Incus: Difference between revisions
replace lxd with incus in image information |
Document unexpected interaction between Incus and the NixOS nftables Firewall implementation on hosts which have a stateVersion value older than 23.11. |
||
| Line 90: | Line 90: | ||
OR, the entire intreface can be trusted. <syntaxhighlight lang="nix"> | OR, the entire intreface can be trusted. <syntaxhighlight lang="nix"> | ||
networking.firewall.trustedInterfaces = [ "incusbr0" ]; | networking.firewall.trustedInterfaces = [ "incusbr0" ]; | ||
</syntaxhighlight> | |||
Prior to version [https://nixos.org/blog/announcements/2023/nixos-2311/ NixOS 23.11 "Tapir"] the default behavior of the NixOS nftables [[Firewall]] implementation was to flush the full ruleset at any change to the nftables rules. This behavior has since been changed; however, for back-portability, it still persists in configurations with a {{nixos:option|system.stateVersion}} value set prior to <code>"23.11"</code>. This often results in the Incus ruleset table (named "incus") being wiped, resulting in loss of connectivity across VMs and containers. To prevent this from occurring on affected NixOS instances, the new implementation has to be enabled manually.<syntaxhighlight lang="nix"> | |||
networking.nftables.flushRuleset = false; | |||
</syntaxhighlight> | </syntaxhighlight> | ||
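Review bot: The last sentence of the added paragraph says "the new implementation has to be enabled manually", but the snippet that follows sets networking.nftables.flushRuleset = false;, so the reader is turning an option off rather than enabling anything. Wording such as "the full ruleset flush has to be disabled manually" would match the option shown. "back-portability" appears to mean backward compatibility for configurations with an older system.stateVersion, and that term would be clearer. The paragraph also starts directly after the closing tag of the trustedInterfaces block with no heading, although it covers a separate problem (the "incus" table being wiped) from the decision to trust incusbr0; a short subheading would keep the two apart. The unchanged context line still reads "intreface" and could be corrected in the same edit.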