So actually only ovn NICs support using security.acls at the NIC level.
The bridged NICs do not support this, and only support ACLs being assigned at the managed network level.
This is due to a limitation in the netfilter framework in the kernel not providing sufficient information when doing intra-bridge filtering, see How to configure network ACLs - LXD documentation
But in principle, because the routed NICs do not have a bridge, and thus are not affected by intra-bridge filtering limitations, they could be made to be able to have ACLs associated to them.
But because they do not have a managed network to actually store the rules (the current underlying DB tables that store the rules are keyed to network ID), it would need a new set of DB tables, as well as API and CLI extensions in order to allow the rules to be created/managed at the NIC level before being able to be assigned to the NIC itself.