diff --git a/doc/howto/network_acls.md b/doc/howto/network_acls.md index ca786464c..70f0d9191 100644 --- a/doc/howto/network_acls.md +++ b/doc/howto/network_acls.md @@ -83,6 +83,7 @@ Incus automatically orders the rules based on the `action` property as follows: This means that when you apply multiple ACLs to a NIC, there is no need to specify a combined rule ordering. If one of the rules in the ACLs matches, the action for that rule is taken and no other rules are considered. +(network-acls-rules-properties)= ### Rule properties ACL rules have the following properties: @@ -111,6 +112,23 @@ The `source` field (for ingress rules) and the `destination` field (for egress r With this method, you can use ACL groups or network selectors to define rules for groups of instances without needing to maintain IP lists or create additional subnets. +(network-acls-address-sets)= +### Use address sets in rules + +```{note} +This feature is supported only for the {ref}`bridge network using ` `nftables` and the {ref}`network-ovn`. +``` + +The `source` field (for ingress rules) and the `destination` field (for egress rules) support using address sets. + +With this feature you can create groups of addresses and / or networks to match rules against. You can eventually mix them with literals addresses and CIDR. + +To use one in a rule: + +``` +source=\$ +``` + (network-acls-groups)= #### ACL groups diff --git a/doc/howto/network_address_sets.md b/doc/howto/network_address_sets.md new file mode 100644 index 000000000..bde9c0808 --- /dev/null +++ b/doc/howto/network_address_sets.md 
@@ -0,0 +1,59 @@ +(network-address-sets)= +# How to use network address sets + +```{note} +Network address sets are working with {ref}`ACLs ` and work only with {ref}`network-ovn` or with {ref}`bridged networks ` using `nftables` only. +``` + +Network address sets are a list of either IPv4, IPv6 addresses with or without CIDR suffix. They can be used in source or destination fields of {ref}`ACLs `. + +## Address set properties + +Address sets have the following properties: + +Property | Type | Required | Description +:-- | :-- | :-- | :-- +`name` | string | yes | Name of the network address set +`description` | string | no | Description of the network address set +`addresses` | string list | no | Ingress traffic rules + +## Address set configuration options + +The following configuration options are available for all network address sets: + +% Include content from [../config_options.txt](../config_options.txt) +```{include} ../config_options.txt + :start-after: + :end-before: +``` + +## Creating an address set + +Use the following command to create an address set. + +```bash +incus network address-set create [configuration_options...] +``` + +This will create an address set without any addresses, after this you can {ref}`add addresses `. + +(manage-addresses-in-set)= +## Add or remove addresses + +Adding addresses is pretty straightforward: + +```bash +incus network address-set add +``` + +There is no restriction about the kind of address you are appending in your set, a mix of IPv4, IPv6 and CIDR can be used without disruption. + +To remove addresses, the same `remove` command can be used instead. + +```bash +incus network address-set remove +``` + +## Use of address sets in ACL rules + +In order to use an address set in an {ref}`ACL `, we need to prepend `name` with `$` (you need to escape the dollar in command line). Then we can refer the address set in `source` or `destination` fields of an ACL rule. 
diff --git a/doc/networks.md b/doc/networks.md index 547adc7e8..f9a878cf6 100644 --- a/doc/networks.md +++ b/doc/networks.md @@ -8,6 +8,7 @@ Create and configure a network Configure a network Configure network ACLs +Configure network address sets Configure network forwards Configure network integrations Configure network zones
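Review bot: Heading level in the `doc/howto/network_acls.md` hunk at `@@ -111,6 +112,23 @@`: the new section is added as `### Use address sets in rules` directly above the existing `(network-acls-groups)=` / `#### ACL groups`, so ACL groups (a level-4 subsection of the `source` / `destination` field discussion) now renders as a child of the address-set section instead of a sibling; make it `#### Use address sets in rules` so the existing hierarchy is preserved. In the same hunk the `source=\$` snippet sits in an untagged fence, so the backslash reads as part of the ACL rule syntax rather than shell escaping; either show the unescaped rule value here, or tag the fence as `bash` and give the complete `incus network acl rule add ...` invocation (the new `network_address_sets.md` page already states that the dollar must be escaped on the command line, so one of the two pages should carry the full form). Wording: `literals addresses and CIDR` should read `literal addresses and CIDR ranges`, and `You can eventually mix them` should read `You can also mix them`.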
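Review bot: Wrong description in the properties table of the new `doc/howto/network_address_sets.md`: the `addresses` row says `Ingress traffic rules`, which is copied from the ACL property table; it should describe the set's content, for example `List of IPv4 and/or IPv6 addresses, with or without CIDR suffix`. The three command examples appear as `incus network address-set create [configuration_options...]`, `incus network address-set add` and `incus network address-set remove` with no name or address placeholders visible, and the `{include}` directive's `:start-after:` and `:end-before:` options appear with no values; confirm the placeholders and markers survive rendering, and wrap them in backticks inside the fences if they do not. Since these sets determine the effective firewall policy, the `Use of address sets in ACL rules` section should also document what a rule matches when the referenced set is empty, and what happens to ACL rules that still reference a set when that set is removed (refused, or the rule silently stops matching). Wording: `Network address sets are working with` -> `Network address sets work with`; `a list of either IPv4, IPv6 addresses` -> `a list of IPv4 and/or IPv6 addresses`; `we need to prepend` -> `prefix the set name with`; and the headings `Creating an address set` / `Use of address sets in ACL rules` should match the imperative style of the page's other headings (`Create an address set`, `Use address sets in ACL rules`).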