incusd/device/nic/ovn: Handle address set when cleaing ACLs

Signed-off-by: Isidore Reinhardt <pro.irhndt@4fk.fr>

internal/server/device/nic_bridged.go

@@ -32,6 +32,7 @@ import (
 	"github.com/lxc/incus/v6/internal/server/ip"
 	"github.com/lxc/incus/v6/internal/server/network"
 	"github.com/lxc/incus/v6/internal/server/network/acl"
+	addressSet "github.com/lxc/incus/v6/internal/server/network/address-set"
 	"github.com/lxc/incus/v6/internal/server/project"
 	"github.com/lxc/incus/v6/internal/server/resources"
 	localUtil "github.com/lxc/incus/v6/internal/server/util"
@@ -1087,6 +1088,12 @@ func (d *nicBridged) removeFilters(m deviceConfig.Device) {
 	if err != nil {
 		logger.Errorf("Failed to remove DHCP network assigned filters  for %q: %v", d.name, err)
 	}
+
+	d.logger.Debug("Clearing instance firewall unused address sets")
+	err = d.state.Firewall.NetworkDeleteAddressSetsIfUnused("bridge")
+	if err != nil {
+		logger.Errorf("Failed to remove network address set for %q: %v", d.name, err)
+	}
 }
 
 // setFilters sets up any network level filters defined for the instance.
@@ -1181,12 +1188,21 @@ func (d *nicBridged) setFilters() (err error) {
 	}
 
 	var aclRules []firewallDrivers.ACLRule
-
+	var aclNames []string
 	if config["security.acls"] != "" {
+		aclNames = util.SplitNTrimSpace(config["security.acls"], ",", -1, false)
 		aclRules, err = acl.FirewallACLRules(d.state, d.name, d.inst.Project().Name, d.config)
 		if err != nil {
 			return err
 		}
+
+		// Ensure address sets for ACL, we state bridge because
+		// this is the table firewall driver will use for this kind of NIC.
+		err = addressSet.FirewallApplyAddressSetsForACLRules(d.state, "bridge", d.inst.Project().Name, aclNames)
+		if err != nil {
+			return err
+		}
+
 	}
 
 	err = d.state.Firewall.InstanceSetupBridgeFilter(d.inst.Project().Name, d.inst.Name(), d.name, d.config["parent"], d.config["host_name"], d.config["hwaddr"], IPv4Nets, IPv6Nets, d.network != nil, util.IsTrue(config["security.mac_filtering"]), aclRules)

internal/server/device/nic_ovn.go

@@ -25,6 +25,7 @@ import (
 	"github.com/lxc/incus/v6/internal/server/ip"
 	"github.com/lxc/incus/v6/internal/server/network"
 	"github.com/lxc/incus/v6/internal/server/network/acl"
+	addressset "github.com/lxc/incus/v6/internal/server/network/address-set"
 	"github.com/lxc/incus/v6/internal/server/network/ovn"
 	"github.com/lxc/incus/v6/internal/server/project"
 	"github.com/lxc/incus/v6/internal/server/resources"
@@ -807,6 +808,12 @@ func (d *nicOVN) Update(oldDevices deviceConfig.Devices, isRunning bool) error {
 			}
 		}
 
+		// Setup address sets for new ACLs
+		_, err := addressset.OVNEnsureAddressSetsViaACLs(d.state, d.logger, d.ovnnb, d.network.Project(), newACLs)
+		if err != nil {
+			return fmt.Errorf("Failed removing unused OVN address sets: %w", err)
+		}
+
 		// Setup the logical port with new ACLs if running.
 		if isRunning {
 			// Load uplink network config.
@@ -843,7 +850,12 @@ func (d *nicOVN) Update(oldDevices deviceConfig.Devices, isRunning bool) error {
 		}
 
 		if len(removedACLs) > 0 {
-			err := acl.OVNPortGroupDeleteIfUnused(d.state, d.logger, d.ovnnb, d.network.Project(), d.inst, d.name, newACLs...)
+			err := addressset.OVNDeleteAddressSetsViaACLs(d.state, d.logger, d.ovnnb, d.network.Project(), removedACLs)
+			if err != nil {
+				return fmt.Errorf("Failed removing unused OVN address sets: %w", err)
+			}
+
+			err = acl.OVNPortGroupDeleteIfUnused(d.state, d.logger, d.ovnnb, d.network.Project(), d.inst, d.name, newACLs...)
 			if err != nil {
 				return fmt.Errorf("Failed removing unused OVN port groups: %w", err)
 			}

internal/server/network/driver_ovn.go

@@ -4484,6 +4484,11 @@ func (n *ovn) InstanceDevicePortStart(opts *OVNInstanceNICSetupOpts, securityACL
 			return "", nil, fmt.Errorf("Failed clearing OVN default ACL rules for instance NIC: %w", err)
 		}
 
+		err := addressset.OVNAddressSetsDeleteIfUnused(n.state, n.logger, n.ovnnb, n.Project())
+		if err != nil {
+			return "", nil, fmt.Errorf("Failed removing unused OVN address sets: %w", err)
+		}
+
 		n.logger.Debug("Cleared NIC default rule", logger.Ctx{"port": instancePortName})
 	}