Questions about network ACLs

Hello,

I’m playing a bit with ACLs but I must say I find them difficult to grasp and configure compared to an nftables/iptables firewall.

I may be missing something obvious, hence my questions!

For example:

  • When adding a rule, there apparently is no “forward” equivalent; one has to play with ingress & egress. Additionally, it does not seem possible to specify a ‘source’ for an egress rule nor a ‘destination’ for an ingress one:

    => how does one add a rule specifically matching a given ‘source’ and ‘destination’ (only for traffic in the forward chain)?

  • The doc says that ACL rules are ordered based on the action property like this:

    => I find this disturbing, as we usually allow the traffic we want and deny everything else; this seems the other way around. Is there a reason?

  • From the same documentation page: “If one of the rules in the ACLs matches, the action for that rule is taken and no other rules are considered.”

    => How to deny outgoing traffic to 10.11.12.0/24 while still allowing outgoing traffic to 10.11.12.13/32?

  • Are the ACLs converted to nftables rules at some point? How does it work? Can we see the ruleset? Or even edit it?

  • Am I missing something? Is there a better way to configure the firewall ruleset on IncusOS than ACLs?

Thank you!

  1. Everything can be seen as forward
  2. It says that any rule with the drop action will be applied first, then any rule with reject, then any rule with allow, and finally the default action is applied, which defaults to reject. That matches your expectation: if you put allow rules for the traffic you want, everything else will hit the default action, which will then cause a reject. If you want to specifically drop or reject some traffic which your less specific allow rule would otherwise allow, then putting a drop or reject rule will work, as that gets applied before the allow.
  3. Put an allow rule for 10.11.12.13/32 and let the default action reject the rest
  4. The ACL mechanism was designed for OVN, that’s where all features are available, but we do also support it with regular bridges, in which case they do get turned into nftables rules. You can see the ruleset with nft list ruleset but the rules are directly pushed by Incus and can’t be modified.
  5. For traffic to instances running on a bridge, the network ACLs feature is going to be the way to go. Though note that IncusOS also has a separate firewall feature to control traffic destined for the host itself (meant to restrict access on the management/WAN interface).
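The evaluation order described in the answer above (all drop rules, then all reject rules, then all allow rules, then the ACL's default action), modelled as an added Python example. This is not Incus code nor code from this thread; the rule sets and packet addresses are constructed for illustration, and the `incus network acl rule add` line in the comments is the assumed CLI equivalent of the first rule set. The model shows the answer's recipe for question 3, what happens if one instead writes an explicit reject for the /24 next to the /32 allow, and a drop rule carving one host out of a broader allow.

```python
"""Toy model of Incus network ACL evaluation order.

Added illustration, not Incus code: it only encodes the ordering described
in the answer (drop, then reject, then allow, then the default action) so
the effect of a rule set can be reasoned about before committing it with
`incus network acl ...` (CLI invocation assumed, see comments below).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Lower number = evaluated earlier. The default action is applied only if
# no rule of any action matched.
ACTION_PRIORITY = {"drop": 0, "reject": 1, "allow": 2}


@dataclass(frozen=True)
class Rule:
    direction: str                     # "ingress" or "egress"
    action: str                        # "drop", "reject" or "allow"
    source: Optional[str] = None       # CIDR; used on ingress rules
    destination: Optional[str] = None  # CIDR; used on egress rules
    protocol: Optional[str] = None     # e.g. "tcp"; None matches any protocol


def _in_cidr(addr: str, cidr: Optional[str]) -> bool:
    """An unset selector matches everything (as an empty field does)."""
    if cidr is None:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def _matches(rule: Rule, direction: str, src: str, dst: str, proto: str) -> bool:
    return (
        rule.direction == direction
        and (rule.protocol is None or rule.protocol == proto)
        and _in_cidr(src, rule.source)
        and _in_cidr(dst, rule.destination)
    )


def evaluate(rules: List[Rule], direction: str, src: str, dst: str,
             proto: str = "tcp", default_action: str = "reject") -> str:
    """Return the action taken for one packet under the drop/reject/allow order."""
    # sorted() is stable, so rules sharing an action keep their listed order;
    # that order is irrelevant anyway, since they all yield the same action.
    for rule in sorted(rules, key=lambda r: ACTION_PRIORITY[r.action]):
        if _matches(rule, direction, src, dst, proto):
            return rule.action
    return default_action


# --- Constructed rule sets for the scenarios discussed in the thread ---------

def acl_allow_host_only() -> List[Rule]:
    """The answer's recipe for question 3: allow the /32 and let the default
    action (reject) handle everything else, including the rest of
    10.11.12.0/24.  Assumed CLI equivalent:
      incus network acl rule add <acl> egress action=allow destination=10.11.12.13/32
    """
    return [Rule("egress", "allow", destination="10.11.12.13/32")]


def acl_with_explicit_reject() -> List[Rule]:
    """The tempting variant: a broad allow, an explicit reject for the /24
    and an allow for the /32.  Because reject rules are evaluated before
    allow rules, the /32 is rejected as well."""
    return [
        Rule("egress", "allow", destination="0.0.0.0/0"),
        Rule("egress", "reject", destination="10.11.12.0/24"),
        Rule("egress", "allow", destination="10.11.12.13/32"),
    ]


def acl_drop_overrides_allow() -> List[Rule]:
    """The case in the answer's point 2: a less specific allow with one host
    carved out by a drop rule, which wins because drop is applied first."""
    return [
        Rule("ingress", "allow", source="192.0.2.0/24", protocol="tcp"),
        Rule("ingress", "drop", source="192.0.2.99/32"),
    ]


if __name__ == "__main__":
    # Constructed sample packets (documentation/test address ranges).
    cases = [
        ("allow host only", acl_allow_host_only(), "egress", "10.0.0.5", "10.11.12.13"),
        ("allow host only", acl_allow_host_only(), "egress", "10.0.0.5", "10.11.12.14"),
        ("explicit reject", acl_with_explicit_reject(), "egress", "10.0.0.5", "10.11.12.13"),
        ("explicit reject", acl_with_explicit_reject(), "egress", "10.0.0.5", "203.0.113.7"),
        ("drop carve-out", acl_drop_overrides_allow(), "ingress", "192.0.2.99", "10.0.0.5"),
        ("drop carve-out", acl_drop_overrides_allow(), "ingress", "192.0.2.10", "10.0.0.5"),
    ]
    for name, rules, direction, src, dst in cases:
        print(f"{name:16} {direction:7} {src:>12} -> {dst:<12} "
              f"{evaluate(rules, direction, src, dst)}")
```

Running it prints the resulting action for each constructed packet. The second rule set is the caveat worth remembering: under this ordering an explicit reject for 10.11.12.0/24 is evaluated before the /32 allow and so blocks 10.11.12.13 too, which is why the answer relies on the default action rather than an explicit reject for the rest of the subnet.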

Thanks!

  1. Oh :face_with_peeking_eye: For some reason, I was indeed missing the default action in my reasoning! Thanks for clarifying that :+1:

  2. OK, and out of curiosity, as I’m using IncusOS, is there a way to see the nftables ruleset through the incus client? I cannot find how :thinking:

  3. OK! And about the separate firewall feature to restrict access on the management interface, do you mean the core.https_address property? (I’ve searched through the doc “How to expose Incus to the network” but could not find something more granular?)

Anyway, thanks again for your time, I really appreciate it :-)

Nope, but it’s something we’re likely to be adding as we’re growing our set of debug APIs.

Network - IncusOS documentation
incus-os/incus-osd/api/system_network.go at main · lxc/incus-os · GitHub
