doc: Add documentation for network address sets

Signed-off-by: Isidore Reinhardt <pro.irhndt@4fk.fr>

doc/howto/network_acls.md

@@ -83,6 +83,7 @@ Incus automatically orders the rules based on the `action` property as follows:
 This means that when you apply multiple ACLs to a NIC, there is no need to specify a combined rule ordering.
 If one of the rules in the ACLs matches, the action for that rule is taken and no other rules are considered.
 
+(network-acls-rules-properties)=
 ### Rule properties
 
 ACL rules have the following properties:
@@ -111,6 +112,23 @@ The `source` field (for ingress rules) and the `destination` field (for egress r
 
 With this method, you can use ACL groups or network selectors to define rules for groups of instances without needing to maintain IP lists or create additional subnets.
 
+(network-acls-address-sets)=
+### Use address sets in rules
+
+```{note}
+This feature is supported only for the {ref}`bridge network using <network-bridge-firewall>` `nftables` and the {ref}`network-ovn`.
+```
+
+The `source` field (for ingress rules) and the `destination` field (for egress rules) support using address sets.
+
+With this feature you can create groups of addresses and / or networks to match rules against. You can eventually mix them with literals addresses and CIDR.
+
+To use one in a rule:
+
+```
+source=\$<name>
+```
+
 (network-acls-groups)=
 #### ACL groups
 

doc/howto/network_address_sets.md

@@ -0,0 +1,59 @@
+(network-address-sets)=
+# How to use network address sets
+
+```{note}
+Network address sets are working with {ref}`ACLs <network-acls>` and work only with {ref}`network-ovn` or with {ref}`bridged networks <network-bridge-firewall>` using `nftables` only.
+```
+
+Network address sets are a list of either IPv4, IPv6 addresses with or without CIDR suffix. They can be used in source or destination fields of {ref}`ACLs <network-acls-rules-properties>`.
+
+## Address set properties
+
+Address sets have the following properties:
+
+Property         | Type         | Required | Description
+:--              | :--          | :--      | :--
+`name`           | string       | yes      | Name of the network address set
+`description`    | string       | no       | Description of the network address set
+`addresses`      | string list  | no       | Ingress traffic rules
+
+## Address set configuration options
+
+The following configuration options are available for all network address sets:
+
+% Include content from [../config_options.txt](../config_options.txt)
+```{include} ../config_options.txt
+    :start-after: <!-- config group network_address_set-common start -->
+    :end-before: <!-- config group network_address_set-common end -->
+```
+
+## Creating an address set
+
+Use the following command to create an address set.
+
+```bash
+incus network address-set create <name> [configuration_options...]
+```
+
+This will create an address set without any addresses, after this you can {ref}`add addresses <manage-addresses-in-set>`.
+
+(manage-addresses-in-set)=
+## Add or remove addresses
+
+Adding addresses is pretty straightforward:
+
+```bash
+incus network address-set add <name> <address1> <address2>
+```
+
+There is no restriction about the kind of address you are appending in your set, a mix of IPv4, IPv6 and CIDR can be used without disruption.
+
+To remove addresses, the same `remove` command can be used instead.
+
+```bash
+incus network address-set remove <name> <address1> <address2>
+```
+
+## Use of address sets in ACL rules
+
+In order to use an address set in an {ref}`ACL <network-acls-address-sets>`, we need to prepend `name` with `$` (you need to escape the dollar in command line). Then we can refer the address set in `source` or `destination` fields of an ACL rule.

doc/networks.md

@@ -8,6 +8,7 @@
 Create and configure a network </howto/network_create>
 Configure a network </howto/network_configure>
 Configure network ACLs </howto/network_acls>
+Configure network address sets </howto/network_address_sets>
 Configure network forwards </howto/network_forwards>
 Configure network integrations </howto/network_integrations>
 Configure network zones </howto/network_zones>