Unable to use xtables due to hard dependency on nftables

[gianfurrer]

I'm currently trying to switch from LXD to Incus. I am still depending on the xtables firewall.

Since this commit, nftables seems to be a hard dependency. And since nftables seems to get prioritized over xtables (according to this code) I don't see a way to make incus use the xtables firewall anymore:

incus info | grep firewall
- network_firewall_filtering
- firewall_driver
  firewall: nftables

Is this intentional? And if so, is there a way to still depend on xtables as firewall in Incus?

[stgraber]

Incus will use xtables if xtables is detected to already have some rules loaded at the time Incus starts.

But not that this is only true if your system uses the real xtables. Both Debian and Ubuntu default to having xtables drive nft behind the scenes.

[gianfurrer]

I assume with real xtables you mean iptables-legacy instead of iptables-nft? If so, then that is the case in my scenario.

Incus will use xtables if xtables is detected to already have some rules loaded at the time Incus starts.

I just reinstalled incus while making sure that I have xtables entries and now it actually uses xtables, so thanks for that!

But is it still possible to have nftables as an optional dependency again? I don't see a reason to have it installed when depending on xtables and it also wasn't necessary in the past.

Additionally, https://packages.ubuntu.com/noble/incus also still mentions that either nftables or iptables is required.