing that detail in its dependencies.

~ # nft --json -nn list ruleset
JSON support not compiled-in
~ #

As far as I can see, incus uses --json only in this test, so @stgraber maybe it would be worth it to remove the --json option here to increase compatibility?

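The probe sequence described in the post can be reproduced outside incusd, which makes it easy to tell before starting Incus whether the nftables driver will be usable or whether the host will silently fall back to xtables. The script below is an added example, not Incus code: it mirrors the two steps the post names (create and delete a throwaway table, then run `nft --json -nn list ruleset` and check that the output is parseable) and classifies what `nft` returns, including the "JSON support not compiled-in" case. The table name and family used for the first step are my own choice, not what Incus actually uses.

```shell
#!/bin/sh
# Added example (not Incus code): reproduce the probe Incus runs when deciding
# whether its nftables driver is usable, so the failure can be diagnosed
# before incusd falls back to xtables.
#
# Step 1 mirrors "create and delete a test table" (needs root; the table name
# and family below are assumptions, not what Incus uses).
# Step 2 mirrors `nft --json -nn list ruleset`, which needs nft built with JSON.

# nft_json_probe NFT_BIN
# Prints one classification on stdout and returns 0 only for "json-ok":
#   json-ok            stdout starts with a JSON object, ruleset is parseable
#   json-not-compiled  nft reported "JSON support not compiled-in"
#   json-empty         nft returned nothing on stdout (what Incus reports as "EOF")
#   json-invalid       nft printed something that is not a JSON object
#   nft-failed         nft missing or exited non-zero for some other reason
nft_json_probe() {
    nft_bin="${1:-nft}"
    err_file=$(mktemp) || return 1
    out=$("$nft_bin" --json -nn list ruleset 2>"$err_file")
    rc=$?
    err=$(cat "$err_file")
    rm -f "$err_file"

    # The message may land on either stream depending on the nft build, so check both.
    case "$out$err" in
        *"JSON support not compiled-in"*) echo json-not-compiled; return 1 ;;
    esac
    if [ "$rc" -ne 0 ]; then
        echo nft-failed; return 1
    fi
    if [ -z "$out" ]; then
        echo json-empty; return 1
    fi
    case "$out" in
        "{"*) echo json-ok; return 0 ;;
        *)    echo json-invalid; return 1 ;;
    esac
}

# nft_table_probe NFT_BIN
# Creates and deletes a throwaway table, the first thing Incus does. Needs root;
# when not root the step is skipped rather than failed.
nft_table_probe() {
    nft_bin="${1:-nft}"
    tbl="incus_probe_$$"   # assumed name, not Incus's own
    if [ "$(id -u)" -ne 0 ]; then
        echo table-skipped-not-root; return 0
    fi
    if "$nft_bin" add table inet "$tbl" 2>/dev/null &&
       "$nft_bin" delete table inet "$tbl" 2>/dev/null; then
        echo table-ok; return 0
    fi
    echo table-failed; return 1
}

# nft_probe NFT_BIN: run both steps and say which firewall driver to expect.
nft_probe() {
    nft_bin="${1:-nft}"
    t=$(nft_table_probe "$nft_bin"); t_rc=$?
    j=$(nft_json_probe "$nft_bin");  j_rc=$?
    echo "table probe: $t"
    echo "json probe:  $j"
    if [ "$t_rc" -eq 0 ] && [ "$j_rc" -eq 0 ]; then
        echo "verdict: nftables driver should load"
        return 0
    fi
    echo "verdict: expect 'firewall: xtables' (or broken networking once iptables is removed)"
    return 1
}

# Usage: sh nft-probe.sh /usr/sbin/nft   (or just: sh nft-probe.sh nft)
if [ "$#" -gt 0 ]; then
    nft_probe "$1"
fi
```

Run it as root with the path to the `nft` binary Incus would find on `$PATH`. A `json-not-compiled` result is exactly the situation in the post: the table step passes, the JSON step fails, and `incus info` will keep showing `firewall: xtables`. On Gentoo the fix is to rebuild net-firewall/nftables with its `json` USE flag enabled (to my knowledge that is the flag name; check it with `equery uses net-firewall/nftables`) and then restart incusd.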