How to use network address sets
Note
Network address sets work with ACLs, and only with OVN networks or with bridged networks using nftables.
A network address set is a list of IPv4 or IPv6 addresses, with or without a CIDR suffix. Address sets can be used in the source or destination fields of ACLs.
Address set properties
Address sets have the following properties:
| Property | Type | Required | Description |
|---|---|---|---|
|  | string | yes | Name of the network address set |
|  | string | no | Description of the network address set |
|  | string list | no | Ingress traffic rules |
Address set configuration options
The following configuration options are available for all network address sets:
Creating an address set
Use the following command to create an address set.
incus network address-set create <name> [configuration_options...]
This creates an address set without any addresses. You can then add addresses to it.
Add or remove addresses
Adding addresses is pretty straightforward:
incus network address-set add <name> <address1> <address2>
There is no restriction on the kind of address you add to a set: a mix of IPv4 addresses, IPv6 addresses and CIDR ranges can be used without disruption.
To remove addresses, use the remove command instead:
incus network address-set remove <name> <address1> <address2>
Use of address sets in ACL rules
To use an address set in an ACL, prefix its name with $ (you need to escape the dollar sign on the command line). You can then refer to the address set in the source or destination fields of an ACL rule.
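The steps above as one POSIX shell script, added here as an example that is not part of the Incus documentation: it creates a set, adds mixed addresses, and references the set from an ACL rule while checking that the $ reached the command intact. The set name trusted, the ACL name web-acl, the addresses and the helper functions run, check_ref and allow_from_set are assumptions; with DRY_RUN=1 (the default) the commands are printed instead of executed.

```shell
#!/bin/sh
# Added example, not from the Incus documentation. The names "trusted" and
# "web-acl", the addresses and the helper functions are constructed.
# DRY_RUN=1 (default) prints each command instead of calling incus.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "incus $*"   # arguments as incus would receive them
    else
        incus "$@"
    fi
}

# Reject a value where the shell already consumed the "$name" reference
# (empty string, or anything without a leading "$" and a name after it).
check_ref() {
    case "$1" in
        '$'?*) return 0 ;;
        *) echo "not an address set reference: '$1'" >&2; return 1 ;;
    esac
}

# allow_from_set ACL REF PORT: allow ingress TCP to PORT from the address
# set referenced by REF, which must arrive here as a literal "$name".
allow_from_set() {
    check_ref "$2" || return 1
    run network acl rule add "$1" ingress action=allow \
        "source=$2" protocol=tcp "destination_port=$3"
}

run network address-set create trusted
# An IPv4 address, an IPv4 CIDR range and an IPv6 CIDR range in the same set.
run network address-set add trusted 192.0.2.10 198.51.100.0/24 2001:db8::/64
run network acl create web-acl
# Single quotes (or \$trusted) keep the dollar sign literal.
allow_from_set web-acl '$trusted' 443
```

If the dollar sign is left unescaped inside double quotes and no shell variable named trusted exists, the argument becomes source= with no set reference; check_ref stops that before the rule is written.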