I don’t seem to be able to add a network.acls key to a routed device. Am I correct in presuming that the acls feature only applies to plain bridge and OVN networks at present?
Is there a roadmap plan to add support for routed devices? (goal is to have net devices where I can assign/enforce external IPV4s to the machine from outside the container, rather than inside)
I also hit some troubles trying to assign network.acls to an unmanaged bridge, ie where the host machine has a bridge with public IPV4 on it, and the container is a device attached to that bridge in order to get an external IP address. Is this a supported setup for net ACLs at present? (ie am I just getting the config wrong and it should be possible?)
Because network ACLs require somewhere to store the associated rules for each ACL they can only be applied to managed networks. This is why they are not supported on routed NICs or unmanaged bridges - neither have an associated managed network.
There isn’t anything on the roadmap at this time to support ACLs for NICs without managed networks.
You can add firewall rules to the host directly though and use the host_name property of the routed NIC so that it has a predicable interface name on the host side.
So actually only ovn NICs support using security.acls at the NIC level.
The bridged NICs do not support this, and only support ACLs being assigned at the managed network level.
But in principle because the routed NICs do not have a bridge, and thus are not affected by intra-bridge filtering limtations, they could be made to be able to have ACLs associated to them.
But because they do not have a managed network to actually store the rules (the current underlying DB tables that store the rules are keyed to network ID), it would need a new set of DB tables, as well as API and CLI extensions in order to allow the rules to be created/managed at the NIC level before being able to be assigned to the NIC itself.
However we do support the concept of external networks (where they don’t actually set anything up on the host but rather are just presets of configuration info).
In principle routed NICs could be made to support using a physical network to get its parent interface setting and then that could be modified to allow storing ACL rules. As by that point it is effectively a managed network.
At the moment physical networks are just used for OVN uplink networks.