When I delete a port forward, the iptables rules are not deleted.

[viniciusbarretobr]

Required information

• Distribution: Debian
• Distribution version: Debian GNU/Linux 11 (bullseye)
• The output of "inc info" or if that fails:
  • Kernel version: 5.10.0-26-cloud-amd64
  • LXC version: bash: "root@incus-1:/home/debian# lcx: lcx: command not found"
  • Incus version: 0.3
  • Storage backend in use: dir

Issue description

When I delete a port forward, the iptables rules are not deleted. They only disappear after we restart the main operating system

Steps to reproduce

1. Create a forward port for an ip
2. delete a forward
3. Run the command "iptables -nvL -t nat" and see that the rules are still there.

Information to attach

• [ ] Any relevant kernel output (dmesg)
• [ ] Container log (inc info NAME --show-log)
• [ ] Container configuration (inc config show NAME --expanded)
• [ ] Main daemon log (at /var/log/incus/incus.log)
• [ ] Output of the client with --debug
• [ ] Output of the daemon with --debug (alternatively output of inc monitor while reproducing the issue)

[stgraber]

Can you show the incus info output? I'd like to know what firewall driver Incus is using.

[stgraber]

Okay, so the issue is that your system must have been using the iptables nft shim.

You can avoid this by either installing the nftables package or using update-alternatives to switch iptables, ip6tables and ebtables to their "real" binary (legacy).

You must have been getting an error on Incus startup in your incusd.log pointing that situation out.

I found a way to workaround this particular issue so it will work with the nft wrapper tools, but that's not really a setup that we can reliably support, so it'd be best to either fully go back to the old xtables or fully switch to nftables.