Network ACLs possible on routed devices?

So actually only ovn NICs support using security.acls at the NIC level.
The bridged NICs do not support this, and only support ACLs being assigned at the managed network level.

This is due to a limitation in the netfilter framework in the kernel not providing sufficient information when doing intra-bridge filtering; see "How to configure network ACLs" in the LXD documentation.

But in principle, because the routed NICs do not have a bridge, and thus are not affected by intra-bridge filtering limitations, they could be made to be able to have ACLs associated to them.

But because they do not have a managed network to actually store the rules (the current underlying DB tables that store the rules are keyed to network ID), it would need a new set of DB tables, as well as API and CLI extensions in order to allow the rules to be created/managed at the NIC level before being able to be assigned to the NIC itself.