<!doctype html>
<html class="no-js" lang="en" data-content_root="../../">
<head><meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1">
<meta name="color-scheme" content="light dark"><meta name="viewport" content="width=device-width, initial-scale=1" />
<meta property="og:title" content="How to configure network ACLs" />
<meta property="og:type" content="website" />
<meta property="og:url" content="/howto/network_acls/" />
<meta property="og:site_name" content="LXD documentation" />
<meta property="og:description" content="Network ACLs define rules for controlling traffic: Between instances connected to the same network, To and from other networks. Network ACLs can be assigned directly to the NIC of an instance, or t..." />
<meta property="og:image" content="https://documentation.ubuntu.com/lxd/latest/_static/lxd_tag.png" />
<meta property="og:image:alt" content="LXD documentation" />
<meta name="description" content="Network ACLs define rules for controlling traffic: Between instances connected to the same network, To and from other networks. Network ACLs can be assigned directly to the NIC of an instance, or t..." />
<meta property="article:modified_time" content="2026-02-13T13:16:52+00:00" /><link rel="index" title="Index" href="../../genindex/"><link rel="search" title="Search" href="../../search/"><link rel="next" title="How to configure network forwards" href="../network_forwards/"><link rel="prev" title="How to configure LXD as a BGP server" href="../network_bgp/">
<link rel="canonical" href="/howto/network_acls/">
<link rel="shortcut icon" href="../../_static/favicon.ico"><!-- Generated with Sphinx 7.4.7 and Furo 2025.12.19 -->
<title>How to configure network ACLs - LXD documentation</title>
<link rel="stylesheet" type="text/css" href="../../_static/pygments.css?v=d111a655" />
<link rel="stylesheet" type="text/css" href="../../_static/styles/furo.css?v=7bdb33bb" />
<link rel="stylesheet" type="text/css" href="../../_static/copybutton.css?v=76b2166b" />
<link rel="stylesheet" type="text/css" href="../../_static/config-options.css" />
<link rel="stylesheet" type="text/css" href="../../_static/related-links.css" />
<link rel="stylesheet" type="text/css" href="../../_static/terminal.css" />
<link rel="stylesheet" type="text/css" href="../../_static/youtube.css" />
<link rel="stylesheet" type="text/css" href="../../_static/sphinx-design.min.css?v=95c83b7e" />
<link rel="stylesheet" type="text/css" href="../../_static/tabs.css?v=a5c4661c" />
<link rel="stylesheet" type="text/css" href="../../_static/styles/furo-extensions.css?v=8dab3a3b" />
<link rel="stylesheet" type="text/css" href="../../_static/lxd_custom.css?v=bfbf4da2" />
<link rel="stylesheet" type="text/css" href="../../_static/cookie-banner.css?v=b74831ab" />
<link rel="stylesheet" type="text/css" href="../../_static/custom.css?v=e189117a" />
<link rel="stylesheet" type="text/css" href="../../_static/header.css?v=a8078839" />
<link rel="stylesheet" type="text/css" href="../../_static/github_issue_links.css?v=3d761185" />
<link rel="stylesheet" type="text/css" href="../../_static/furo_colors.css?v=825fec6f" />
</head>
<body>
<header id="header" class="p-navigation">
<!-- Google Tag Manager -->
<script>
(function (win, doc, tagName, layerName, containerId) {
  // Google Tag Manager loader: fetches gtm.js from googletagmanager.com and
  // injects it ahead of the first <script> on the page, so whatever the
  // container serves executes in this document's context.
  // NOTE(review): the loader is an inline script that pulls third-party code at
  // run time — a strict CSP (no 'unsafe-inline' or nonce) would block it, and
  // subresource integrity cannot be applied to gtm.js. The snap path in the page
  // metadata suggests this copy is also viewed locally, where the request still
  // goes out to the network; worth confirming that is intended.
  win[layerName] = win[layerName] || [];
  win[layerName].push({ 'gtm.start': new Date().getTime(), event: 'gtm.js' });

  var firstScript = doc.getElementsByTagName(tagName)[0];
  var loader = doc.createElement(tagName);
  // Only a non-default data-layer name is forwarded in the query string.
  var layerParam = layerName != 'dataLayer' ? '&l=' + layerName : '';

  loader.async = true;
  loader.src = 'https://www.googletagmanager.com/gtm.js?id=' + containerId + layerParam;
  firstScript.parentNode.insertBefore(loader, firstScript);
})(window, document, 'script', 'dataLayer', 'GTM-KNX3CJC');
</script>
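<div class="p-navigation__nav" role="menubar">
<!-- NOTE(review): role="menubar" and role="menu" promise the ARIA menu keyboard
     pattern, but the children are plain <li>/<a> without menuitem roles. Unless
     the theme's JS implements that pattern, dropping the roles is the safer option. -->
<ul class="p-navigation__links" role="menu">
<li>
<!-- The logo image is decorative: the visible "LXD" text already names the link,
     and this link is not the current page, so aria-current does not belong here. -->
<a class="p-logo" href="https://canonical.com/lxd">
<img src="../../_static/lxd_tag.png" alt="" class="p-logo-image">
<div class="p-logo-text p-heading--4">LXD
</div>
</a>
</li>
<li class="nav-ubuntu-com">
<a href="https://canonical.com/lxd" class="p-navigation__link">canonical.com/lxd</a>
</li>
<li class="nav-dropdown">
<!-- NOTE(review): this toggle has no destination (href="#") and acts as a button;
     <button type="button"> would be the semantic element, kept as-is here because
     the theme's CSS/JS may hook on the anchor. -->
<a href="#" class="p-navigation__link nav-more-links"
id="more-resources-toggle"
aria-haspopup="true"
aria-expanded="false">
More resources
</a>
<ul class="more-links-dropdown" aria-labelledby="more-resources-toggle">
<li>
<a href="https://discourse.ubuntu.com/c/lxd/" class="p-navigation__sub-link p-dropdown__link">Discourse</a>
</li>
<li>
<a href="https://matrix.to/#/#documentation:ubuntu.com" class="p-navigation__sub-link p-dropdown__link">Matrix</a>
</li>
<li>
<a href="https://github.com/canonical/lxd" class="p-navigation__sub-link p-dropdown__link">GitHub</a>
</li>
</ul>
</li>
</ul>
</div>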
</header>
<script>
// Restore the colour theme chosen earlier (persisted under the "theme" key in
// localStorage) before the page renders; "auto" is used when nothing is stored.
(function () {
  var savedTheme = localStorage.getItem("theme");
  document.body.dataset.theme = savedTheme || "auto";
})();
</script>
<svg xmlns="http://www.w3.org/2000/svg" style="display: none;">
<symbol id="svg-toc" viewBox="0 0 24 24">
<title>Contents</title>
<svg stroke="currentColor" fill="currentColor" stroke-width="0" viewBox="0 0 1024 1024">
<path d="M408 442h480c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8H408c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8zm-8 204c0 4.4 3.6 8 8 8h480c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8H408c-4.4 0-8 3.6-8 8v56zm504-486H120c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h784c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zm0 632H120c-4.4 0-8 3.6-8 8v56c0 4.4 3.6 8 8 8h784c4.4 0 8-3.6 8-8v-56c0-4.4-3.6-8-8-8zM115.4 518.9L271.7 642c5.8 4.6 14.4.5 14.4-6.9V388.9c0-7.4-8.5-11.5-14.4-6.9L115.4 505.1a8.74 8.74 0 0 0 0 13.8z"/>
</svg>
</symbol>
<symbol id="svg-menu" viewBox="0 0 24 24">
<title>Menu</title>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather-menu">
<line x1="3" y1="12" x2="21" y2="12"></line>
<line x1="3" y1="6" x2="21" y2="6"></line>
<line x1="3" y1="18" x2="21" y2="18"></line>
</svg>
</symbol>
<symbol id="svg-arrow-right" viewBox="0 0 24 24">
<title>Expand</title>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="feather-chevron-right">
<polyline points="9 18 15 12 9 6"></polyline>
</svg>
</symbol>
<symbol id="svg-sun" viewBox="0 0 24 24">
<title>Light mode</title>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
stroke-width="1" stroke-linecap="round" stroke-linejoin="round" class="feather-sun">
<circle cx="12" cy="12" r="5"></circle>
<line x1="12" y1="1" x2="12" y2="3"></line>
<line x1="12" y1="21" x2="12" y2="23"></line>
<line x1="4.22" y1="4.22" x2="5.64" y2="5.64"></line>
<line x1="18.36" y1="18.36" x2="19.78" y2="19.78"></line>
<line x1="1" y1="12" x2="3" y2="12"></line>
<line x1="21" y1="12" x2="23" y2="12"></line>
<line x1="4.22" y1="19.78" x2="5.64" y2="18.36"></line>
<line x1="18.36" y1="5.64" x2="19.78" y2="4.22"></line>
</svg>
</symbol>
<symbol id="svg-moon" viewBox="0 0 24 24">
<title>Dark mode</title>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
stroke-width="1" stroke-linecap="round" stroke-linejoin="round" class="icon-tabler-moon">
<path stroke="none" d="M0 0h24v24H0z" fill="none" />
<path d="M12 3c.132 0 .263 0 .393 0a7.5 7.5 0 0 0 7.92 12.446a9 9 0 1 1 -8.313 -12.454z" />
</svg>
</symbol>
<symbol id="svg-sun-with-moon" viewBox="0 0 24 24">
<title>Auto light/dark, in light mode</title>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
stroke-width="1" stroke-linecap="round" stroke-linejoin="round"
class="icon-custom-derived-from-feather-sun-and-tabler-moon">
<path style="opacity: 50%" d="M 5.411 14.504 C 5.471 14.504 5.532 14.504 5.591 14.504 C 3.639 16.319 4.383 19.569 6.931 20.352 C 7.693 20.586 8.512 20.551 9.25 20.252 C 8.023 23.207 4.056 23.725 2.11 21.184 C 0.166 18.642 1.702 14.949 4.874 14.536 C 5.051 14.512 5.231 14.5 5.411 14.5 L 5.411 14.504 Z"/>
<line x1="14.5" y1="3.25" x2="14.5" y2="1.25"/>
<line x1="14.5" y1="15.85" x2="14.5" y2="17.85"/>
<line x1="10.044" y1="5.094" x2="8.63" y2="3.68"/>
<line x1="19" y1="14.05" x2="20.414" y2="15.464"/>
<line x1="8.2" y1="9.55" x2="6.2" y2="9.55"/>
<line x1="20.8" y1="9.55" x2="22.8" y2="9.55"/>
<line x1="10.044" y1="14.006" x2="8.63" y2="15.42"/>
<line x1="19" y1="5.05" x2="20.414" y2="3.636"/>
<circle cx="14.5" cy="9.55" r="3.6"/>
</svg>
</symbol>
<symbol id="svg-moon-with-sun" viewBox="0 0 24 24">
<title>Auto light/dark, in dark mode</title>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
stroke-width="1" stroke-linecap="round" stroke-linejoin="round"
class="icon-custom-derived-from-feather-sun-and-tabler-moon">
<path d="M 8.282 7.007 C 8.385 7.007 8.494 7.007 8.595 7.007 C 5.18 10.184 6.481 15.869 10.942 17.24 C 12.275 17.648 13.706 17.589 15 17.066 C 12.851 22.236 5.91 23.143 2.505 18.696 C -0.897 14.249 1.791 7.786 7.342 7.063 C 7.652 7.021 7.965 7 8.282 7 L 8.282 7.007 Z"/>
<line style="opacity: 50%" x1="18" y1="3.705" x2="18" y2="2.5"/>
<line style="opacity: 50%" x1="18" y1="11.295" x2="18" y2="12.5"/>
<line style="opacity: 50%" x1="15.316" y1="4.816" x2="14.464" y2="3.964"/>
<line style="opacity: 50%" x1="20.711" y1="10.212" x2="21.563" y2="11.063"/>
<line style="opacity: 50%" x1="14.205" y1="7.5" x2="13.001" y2="7.5"/>
<line style="opacity: 50%" x1="21.795" y1="7.5" x2="23" y2="7.5"/>
<line style="opacity: 50%" x1="15.316" y1="10.184" x2="14.464" y2="11.036"/>
<line style="opacity: 50%" x1="20.711" y1="4.789" x2="21.563" y2="3.937"/>
<circle style="opacity: 50%" cx="18" cy="7.5" r="2.169"/>
</svg>
</symbol>
<symbol id="svg-pencil" viewBox="0 0 24 24">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
stroke-width="1" stroke-linecap="round" stroke-linejoin="round" class="icon-tabler-pencil-code">
<path d="M4 20h4l10.5 -10.5a2.828 2.828 0 1 0 -4 -4l-10.5 10.5v4" />
<path d="M13.5 6.5l4 4" />
<path d="M20 21l2 -2l-2 -2" />
<path d="M17 17l-2 2l2 2" />
</svg>
</symbol>
<symbol id="svg-eye" viewBox="0 0 24 24">
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor"
stroke-width="1" stroke-linecap="round" stroke-linejoin="round" class="icon-tabler-eye-code">
<path stroke="none" d="M0 0h24v24H0z" fill="none" />
<path d="M10 12a2 2 0 1 0 4 0a2 2 0 0 0 -4 0" />
<path
d="M11.11 17.958c-3.209 -.307 -5.91 -2.293 -8.11 -5.958c2.4 -4 5.4 -6 9 -6c3.6 0 6.6 2 9 6c-.21 .352 -.427 .688 -.647 1.008" />
<path d="M20 21l2 -2l-2 -2" />
<path d="M17 17l-2 2l2 2" />
</svg>
</symbol>
</svg>
<input type="checkbox" class="sidebar-toggle" name="__navigation" id="__navigation" aria-label="Toggle site navigation sidebar">
<input type="checkbox" class="sidebar-toggle" name="__toc" id="__toc" aria-label="Toggle table of contents sidebar">
<label class="overlay sidebar-overlay" for="__navigation"></label>
<label class="overlay toc-overlay" for="__toc"></label>
<a class="skip-to-content muted-link" href="#furo-main-content">Skip to content</a>
<div class="page">
<header class="mobile-header">
<div class="header-left">
<label class="nav-overlay-icon" for="__navigation">
<span class="icon"><svg><use href="#svg-menu"></use></svg></span>
</label>
</div>
<div class="header-center">
<a href="../../"><div class="brand">LXD documentation</div></a>
</div>
<div class="header-right">
<div class="theme-toggle-container theme-toggle-header">
<button class="theme-toggle" aria-label="Toggle Light / Dark / Auto color theme">
<svg class="theme-icon-when-auto-light"><use href="#svg-sun-with-moon"></use></svg>
<svg class="theme-icon-when-auto-dark"><use href="#svg-moon-with-sun"></use></svg>
<svg class="theme-icon-when-dark"><use href="#svg-moon"></use></svg>
<svg class="theme-icon-when-light"><use href="#svg-sun"></use></svg>
</button>
</div>
<label class="toc-overlay-icon toc-header-icon" for="__toc">
<span class="icon"><svg><use href="#svg-toc"></use></svg></span>
</label>
</div>
</header>
<aside class="sidebar-drawer">
<div class="sidebar-container">
<div class="sidebar-sticky"><a class="sidebar-brand" href="../../">
<span class="sidebar-brand-text">LXD documentation</span>
</a><form class="sidebar-search-container" method="get" action="../../search/" role="search">
<input class="sidebar-search" placeholder="Search" name="q" aria-label="Search">
<input type="submit" value="Go">
<input type="hidden" name="check_keywords" value="yes">
<input type="hidden" name="area" value="default">
</form>
<div id="searchbox"></div><div class="sidebar-scroll"><div class="sidebar-tree">
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../../">LXD</a></li>
<li class="toctree-l1"><a class="reference internal" href="../../tutorial/first_steps/">Tutorial</a></li>
<li class="toctree-l1 current has-children"><a class="reference internal" href="../">How-to guides</a><input aria-label="Toggle navigation of How-to guides" checked="" class="toctree-checkbox" id="toctree-checkbox-1" name="toctree-checkbox-1" role="switch" type="checkbox"/><label for="toctree-checkbox-1"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul class="current">
<li class="toctree-l2 has-children"><a class="reference internal" href="../../getting_started/">Getting started</a><input aria-label="Toggle navigation of Getting started" class="toctree-checkbox" id="toctree-checkbox-2" name="toctree-checkbox-2" role="switch" type="checkbox"/><label for="toctree-checkbox-2"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../../installing/">Install LXD</a></li>
<li class="toctree-l3"><a class="reference internal" href="../initialize/">Initialize LXD</a></li>
<li class="toctree-l3"><a class="reference internal" href="../access_ui/">Access the UI</a></li>
<li class="toctree-l3"><a class="reference internal" href="../access_documentation/">Access documentation locally</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../operation/">LXD server and client</a><input aria-label="Toggle navigation of LXD server and client" class="toctree-checkbox" id="toctree-checkbox-3" name="toctree-checkbox-3" role="switch" type="checkbox"/><label for="toctree-checkbox-3"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../server_expose/">Expose LXD to the network</a></li>
<li class="toctree-l3"><a class="reference internal" href="../server_configure/">Configure the LXD server</a></li>
<li class="toctree-l3 has-children"><a class="reference internal" href="../oidc/">Configure single sign-on with OIDC</a><input aria-label="Toggle navigation of Configure single sign-on with OIDC" class="toctree-checkbox" id="toctree-checkbox-4" name="toctree-checkbox-4" role="switch" type="checkbox"/><label for="toctree-checkbox-4"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l4"><a class="reference internal" href="../oidc_auth0/">How to configure Auth0</a></li>
<li class="toctree-l4"><a class="reference internal" href="../oidc_ory/">How to configure Ory Hydra</a></li>
<li class="toctree-l4"><a class="reference internal" href="../oidc_keycloak/">How to configure Keycloak</a></li>
<li class="toctree-l4"><a class="reference internal" href="../oidc_entra_id/">How to configure Entra ID</a></li>
</ul>
</li>
<li class="toctree-l3"><a class="reference internal" href="../../remotes/">Add remote servers</a></li>
<li class="toctree-l3"><a class="reference internal" href="../lxc_alias/">Add command aliases</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../instances/">Instances</a><input aria-label="Toggle navigation of Instances" class="toctree-checkbox" id="toctree-checkbox-5" name="toctree-checkbox-5" role="switch" type="checkbox"/><label for="toctree-checkbox-5"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../instances_create/">Create instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../instances_configure/">Configure instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../instances_manage/">Manage instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../profiles/">Use profiles</a></li>
<li class="toctree-l3"><a class="reference internal" href="../instances_troubleshoot/">Troubleshoot errors</a></li>
<li class="toctree-l3"><a class="reference internal" href="../instances_ubuntu_pro_attach/">Auto attach Ubuntu Pro</a></li>
<li class="toctree-l3"><a class="reference internal" href="../instances_access_files/">Access files</a></li>
<li class="toctree-l3"><a class="reference internal" href="../instances_console/">Access the console</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../instance-exec/">Run commands</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../cloud-init/">Use cloud-init</a></li>
<li class="toctree-l3"><a class="reference internal" href="../instances_routed_nic_vm/">Add a routed NIC to a VM</a></li>
<li class="toctree-l3"><a class="reference internal" href="../instances_backup/">Back up instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../instances_migrate/">Migrate instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../import_machines_to_instances/">Import existing machines</a></li>
<li class="toctree-l3"><a class="reference internal" href="../container_gpu_passthrough_with_docker/">Pass NVIDIA GPUs</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../images/">Images</a><input aria-label="Toggle navigation of Images" class="toctree-checkbox" id="toctree-checkbox-6" name="toctree-checkbox-6" role="switch" type="checkbox"/><label for="toctree-checkbox-6"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../images_remote/">Use remote images</a></li>
<li class="toctree-l3"><a class="reference internal" href="../images_manage/">Manage images</a></li>
<li class="toctree-l3"><a class="reference internal" href="../images_profiles/">Associate profiles</a></li>
<li class="toctree-l3"><a class="reference internal" href="../images_copy/">Copy and import images</a></li>
<li class="toctree-l3"><a class="reference internal" href="../images_create/">Create images</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../projects/">Projects</a><input aria-label="Toggle navigation of Projects" class="toctree-checkbox" id="toctree-checkbox-7" name="toctree-checkbox-7" role="switch" type="checkbox"/><label for="toctree-checkbox-7"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../projects_create/">Create and configure</a></li>
<li class="toctree-l3"><a class="reference internal" href="../projects_work/">Work with projects</a></li>
<li class="toctree-l3"><a class="reference internal" href="../projects_confine/">Confine users to projects</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../storage/">Storage</a><input aria-label="Toggle navigation of Storage" class="toctree-checkbox" id="toctree-checkbox-8" name="toctree-checkbox-8" role="switch" type="checkbox"/><label for="toctree-checkbox-8"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../storage_pools/">Manage pools</a></li>
<li class="toctree-l3"><a class="reference internal" href="../storage_volumes/">Manage volumes</a></li>
<li class="toctree-l3"><a class="reference internal" href="../storage_buckets/">Manage buckets</a></li>
<li class="toctree-l3"><a class="reference internal" href="../storage_create_instance/">Create an instance in a pool</a></li>
<li class="toctree-l3"><a class="reference internal" href="../storage_backup_volume/">Back up a volume</a></li>
<li class="toctree-l3"><a class="reference internal" href="../storage_move_volume/">Move or copy a volume</a></li>
<li class="toctree-l3"><a class="reference internal" href="../storage_csi/">Use the LXD CSI driver with Kubernetes</a></li>
</ul>
</li>
<li class="toctree-l2 current has-children"><a class="reference internal" href="../../networks/">Networking</a><input aria-label="Toggle navigation of Networking" checked="" class="toctree-checkbox" id="toctree-checkbox-9" name="toctree-checkbox-9" role="switch" type="checkbox"/><label for="toctree-checkbox-9"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul class="current">
<li class="toctree-l3"><a class="reference internal" href="../network_create/">Create a network</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_configure/">Configure a network</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_bgp/">Configure as BGP server</a></li>
<li class="toctree-l3 current current-page"><a class="current reference internal" href="#">Configure network ACLs</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_forwards/">Configure forwards</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_zones/">Configure network zones</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_bridge_firewalld/">Configure your firewall</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_bridge_resolved/">Integrate with resolved</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_ovn_setup/">Set up OVN</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_load_balancers/">Configure load balancers</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_ovn_peers/">Configure peer routing</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_ipam/">Display IPAM information</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../clustering/">Clustering</a><input aria-label="Toggle navigation of Clustering" class="toctree-checkbox" id="toctree-checkbox-10" name="toctree-checkbox-10" role="switch" type="checkbox"/><label for="toctree-checkbox-10"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../cluster_form/">Form a cluster</a></li>
<li class="toctree-l3"><a class="reference internal" href="../cluster_manage/">Manage a cluster</a></li>
<li class="toctree-l3"><a class="reference internal" href="../cluster_config_networks/">Configure networks</a></li>
<li class="toctree-l3"><a class="reference internal" href="../cluster_config_storage/">Configure storage</a></li>
<li class="toctree-l3"><a class="reference internal" href="../cluster_manage_instance/">Manage instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../cluster_groups/">Set up cluster groups</a></li>
<li class="toctree-l3"><a class="reference internal" href="../cluster_placement_groups/">Use placement groups</a></li>
<li class="toctree-l3"><a class="reference internal" href="../cluster_recover/">Recover a cluster</a></li>
<li class="toctree-l3"><a class="reference internal" href="../cluster_vip/">Set up a highly available virtual IP</a></li>
</ul>
</li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../../production-setup/">Production setup</a><input aria-label="Toggle navigation of Production setup" class="toctree-checkbox" id="toctree-checkbox-11" name="toctree-checkbox-11" role="switch" type="checkbox"/><label for="toctree-checkbox-11"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../benchmark_performance/">Benchmark performance</a></li>
<li class="toctree-l3"><a class="reference internal" href="../network_increase_bandwidth/">Increase bandwidth</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../metrics/">Monitor metrics</a></li>
<li class="toctree-l3"><a class="reference internal" href="../logs_loki/">Send logs to Loki</a></li>
<li class="toctree-l3"><a class="reference internal" href="../grafana/">Set up Grafana</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../backup/">Back up a server</a></li>
<li class="toctree-l3"><a class="reference internal" href="../disaster_recovery/">Recover instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../disaster_recovery_replication/">Disaster recovery with storage replication</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../snap/">Manage the snap</a></li>
<li class="toctree-l2"><a class="reference internal" href="../security_harden/">Harden security</a></li>
<li class="toctree-l2 has-children"><a class="reference internal" href="../troubleshoot/">Troubleshooting</a><input aria-label="Toggle navigation of Troubleshooting" class="toctree-checkbox" id="toctree-checkbox-12" name="toctree-checkbox-12" role="switch" type="checkbox"/><label for="toctree-checkbox-12"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l3"><a class="reference internal" href="../network_bridge_firewalld/">Configure your firewall</a></li>
<li class="toctree-l3"><a class="reference internal" href="../instances_troubleshoot/">Troubleshoot instances</a></li>
<li class="toctree-l3"><a class="reference internal" href="../dqlite_troubleshoot/">Troubleshoot Dqlite</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../debugging/">Debug LXD</a></li>
<li class="toctree-l3"><a class="reference internal" href="../../faq/">Frequently asked</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="../../support/">Get support</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../contributing/">Contribute to LXD</a></li>
<li class="toctree-l2"><a class="reference internal" href="../auth_bearer/">How to authenticate to the LXD API using bearer tokens</a></li>
<li class="toctree-l2"><a class="reference internal" href="../devlxd_authenticate/">How to authenticate to the DevLXD API</a></li>
</ul>
</li>
<li class="toctree-l1 has-children"><a class="reference internal" href="../../explanation/">Explanation</a><input aria-label="Toggle navigation of Explanation" class="toctree-checkbox" id="toctree-checkbox-13" name="toctree-checkbox-13" role="switch" type="checkbox"/><label for="toctree-checkbox-13"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l2"><a class="reference internal" href="../../explanation/lxd_lxc/"><code class="docutils literal notranslate"><span class="pre">lxd</span></code> and <code class="docutils literal notranslate"><span class="pre">lxc</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../../explanation/instances/">Containers and VMs</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../image-handling/">Local and remote images</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../explanation/storage/">Storage pools, volumes, and buckets</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../explanation/networks/">Networking setups</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../database/">The LXD Dqlite database</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../explanation/lxc_show_info/"><code class="docutils literal notranslate"><span class="pre">lxc</span></code> <code class="docutils literal notranslate"><span class="pre">show</span></code> and <code class="docutils literal notranslate"><span class="pre">info</span></code></a></li>
<li class="toctree-l2"><a class="reference internal" href="../../authentication/">Remote API authentication</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../explanation/authorization/">Remote API authorization</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../explanation/projects/">Instances grouping with projects</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../explanation/clusters/">Clusters</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../explanation/performance_tuning/">Performance tuning</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../explanation/security/">Security</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../explanation/bpf/">Privilege delegation using BPF Token</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../explanation/csi/">The LXD CSI driver</a></li>
</ul>
</li>
<li class="toctree-l1 has-children"><a class="reference internal" href="../../reference/">Reference</a><input aria-label="Toggle navigation of Reference" class="toctree-checkbox" id="toctree-checkbox-14" name="toctree-checkbox-14" role="switch" type="checkbox"/><label for="toctree-checkbox-14"><span class="icon"><svg><use href="#svg-arrow-right"></use></svg></span></label><ul>
<li class="toctree-l2"><a class="reference internal" href="../../requirements/">Requirements</a></li>
<li class="toctree-l2"><a class="reference internal" href="../../architectures/">Architectures</a></li>
<div class="main">
<div class="content">
<div class="article-container">
<article role="main" id="furo-main-content">
<section id="how-to-configure-network-acls">
<span id="network-acls"></span><h1>How to configure network ACLs<a class="headerlink" href="#how-to-configure-network-acls" title="Link to this heading">¶</a></h1>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>Network ACLs are available for the <a class="reference internal" href="../../reference/devices_nic/#nic-ovn"><span class="std std-ref">OVN NIC type</span></a>, the <a class="reference internal" href="../../reference/network_ovn/#network-ovn"><span class="std std-ref">OVN network</span></a> and the <a class="reference internal" href="../../reference/network_bridge/#network-bridge"><span class="std std-ref">Bridge network</span></a> (with some exceptions; see <a class="reference internal" href="#network-acls-bridge-limitations"><span class="std std-ref">Bridge limitations</span></a>).</p>
</div>
<p class="youtube_link">
<a href="https://www.youtube.com/watch?v=mu34G0cX6Io" target="_blank">
<span title="LXD network ACLs" class="play_icon">▶</span>
<span title="LXD network ACLs">Watch on YouTube</span>
</a>
</p>
<p>Network <abbr title="Access Control Lists">ACLs</abbr> define rules for controlling traffic:</p>
<ul class="simple">
<li><p>Between instances connected to the same network</p></li>
<li><p>To and from other networks</p></li>
</ul>
<p>Network ACLs can be assigned directly to the <abbr title="Network Interface Controller">NIC</abbr> of an instance, or to a network. When assigned to a network, the ACL applies indirectly to all NICs connected to that network.</p>
<p>When an ACL is assigned to multiple instance NICs, either directly or indirectly, those NICs form a logical port group. You can use the name of that ACL to refer to that group in the traffic rules of other ACLs. For more information, see: <a class="reference internal" href="#network-acls-selectors-subject-name"><span class="std std-ref">Subject name selectors (ACL groups)</span></a>.</p>
<section id="list-acls">
<span id="network-acls-list"></span><h2>List ACLs<a class="headerlink" href="#list-acls" title="Link to this heading">¶</a></h2>
<div class="sphinx-tabs docutils container">
<div aria-label="Tabbed content" class="closeable" role="tablist"><button aria-controls="panel-0-Q0xJ" aria-selected="true" class="sphinx-tabs-tab group-tab" id="tab-0-Q0xJ" name="Q0xJ" role="tab" tabindex="0">CLI</button><button aria-controls="panel-0-QVBJ" aria-selected="false" class="sphinx-tabs-tab group-tab" id="tab-0-QVBJ" name="QVBJ" role="tab" tabindex="-1">API</button><button aria-controls="panel-0-VUk=" aria-selected="false" class="sphinx-tabs-tab group-tab" id="tab-0-VUk=" name="VUk=" role="tab" tabindex="-1">UI</button></div><div aria-labelledby="tab-0-Q0xJ" class="sphinx-tabs-panel group-tab" id="panel-0-Q0xJ" name="Q0xJ" role="tabpanel" tabindex="0"><p>To list all ACLs, run:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>network<span class="w"> </span>acl<span class="w"> </span>list
</pre></div>
</div>
</div><div aria-labelledby="tab-0-QVBJ" class="sphinx-tabs-panel group-tab" hidden="true" id="panel-0-QVBJ" name="QVBJ" role="tabpanel" tabindex="0"><p>To list all ACLs, query the <a class="reference external" href="/api/#/network-acls/network_acls_get"><code class="docutils literal notranslate"><span class="pre">GET</span> <span class="pre">/1.0/network-acls</span></code></a> endpoint:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>query<span class="w"> </span>--request<span class="w"> </span>GET<span class="w"> </span>/1.0/network-acls
</pre></div>
</div>
<p>You can also use <a class="reference internal" href="../../rest-api/#rest-api-recursion"><span class="std std-ref">recursion</span></a> to list the ACLs with a higher level of detail:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>query<span class="w"> </span>--request<span class="w"> </span>GET<span class="w"> </span>/1.0/network-acls?recursion<span class="o">=</span><span class="m">1</span>
</pre></div>
</div>
</div><div aria-labelledby="tab-0-VUk=" class="sphinx-tabs-panel group-tab" hidden="true" id="panel-0-VUk=" name="VUk=" role="tabpanel" tabindex="0"><p>View ACL information from the <span class="guilabel">Networking</span> section of the main navigation.</p>
</div></div>
</section>
<section id="show-an-acl">
<span id="network-acls-show"></span><h2>Show an ACL<a class="headerlink" href="#show-an-acl" title="Link to this heading">¶</a></h2>
<div class="sphinx-tabs docutils container">
<div aria-label="Tabbed content" class="closeable" role="tablist"><button aria-controls="panel-1-Q0xJ" aria-selected="true" class="sphinx-tabs-tab group-tab" id="tab-1-Q0xJ" name="Q0xJ" role="tab" tabindex="0">CLI</button><button aria-controls="panel-1-QVBJ" aria-selected="false" class="sphinx-tabs-tab group-tab" id="tab-1-QVBJ" name="QVBJ" role="tab" tabindex="-1">API</button><button aria-controls="panel-1-VUk=" aria-selected="false" class="sphinx-tabs-tab group-tab" id="tab-1-VUk=" name="VUk=" role="tab" tabindex="-1">UI</button></div><div aria-labelledby="tab-1-Q0xJ" class="sphinx-tabs-panel group-tab" id="panel-1-Q0xJ" name="Q0xJ" role="tabpanel" tabindex="0"><p>To show details about a specific ACL, run:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>network<span class="w"> </span>acl<span class="w"> </span>show<span class="w"> </span><ACL-name>
</pre></div>
</div>
<p>Example:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>network<span class="w"> </span>acl<span class="w"> </span>show<span class="w"> </span>my-acl
</pre></div>
</div>
</div><div aria-labelledby="tab-1-QVBJ" class="sphinx-tabs-panel group-tab" hidden="true" id="panel-1-QVBJ" name="QVBJ" role="tabpanel" tabindex="0"><p>For details about a specific ACL, query the <a class="reference external" href="/api/#/network-acls/network_acl_get"><code class="docutils literal notranslate"><span class="pre">GET</span> <span class="pre">/1.0/network-acls/{ACL-name}</span></code></a> endpoint:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>query<span class="w"> </span>--request<span class="w"> </span>GET<span class="w"> </span>/1.0/network-acls/<span class="o">{</span>ACL-name<span class="o">}</span>
</pre></div>
</div>
<p>Example:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>query<span class="w"> </span>--request<span class="w"> </span>GET<span class="w"> </span>/1.0/network-acls/my-acl
</pre></div>
</div>
</div><div aria-labelledby="tab-1-VUk=" class="sphinx-tabs-panel group-tab" hidden="true" id="panel-1-VUk=" name="VUk=" role="tabpanel" tabindex="0"><p>To show the detail page of an ACL, select the desired ACL from the <span class="guilabel">ACLs</span> page.</p>
<figure class="align-default">
<a class="reference internal image-reference" href="../../_images/network_ACLs.png"><img alt="A Network ACL in LXD" src="../../_images/network_ACLs.png" style="width: 80%;" />
</a>
</figure>
</div></div>
</section>
<section id="create-an-acl">
<span id="network-acls-create"></span><h2>Create an ACL<a class="headerlink" href="#create-an-acl" title="Link to this heading">¶</a></h2>
<section id="name-requirements">
<span id="network-acls-name-requirements"></span><h3>Name requirements<a class="headerlink" href="#name-requirements" title="Link to this heading">¶</a></h3>
<p>Network ACL names must meet the following requirements:</p>
<ul class="simple">
<li><p>Must be between 1 and 63 characters long.</p></li>
<li><p>Can contain only ASCII letters (a–z, A–Z), numbers (0–9), and dashes (-).</p></li>
<li><p>Cannot begin with a digit or a dash.</p></li>
<li><p>Cannot end with a dash.</p></li>
</ul>
</section>
<section id="instructions">
<h3>Instructions<a class="headerlink" href="#instructions" title="Link to this heading">¶</a></h3>
<div class="sphinx-tabs docutils container">
<div aria-label="Tabbed content" class="closeable" role="tablist"><button aria-controls="panel-2-Q0xJ" aria-selected="true" class="sphinx-tabs-tab group-tab" id="tab-2-Q0xJ" name="Q0xJ" role="tab" tabindex="0">CLI</button><button aria-controls="panel-2-QVBJ" aria-selected="false" class="sphinx-tabs-tab group-tab" id="tab-2-QVBJ" name="QVBJ" role="tab" tabindex="-1">API</button><button aria-controls="panel-2-VUk=" aria-selected="false" class="sphinx-tabs-tab group-tab" id="tab-2-VUk=" name="VUk=" role="tab" tabindex="-1">UI</button></div><div aria-labelledby="tab-2-Q0xJ" class="sphinx-tabs-panel group-tab" id="panel-2-Q0xJ" name="Q0xJ" role="tabpanel" tabindex="0"><p>To create an ACL, run:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>network<span class="w"> </span>acl<span class="w"> </span>create<span class="w"> </span><ACL-name><span class="w"> </span><span class="o">[</span>user.KEY<span class="o">=</span>value<span class="w"> </span>...<span class="o">]</span>
</pre></div>
</div>
<ul class="simple">
<li><p>You must provide an ACL name that meets the <a class="reference internal" href="#network-acls-name-requirements"><span class="std std-ref">Name requirements</span></a>.</p></li>
<li><p>You can optionally provide one or more custom <code class="docutils literal notranslate"><span class="pre">user</span></code> keys to store metadata or other information. These keys are free-form metadata only; they have no effect on how traffic is filtered.</p></li>
</ul>
<p>ACLs have no rules upon creation via command line, so as a next step, <a class="reference internal" href="#network-acls-rules"><span class="std std-ref">add rules</span></a> to the ACL. Keep in mind that an ACL with no rules makes no explicit allow or drop decisions of its own; traffic that matches none of an ACL's rules is handled according to the default behavior configured for the network or NIC the ACL is assigned to, so check that default before assigning an ACL that is still empty. You can also <a class="reference internal" href="#network-acls-edit"><span class="std std-ref">edit the ACL configuration</span></a>, or <a class="reference internal" href="#network-acls-assign"><span class="std std-ref">assign the ACL to a network or NIC</span></a>.</p>
<p>Another way to create ACLs from the command line is to provide a YAML configuration file:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>network<span class="w"> </span>acl<span class="w"> </span>create<span class="w"> </span><ACL-name><span class="w"> </span><<span class="w"> </span><filename.yaml>
</pre></div>
</div>
<p>This file can include any other <a class="reference internal" href="#network-acls-properties"><span class="std std-ref">ACL properties</span></a>, including the <code class="docutils literal notranslate"><span class="pre">egress</span></code> and <code class="docutils literal notranslate"><span class="pre">ingress</span></code> properties for defining <a class="reference internal" href="#network-acls-rules"><span class="std std-ref">ACL rules</span></a>. See the second example in the set below.</p>
<p class="rubric" id="examples">Examples</p>
<p>Create an ACL with the name <code class="docutils literal notranslate"><span class="pre">my-acl</span></code> and an optional custom user key:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>network<span class="w"> </span>acl<span class="w"> </span>create<span class="w"> </span>my-acl<span class="w"> </span>user.my-key<span class="o">=</span>my-value
</pre></div>
</div>
<p>Create an ACL using a YAML configuration file:</p>
<p>First, create a file named <code class="docutils literal notranslate"><span class="pre">config.yaml</span></code> with the following content:</p>
<div class="highlight-yaml notranslate"><div class="highlight"><pre><span></span><span class="nt">description</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Allow web traffic from internal network</span>
<span class="nt">config</span><span class="p">:</span>
<span class="w"> </span><span class="nt">user.owner</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">devops</span>
<span class="nt">ingress</span><span class="p">:</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">action</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">allow</span>
<span class="w"> </span><span class="nt">description</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Allow HTTP/HTTPS from internal</span>
<span class="w"> </span><span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">tcp</span>
<span class="w"> </span><span class="nt">source</span><span class="p">:</span><span class="w"> </span><span class="s">"@internal"</span>
<span class="w"> </span><span class="nt">destination_port</span><span class="p">:</span><span class="w"> </span><span class="s">"80,443"</span>
<span class="w"> </span><span class="nt">state</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">enabled</span>
</pre></div>
</div>
<p>Note that the custom user keys are stored under the <code class="docutils literal notranslate"><span class="pre">config</span></code> property.</p>
<p>The following command creates an ACL from that file’s configuration:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>network<span class="w"> </span>acl<span class="w"> </span>create<span class="w"> </span>my-acl<span class="w"> </span><<span class="w"> </span>config.yaml
</pre></div>
</div>
</div><div aria-labelledby="tab-2-QVBJ" class="sphinx-tabs-panel group-tab" hidden="true" id="panel-2-QVBJ" name="QVBJ" role="tabpanel" tabindex="0"><p>To create an ACL, query the <a class="reference external" href="/api/#/network-acls/network_acls_post"><code class="docutils literal notranslate"><span class="pre">POST</span> <span class="pre">/1.0/network-acls</span></code></a> endpoint:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>query<span class="w"> </span>--request<span class="w"> </span>POST<span class="w"> </span>/1.0/network-acls<span class="w"> </span>--data<span class="w"> </span><span class="s1">'{</span>
<span class="s1"> "name": "<ACL-name>",</span>
<span class="s1"> "config": {</span>
<span class="s1"> "user.<custom-key-name>": "<custom-key-value>"</span>
<span class="s1"> },</span>
<span class="s1"> "description": "<description of the ACL>",</span>
<span class="s1"> "egress": [{<egress rule object>}, {<another egress rule object>}, ...],</span>
<span class="s1"> "ingress": [{<ingress rule object>}, {<another ingress rule object>}, ...]</span>
<span class="s1">}'</span>
</pre></div>
</div>
<ul class="simple">
<li><p>You must provide an ACL name that meets the <a class="reference internal" href="#network-acls-name-requirements"><span class="std std-ref">Name requirements</span></a>.</p></li>
<li><p>You can optionally provide one or more custom <code class="docutils literal notranslate"><span class="pre">config.user.*</span></code> keys to store metadata or other information.</p></li>
<li><p>The <code class="docutils literal notranslate"><span class="pre">ingress</span></code> and <code class="docutils literal notranslate"><span class="pre">egress</span></code> lists contain rules for inbound and outbound traffic. See <a class="reference internal" href="#network-acls-rules"><span class="std std-ref">ACL rules</span></a> for details.</p></li>
</ul>
<p class="rubric" id="id1">Examples</p>
<p>Create an ACL with the name <code class="docutils literal notranslate"><span class="pre">my-acl</span></code>, a custom user key of <code class="docutils literal notranslate"><span class="pre">my-key</span></code>, and a <code class="docutils literal notranslate"><span class="pre">description</span></code>:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>query<span class="w"> </span>--request<span class="w"> </span>POST<span class="w"> </span>/1.0/network-acls<span class="w"> </span>--data<span class="w"> </span><span class="s1">'{</span>
<span class="s1"> "name": "my-acl",</span>
<span class="s1"> "config": {</span>
<span class="s1"> "user.my-key": "my-value"</span>
<span class="s1"> },</span>
<span class="s1"> "description": "Web servers"</span>
<span class="s1">}'</span>
</pre></div>
</div>
<p>Create an ACL with the name <code class="docutils literal notranslate"><span class="pre">my-acl</span></code> and an <code class="docutils literal notranslate"><span class="pre">ingress</span></code> rule. The rule specifies no source, destination, or protocol, so it is not limited to particular traffic; treat it as a deny-all template rather than a rule to deploy as is:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>query<span class="w"> </span>--request<span class="w"> </span>POST<span class="w"> </span>/1.0/network-acls<span class="w"> </span>--data<span class="w"> </span><span class="s1">'{</span>
<span class="s1"> "name": "my-acl",</span>
<span class="s1"> "ingress": [</span>
<span class="s1"> {</span>
<span class="s1"> "action": "drop",</span>
<span class="s1"> "state": "enabled"</span>
<span class="s1"> }</span>
<span class="s1"> ]</span>
<span class="s1">}'</span>
</pre></div>
</div>
</div><div aria-labelledby="tab-2-VUk=" class="sphinx-tabs-panel group-tab" hidden="true" id="panel-2-VUk=" name="VUk=" role="tabpanel" tabindex="0"><p>To create an ACL, navigate to <span class="guilabel">ACLs</span> from the <span class="guilabel">Networking</span> tab in the main navigation, then click the <span class="guilabel">Create ACL</span> button in the upper-right corner.</p>
<figure class="align-default">
<a class="reference internal image-reference" href="../../_images/network_ACL_create.png"><img alt="Create an ACL in LXD" src="../../_images/network_ACL_create.png" style="width: 80%;" />
</a>
</figure>
</div></div>
</section>
<section id="acl-properties">
<span id="network-acls-properties"></span><h3>ACL properties<a class="headerlink" href="#acl-properties" title="Link to this heading">¶</a></h3>
<p>ACLs have the following properties:</p>
<div class="configoption docutils container" id="network-acl-acl-properties:config">
<div class="basicinfo docutils container">
<span class="key"><code class="docutils literal notranslate"><span class="pre">config</span></code></span><span class="shortdesc"><p>User-provided free-form key/value pairs</p>
</span><span class="anchor"><a class="reference external" href="#network-acl-acl-properties:config"><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></a></span></div>
<div class="details docutils container">
<div class="table-wrapper fields docutils container">
<table class="fields docutils align-default">
<tbody>
<tr class="row-odd"><td><strong>Key: </strong></td>
<td><code class="docutils literal notranslate"><span class="pre">config</span></code></td>
</tr>
<tr class="row-even"><td><strong>Type: </strong></td>
<td><span class="ignoreP"><p>string set</p>
</span></td>
</tr>
<tr class="row-odd"><td><strong>Required: </strong></td>
<td><span class="ignoreP"><p>no</p>
</span></td>
</tr>
</tbody>
</table>
</div>
<p>The only supported keys are <code class="docutils literal notranslate"><span class="pre">user.*</span></code> custom keys. They are free-form metadata for your own use and have no effect on how traffic is evaluated or filtered.</p>
</div>
</div>
<div class="configoption docutils container" id="network-acl-acl-properties:description">
<div class="basicinfo docutils container">
<span class="key"><code class="docutils literal notranslate"><span class="pre">description</span></code></span><span class="shortdesc"><p>Description of the network ACL</p>
</span><span class="anchor"><a class="reference external" href="#network-acl-acl-properties:description"><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></a></span></div>
<div class="details docutils container">
<div class="table-wrapper fields docutils container">
<table class="fields docutils align-default">
<tbody>
<tr class="row-odd"><td><strong>Key: </strong></td>
<td><code class="docutils literal notranslate"><span class="pre">description</span></code></td>
</tr>
<tr class="row-even"><td><strong>Type: </strong></td>
<td><span class="ignoreP"><p>string</p>
</span></td>
</tr>
<tr class="row-odd"><td><strong>Required: </strong></td>
<td><span class="ignoreP"><p>no</p>
</span></td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<div class="configoption docutils container" id="network-acl-acl-properties:egress">
<div class="basicinfo docutils container">
<span class="key"><code class="docutils literal notranslate"><span class="pre">egress</span></code></span><span class="shortdesc"><p>Egress traffic rules</p>
</span><span class="anchor"><a class="reference external" href="#network-acl-acl-properties:egress"><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></a></span></div>
<div class="details docutils container">
<div class="table-wrapper fields docutils container">
<table class="fields docutils align-default">
<tbody>
<tr class="row-odd"><td><strong>Key: </strong></td>
<td><code class="docutils literal notranslate"><span class="pre">egress</span></code></td>
</tr>
<tr class="row-even"><td><strong>Type: </strong></td>
<td><span class="ignoreP"><p>rule list</p>
</span></td>
</tr>
<tr class="row-odd"><td><strong>Required: </strong></td>
<td><span class="ignoreP"><p>no</p>
</span></td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<div class="configoption docutils container" id="network-acl-acl-properties:ingress">
<div class="basicinfo docutils container">
<span class="key"><code class="docutils literal notranslate"><span class="pre">ingress</span></code></span><span class="shortdesc"><p>Ingress traffic rules</p>
</span><span class="anchor"><a class="reference external" href="#network-acl-acl-properties:ingress"><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></a></span></div>
<div class="details docutils container">
<div class="table-wrapper fields docutils container">
<table class="fields docutils align-default">
<tbody>
<tr class="row-odd"><td><strong>Key: </strong></td>
<td><code class="docutils literal notranslate"><span class="pre">ingress</span></code></td>
</tr>
<tr class="row-even"><td><strong>Type: </strong></td>
<td><span class="ignoreP"><p>rule list</p>
</span></td>
</tr>
<tr class="row-odd"><td><strong>Required: </strong></td>
<td><span class="ignoreP"><p>no</p>
</span></td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<div class="configoption docutils container" id="network-acl-acl-properties:name">
<div class="basicinfo docutils container">
<span class="key"><code class="docutils literal notranslate"><span class="pre">name</span></code></span><span class="shortdesc"><p>Unique name of the network ACL in the project</p>
</span><span class="anchor"><a class="reference external" href="#network-acl-acl-properties:name"><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></a></span></div>
<div class="details docutils container">
<div class="table-wrapper fields docutils container">
<table class="fields docutils align-default">
<tbody>
<tr class="row-odd"><td><strong>Key: </strong></td>
<td><code class="docutils literal notranslate"><span class="pre">name</span></code></td>
</tr>
<tr class="row-even"><td><strong>Type: </strong></td>
<td><span class="ignoreP"><p>string</p>
</span></td>
</tr>
<tr class="row-odd"><td><strong>Required: </strong></td>
<td><span class="ignoreP"><p>yes</p>
</span></td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
</section>
</section>
<section id="acl-rules">
<span id="network-acls-rules"></span><h2>ACL rules<a class="headerlink" href="#acl-rules" title="Link to this heading">¶</a></h2>
<p>Each ACL contains two lists of rules:</p>
<ul class="simple">
<li><p>Rules in the <code class="docutils literal notranslate"><span class="pre">egress</span></code> list apply to outbound traffic from the NIC.</p></li>
<li><p>Rules in the <code class="docutils literal notranslate"><span class="pre">ingress</span></code> list apply to inbound traffic to the NIC.</p></li>
</ul>
<p>For both <code class="docutils literal notranslate"><span class="pre">egress</span></code> and <code class="docutils literal notranslate"><span class="pre">ingress</span></code>, the rule configuration looks like this:</p>
<div class="sphinx-tabs docutils container">
<div aria-label="Tabbed content" class="closeable" role="tablist"><button aria-controls="panel-3-WUFNTA==" aria-selected="true" class="sphinx-tabs-tab group-tab" id="tab-3-WUFNTA==" name="WUFNTA==" role="tab" tabindex="0">YAML</button><button aria-controls="panel-3-SlNPTg==" aria-selected="false" class="sphinx-tabs-tab group-tab" id="tab-3-SlNPTg==" name="SlNPTg==" role="tab" tabindex="-1">JSON</button></div><div aria-labelledby="tab-3-WUFNTA==" class="sphinx-tabs-panel group-tab" id="panel-3-WUFNTA==" name="WUFNTA==" role="tabpanel" tabindex="0"><div class="highlight-yaml notranslate"><div class="highlight"><pre><span></span><span class="nt">action</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain"><allow|reject|drop></span>
<span class="nt">description</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain"><description></span>
<span class="nt">destination</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain"><destination-IP-range></span>
<span class="nt">destination_port</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain"><destination-port-number></span>
<span class="nt">icmp_code</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain"><ICMP-code></span>
<span class="nt">icmp_type</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain"><ICMP-type></span>
<span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain"><icmp4|icmp6|tcp|udp></span>
<span class="nt">source</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain"><source-of-traffic></span>
<span class="nt">source_port</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain"><source-port-number></span>
<span class="nt">state</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain"><enabled|disabled|logged></span>
</pre></div>
</div>
</div><div aria-labelledby="tab-3-SlNPTg==" class="sphinx-tabs-panel group-tab" hidden="true" id="panel-3-SlNPTg==" name="SlNPTg==" role="tabpanel" tabindex="0"><div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">{</span>
<span class="s2">"action"</span><span class="p">:</span> <span class="s2">"<allow|reject|drop>"</span><span class="p">,</span>
<span class="s2">"description"</span><span class="p">:</span> <span class="s2">"<description>"</span><span class="p">,</span>
<span class="s2">"destination"</span><span class="p">:</span> <span class="s2">"<destination-IP-range>"</span><span class="p">,</span>
<span class="s2">"destination_port"</span><span class="p">:</span> <span class="s2">"<destination-port-number>"</span><span class="p">,</span>
<span class="s2">"icmp_code"</span><span class="p">:</span> <span class="s2">"<ICMP-code>"</span><span class="p">,</span>
<span class="s2">"icmp_type"</span><span class="p">:</span> <span class="s2">"<ICMP-type>"</span><span class="p">,</span>
<span class="s2">"protocol"</span><span class="p">:</span> <span class="s2">"<icmp4|icmp6|tcp|udp>"</span><span class="p">,</span>
<span class="s2">"source"</span><span class="p">:</span> <span class="s2">"<source-of-traffic>"</span><span class="p">,</span>
<span class="s2">"source_port"</span><span class="p">:</span> <span class="s2">"<source-port-number>"</span><span class="p">,</span>
<span class="s2">"state"</span><span class="p">:</span> <span class="s2">"<enabled|disabled|logged>"</span>
<span class="p">}</span>
</pre></div>
</div>
</div></div>
<ul class="simple">
<li><p>The <strong><code class="docutils literal notranslate"><span class="pre">action</span></code></strong> property is required.</p></li>
<li><p>The <strong><code class="docutils literal notranslate"><span class="pre">source</span></code></strong> and <strong><code class="docutils literal notranslate"><span class="pre">destination</span></code></strong> properties can be specified as one or more CIDR blocks, IP ranges, or <a class="reference internal" href="#network-acls-selectors"><span class="std std-ref">selectors</span></a>. If left empty, they match any source or destination. Comma-separate multiple values.</p></li>
<li><p>If the <strong><code class="docutils literal notranslate"><span class="pre">protocol</span></code></strong> is unset, it matches any protocol.</p></li>
<li><p>The <strong><code class="docutils literal notranslate"><span class="pre">destination_port</span></code></strong> and <strong><code class="docutils literal notranslate"><span class="pre">source_port</span></code></strong> properties and <strong><code class="docutils literal notranslate"><span class="pre">icmp_code</span></code></strong> and <strong><code class="docutils literal notranslate"><span class="pre">icmp_type</span></code></strong> properties are mutually exclusive sets. Although both sets are shown in the same rule above to demonstrate the syntax, they never appear together in practice.</p>
<ul>
<li><p>The <strong><code class="docutils literal notranslate"><span class="pre">destination_port</span></code></strong> and <strong><code class="docutils literal notranslate"><span class="pre">source_port</span></code></strong> properties are only available when the <strong><code class="docutils literal notranslate"><span class="pre">protocol</span></code></strong> for the rule is <code class="docutils literal notranslate"><span class="pre">tcp</span></code> or <code class="docutils literal notranslate"><span class="pre">udp</span></code>.</p></li>
<li><p>The <a class="reference external" href="https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml#icmp-parameters-codes"><strong><code class="docutils literal notranslate"><span class="pre">icmp_code</span></code></strong></a> and <a class="reference external" href="https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml#icmp-parameters-types"><strong><code class="docutils literal notranslate"><span class="pre">icmp_type</span></code></strong></a> properties are only available when the <strong><code class="docutils literal notranslate"><span class="pre">protocol</span></code></strong> is <code class="docutils literal notranslate"><span class="pre">icmp4</span></code> or <code class="docutils literal notranslate"><span class="pre">icmp6</span></code>.</p></li>
</ul>
</li>
<li><p>The <strong><code class="docutils literal notranslate"><span class="pre">state</span></code></strong> is <code class="docutils literal notranslate"><span class="pre">enabled</span></code> by default. Set it to <code class="docutils literal notranslate"><span class="pre">disabled</span></code> to keep a rule in the ACL without applying it, or to <code class="docutils literal notranslate"><span class="pre">logged</span></code> to <a class="reference internal" href="#network-acls-log"><span class="std std-ref">log traffic</span></a> that matches the rule.</p></li>
</ul>
<p>For more information, see: <a class="reference internal" href="#network-acls-rule-properties"><span class="std std-ref">Rule properties</span></a>.</p>
<section id="add-a-rule">
<h3>Add a rule<a class="headerlink" href="#add-a-rule" title="Link to this heading">¶</a></h3>
<div class="sphinx-tabs docutils container">
<div aria-label="Tabbed content" class="closeable" role="tablist"><button aria-controls="panel-4-Q0xJ" aria-selected="true" class="sphinx-tabs-tab group-tab" id="tab-4-Q0xJ" name="Q0xJ" role="tab" tabindex="0">CLI</button><button aria-controls="panel-4-QVBJ" aria-selected="false" class="sphinx-tabs-tab group-tab" id="tab-4-QVBJ" name="QVBJ" role="tab" tabindex="-1">API</button><button aria-controls="panel-4-VUk=" aria-selected="false" class="sphinx-tabs-tab group-tab" id="tab-4-VUk=" name="VUk=" role="tab" tabindex="-1">UI</button></div><div aria-labelledby="tab-4-Q0xJ" class="sphinx-tabs-panel group-tab" id="panel-4-Q0xJ" name="Q0xJ" role="tabpanel" tabindex="0"><p>To add a rule to an ACL, run:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>network<span class="w"> </span>acl<span class="w"> </span>rule<span class="w"> </span>add<span class="w"> </span><ACL-name><span class="w"> </span><egress<span class="p">|</span>ingress><span class="w"> </span><span class="o">[</span>properties...<span class="o">]</span>
</pre></div>
</div>
<p class="rubric" id="example">Example</p>
<p>Add an <code class="docutils literal notranslate"><span class="pre">egress</span></code> rule with an <code class="docutils literal notranslate"><span class="pre">action</span></code> of <code class="docutils literal notranslate"><span class="pre">drop</span></code> to <code class="docutils literal notranslate"><span class="pre">my-acl</span></code>:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>network<span class="w"> </span>acl<span class="w"> </span>rule<span class="w"> </span>add<span class="w"> </span>my-acl<span class="w"> </span>egress<span class="w"> </span><span class="nv">action</span><span class="o">=</span>drop
</pre></div>
</div>
</div><div aria-labelledby="tab-4-QVBJ" class="sphinx-tabs-panel group-tab" hidden="true" id="panel-4-QVBJ" name="QVBJ" role="tabpanel" tabindex="0"><p>There is no specific endpoint for adding a rule. Instead, you must <a class="reference internal" href="#network-acls-edit"><span class="std std-ref">edit the full ACL</span></a>, which contains the <code class="docutils literal notranslate"><span class="pre">egress</span></code> and <code class="docutils literal notranslate"><span class="pre">ingress</span></code> lists.</p>
</div><div aria-labelledby="tab-4-VUk=" class="sphinx-tabs-panel group-tab" hidden="true" id="panel-4-VUk=" name="VUk=" role="tabpanel" tabindex="0"><p>To add an ingress or egress rule to an ACL, go to its <a class="reference internal" href="#network-acls-show"><span class="std std-ref">detail page</span></a>.</p>
<p>Click <span class="guilabel">Add rule</span>, then configure your ingress or egress settings.</p>
<figure class="align-default">
<a class="reference internal image-reference" href="../../_images/network_ACL_addrule.png"><img alt="Add a rule to an ACL in LXD" src="../../_images/network_ACL_addrule.png" style="width: 80%;" />
</a>
</figure>
<p>Note that the <span class="guilabel">Save changes</span> button displays the number of changes you have made. Save your changes.</p>
</div></div>
</section>
<section id="remove-a-rule">
<h3>Remove a rule<a class="headerlink" href="#remove-a-rule" title="Link to this heading">¶</a></h3>
<div class="sphinx-tabs docutils container">
<div aria-label="Tabbed content" class="closeable" role="tablist"><button aria-controls="panel-5-Q0xJ" aria-selected="true" class="sphinx-tabs-tab group-tab" id="tab-5-Q0xJ" name="Q0xJ" role="tab" tabindex="0">CLI</button><button aria-controls="panel-5-QVBJ" aria-selected="false" class="sphinx-tabs-tab group-tab" id="tab-5-QVBJ" name="QVBJ" role="tab" tabindex="-1">API</button><button aria-controls="panel-5-VUk=" aria-selected="false" class="sphinx-tabs-tab group-tab" id="tab-5-VUk=" name="VUk=" role="tab" tabindex="-1">UI</button></div><div aria-labelledby="tab-5-Q0xJ" class="sphinx-tabs-panel group-tab" id="panel-5-Q0xJ" name="Q0xJ" role="tabpanel" tabindex="0"><p>To remove a rule from an ACL, run:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>network<span class="w"> </span>acl<span class="w"> </span>rule<span class="w"> </span>remove<span class="w"> </span><ACL-name><span class="w"> </span><egress<span class="p">|</span>ingress><span class="w"> </span><span class="o">[</span>properties...<span class="o">]</span>
</pre></div>
</div>
<p>You must either specify all properties needed to uniquely identify a rule or add <code class="docutils literal notranslate"><span class="pre">--force</span></code> to the command to delete all matching rules. Because rules are matched only on the properties you supply, a partial set of properties combined with <code class="docutils literal notranslate"><span class="pre">--force</span></code> can remove more rules than intended; review the ACL's rule lists before using it.</p>
</div><div aria-labelledby="tab-5-QVBJ" class="sphinx-tabs-panel group-tab" hidden="true" id="panel-5-QVBJ" name="QVBJ" role="tabpanel" tabindex="0"><p>There is no specific endpoint for removing a rule. Instead, you must <a class="reference internal" href="#network-acls-edit"><span class="std std-ref">edit the full ACL</span></a>, which contains the <code class="docutils literal notranslate"><span class="pre">egress</span></code> and <code class="docutils literal notranslate"><span class="pre">ingress</span></code> lists.</p>
</div><div aria-labelledby="tab-5-VUk=" class="sphinx-tabs-panel group-tab" hidden="true" id="panel-5-VUk=" name="VUk=" role="tabpanel" tabindex="0"><p>To remove a rule from an ACL, go to the ACL’s <a class="reference internal" href="#network-acls-show"><span class="std std-ref">detail page</span></a>. From the row of the rule to remove, click the <span class="guilabel">Delete</span> button.</p>
<figure class="align-default">
<a class="reference internal image-reference" href="../../_images/network_ACL_remove_edit.png"><img alt="Remove a rule from an ACL in LXD" src="../../_images/network_ACL_remove_edit.png" style="width: 80%;" />
</a>
</figure>
<p>Note that the <span class="guilabel">Save changes</span> button displays the number of changes you have made. Save your changes.</p>
</div></div>
</section>
<section id="edit-a-rule">
<h3>Edit a rule<a class="headerlink" href="#edit-a-rule" title="Link to this heading">¶</a></h3>
<p>You cannot edit a rule directly. Instead, you must <a class="reference internal" href="#network-acls-edit"><span class="std std-ref">edit the full ACL</span></a>, which contains the <code class="docutils literal notranslate"><span class="pre">egress</span></code> and <code class="docutils literal notranslate"><span class="pre">ingress</span></code> lists.</p>
</section>
<section id="rule-ordering-and-application-of-actions">
<h3>Rule ordering and application of actions<a class="headerlink" href="#rule-ordering-and-application-of-actions" title="Link to this heading">¶</a></h3>
<p>ACL rules are defined as lists, but their position within the list does not affect how they are applied: you cannot rely on list order to make one rule take precedence over another.</p>
<p>Instead, LXD automatically prioritizes rules based on their <code class="docutils literal notranslate"><span class="pre">action</span></code> property, evaluating them in the following order:</p>
<ul class="simple">
<li><p><code class="docutils literal notranslate"><span class="pre">drop</span></code></p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">reject</span></code></p></li>
<li><p><code class="docutils literal notranslate"><span class="pre">allow</span></code></p></li>
<li><p>The default action, applied to traffic that matches no rule (<code class="docutils literal notranslate"><span class="pre">reject</span></code> unless changed, see <a class="reference internal" href="#network-acls-defaults"><span class="std std-ref">Configure default actions</span></a>)</p></li>
</ul>
<p>When you assign multiple ACLs to a NIC, you do not need to coordinate rule order across them; the action-based priority above applies to all rules from all assigned ACLs. As soon as a rule matches, its action is applied and no further rules are evaluated. Because <code class="docutils literal notranslate"><span class="pre">drop</span></code> and <code class="docutils literal notranslate"><span class="pre">reject</span></code> rules are evaluated before <code class="docutils literal notranslate"><span class="pre">allow</span></code> rules, a broad deny rule (for example, one with an empty <code class="docutils literal notranslate"><span class="pre">source</span></code> and <code class="docutils literal notranslate"><span class="pre">destination</span></code>) cannot be overridden by a more specific <code class="docutils literal notranslate"><span class="pre">allow</span></code> rule in the same or another ACL. To permit an exception, narrow the deny rule's match criteria instead of adding an <code class="docutils literal notranslate"><span class="pre">allow</span></code> rule.</p>
</section>
<section id="rule-properties">
<span id="network-acls-rule-properties"></span><h3>Rule properties<a class="headerlink" href="#rule-properties" title="Link to this heading">¶</a></h3>
<p>ACL rules have the following properties:</p>
<div class="configoption docutils container" id="network-acl-rule-properties:action">
<div class="basicinfo docutils container">
<span class="key"><code class="docutils literal notranslate"><span class="pre">action</span></code></span><span class="shortdesc"><p>Action to take for matching traffic</p>
</span><span class="anchor"><a class="reference external" href="#network-acl-rule-properties:action"><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></a></span></div>
<div class="details docutils container">
<div class="table-wrapper fields docutils container">
<table class="fields docutils align-default">
<tbody>
<tr class="row-odd"><td><strong>Key: </strong></td>
<td><code class="docutils literal notranslate"><span class="pre">action</span></code></td>
</tr>
<tr class="row-even"><td><strong>Type: </strong></td>
<td><span class="ignoreP"><p>string</p>
</span></td>
</tr>
<tr class="row-odd"><td><strong>Required: </strong></td>
<td><span class="ignoreP"><p>yes</p>
</span></td>
</tr>
</tbody>
</table>
</div>
<p>Possible values are <code class="docutils literal notranslate"><span class="pre">allow</span></code>, <code class="docutils literal notranslate"><span class="pre">reject</span></code>, and <code class="docutils literal notranslate"><span class="pre">drop</span></code>.</p>
</div>
</div>
<div class="configoption docutils container" id="network-acl-rule-properties:description">
<div class="basicinfo docutils container">
<span class="key"><code class="docutils literal notranslate"><span class="pre">description</span></code></span><span class="shortdesc"><p>Description of the rule</p>
</span><span class="anchor"><a class="reference external" href="#network-acl-rule-properties:description"><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></a></span></div>
<div class="details docutils container">
<div class="table-wrapper fields docutils container">
<table class="fields docutils align-default">
<tbody>
<tr class="row-odd"><td><strong>Key: </strong></td>
<td><code class="docutils literal notranslate"><span class="pre">description</span></code></td>
</tr>
<tr class="row-even"><td><strong>Type: </strong></td>
<td><span class="ignoreP"><p>string</p>
</span></td>
</tr>
<tr class="row-odd"><td><strong>Required: </strong></td>
<td><span class="ignoreP"><p>no</p>
</span></td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<div class="configoption docutils container" id="network-acl-rule-properties:destination">
<div class="basicinfo docutils container">
<span class="key"><code class="docutils literal notranslate"><span class="pre">destination</span></code></span><span class="shortdesc"><p>Comma-separated list of destinations</p>
</span><span class="anchor"><a class="reference external" href="#network-acl-rule-properties:destination"><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></a></span></div>
<div class="details docutils container">
<div class="table-wrapper fields docutils container">
<table class="fields docutils align-default">
<tbody>
<tr class="row-odd"><td><strong>Key: </strong></td>
<td><code class="docutils literal notranslate"><span class="pre">destination</span></code></td>
</tr>
<tr class="row-even"><td><strong>Type: </strong></td>
<td><span class="ignoreP"><p>string</p>
</span></td>
</tr>
<tr class="row-odd"><td><strong>Required: </strong></td>
<td><span class="ignoreP"><p>no</p>
</span></td>
</tr>
</tbody>
</table>
</div>
<p>Destinations can be specified as CIDR or IP ranges, destination subject name selectors (for egress rules), or be left empty for any.</p>
</div>
</div>
<div class="configoption docutils container" id="network-acl-rule-properties:destination_port">
<div class="basicinfo docutils container">
<span class="key"><code class="docutils literal notranslate"><span class="pre">destination_port</span></code></span><span class="shortdesc"><p>Destination ports or port ranges</p>
</span><span class="anchor"><a class="reference external" href="#network-acl-rule-properties:destination_port"><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></a></span></div>
<div class="details docutils container">
<div class="table-wrapper fields docutils container">
<table class="fields docutils align-default">
<tbody>
<tr class="row-odd"><td><strong>Key: </strong></td>
<td><code class="docutils literal notranslate"><span class="pre">destination_port</span></code></td>
</tr>
<tr class="row-even"><td><strong>Type: </strong></td>
<td><span class="ignoreP"><p>string</p>
</span></td>
</tr>
<tr class="row-odd"><td><strong>Required: </strong></td>
<td><span class="ignoreP"><p>no</p>
</span></td>
</tr>
</tbody>
</table>
</div>
<p>This option is valid only if the protocol is <code class="docutils literal notranslate"><span class="pre">udp</span></code> or <code class="docutils literal notranslate"><span class="pre">tcp</span></code>.
Specify a comma-separated list of ports or port ranges (start-end inclusive), or leave the value empty for any.</p>
</div>
</div>
<div class="configoption docutils container" id="network-acl-rule-properties:icmp_code">
<div class="basicinfo docutils container">
<span class="key"><code class="docutils literal notranslate"><span class="pre">icmp_code</span></code></span><span class="shortdesc"><p>ICMP message code</p>
</span><span class="anchor"><a class="reference external" href="#network-acl-rule-properties:icmp_code"><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></a></span></div>
<div class="details docutils container">
<div class="table-wrapper fields docutils container">
<table class="fields docutils align-default">
<tbody>
<tr class="row-odd"><td><strong>Key: </strong></td>
<td><code class="docutils literal notranslate"><span class="pre">icmp_code</span></code></td>
</tr>
<tr class="row-even"><td><strong>Type: </strong></td>
<td><span class="ignoreP"><p>string</p>
</span></td>
</tr>
<tr class="row-odd"><td><strong>Required: </strong></td>
<td><span class="ignoreP"><p>no</p>
</span></td>
</tr>
</tbody>
</table>
</div>
<p>This option is valid only if the protocol is <code class="docutils literal notranslate"><span class="pre">icmp4</span></code> or <code class="docutils literal notranslate"><span class="pre">icmp6</span></code>.
Specify the ICMP code number, or leave the value empty for any.</p>
</div>
</div>
<div class="configoption docutils container" id="network-acl-rule-properties:icmp_type">
<div class="basicinfo docutils container">
<span class="key"><code class="docutils literal notranslate"><span class="pre">icmp_type</span></code></span><span class="shortdesc"><p>Type of ICMP message</p>
</span><span class="anchor"><a class="reference external" href="#network-acl-rule-properties:icmp_type"><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></a></span></div>
<div class="details docutils container">
<div class="table-wrapper fields docutils container">
<table class="fields docutils align-default">
<tbody>
<tr class="row-odd"><td><strong>Key: </strong></td>
<td><code class="docutils literal notranslate"><span class="pre">icmp_type</span></code></td>
</tr>
<tr class="row-even"><td><strong>Type: </strong></td>
<td><span class="ignoreP"><p>string</p>
</span></td>
</tr>
<tr class="row-odd"><td><strong>Required: </strong></td>
<td><span class="ignoreP"><p>no</p>
</span></td>
</tr>
</tbody>
</table>
</div>
<p>This option is valid only if the protocol is <code class="docutils literal notranslate"><span class="pre">icmp4</span></code> or <code class="docutils literal notranslate"><span class="pre">icmp6</span></code>.
Specify the ICMP type number, or leave the value empty for any.</p>
</div>
</div>
<div class="configoption docutils container" id="network-acl-rule-properties:protocol">
<div class="basicinfo docutils container">
<span class="key"><code class="docutils literal notranslate"><span class="pre">protocol</span></code></span><span class="shortdesc"><p>Protocol to match</p>
</span><span class="anchor"><a class="reference external" href="#network-acl-rule-properties:protocol"><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></a></span></div>
<div class="details docutils container">
<div class="table-wrapper fields docutils container">
<table class="fields docutils align-default">
<tbody>
<tr class="row-odd"><td><strong>Key: </strong></td>
<td><code class="docutils literal notranslate"><span class="pre">protocol</span></code></td>
</tr>
<tr class="row-even"><td><strong>Type: </strong></td>
<td><span class="ignoreP"><p>string</p>
</span></td>
</tr>
<tr class="row-odd"><td><strong>Required: </strong></td>
<td><span class="ignoreP"><p>no</p>
</span></td>
</tr>
</tbody>
</table>
</div>
<p>Possible values are <code class="docutils literal notranslate"><span class="pre">icmp4</span></code>, <code class="docutils literal notranslate"><span class="pre">icmp6</span></code>, <code class="docutils literal notranslate"><span class="pre">tcp</span></code>, and <code class="docutils literal notranslate"><span class="pre">udp</span></code>.
Leave the value empty to match any protocol.</p>
</div>
</div>
<div class="configoption docutils container" id="network-acl-rule-properties:source">
<div class="basicinfo docutils container">
<span class="key"><code class="docutils literal notranslate"><span class="pre">source</span></code></span><span class="shortdesc"><p>Comma-separated list of sources</p>
</span><span class="anchor"><a class="reference external" href="#network-acl-rule-properties:source"><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></a></span></div>
<div class="details docutils container">
<div class="table-wrapper fields docutils container">
<table class="fields docutils align-default">
<tbody>
<tr class="row-odd"><td><strong>Key: </strong></td>
<td><code class="docutils literal notranslate"><span class="pre">source</span></code></td>
</tr>
<tr class="row-even"><td><strong>Type: </strong></td>
<td><span class="ignoreP"><p>string</p>
</span></td>
</tr>
<tr class="row-odd"><td><strong>Required: </strong></td>
<td><span class="ignoreP"><p>no</p>
</span></td>
</tr>
</tbody>
</table>
</div>
<p>Sources can be specified as CIDR or IP ranges, source subject name selectors (for ingress rules), or be left empty for any.</p>
</div>
</div>
<div class="configoption docutils container" id="network-acl-rule-properties:source_port">
<div class="basicinfo docutils container">
<span class="key"><code class="docutils literal notranslate"><span class="pre">source_port</span></code></span><span class="shortdesc"><p>Source ports or port ranges</p>
</span><span class="anchor"><a class="reference external" href="#network-acl-rule-properties:source_port"><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></a></span></div>
<div class="details docutils container">
<div class="table-wrapper fields docutils container">
<table class="fields docutils align-default">
<tbody>
<tr class="row-odd"><td><strong>Key: </strong></td>
<td><code class="docutils literal notranslate"><span class="pre">source_port</span></code></td>
</tr>
<tr class="row-even"><td><strong>Type: </strong></td>
<td><span class="ignoreP"><p>string</p>
</span></td>
</tr>
<tr class="row-odd"><td><strong>Required: </strong></td>
<td><span class="ignoreP"><p>no</p>
</span></td>
</tr>
</tbody>
</table>
</div>
<p>This option is valid only if the protocol is <code class="docutils literal notranslate"><span class="pre">udp</span></code> or <code class="docutils literal notranslate"><span class="pre">tcp</span></code>.
Specify a comma-separated list of ports or port ranges (start-end inclusive), or leave the value empty for any.</p>
</div>
</div>
<div class="configoption docutils container" id="network-acl-rule-properties:state">
<div class="basicinfo docutils container">
<span class="key"><code class="docutils literal notranslate"><span class="pre">state</span></code></span><span class="shortdesc"><p>State of the rule</p>
</span><span class="anchor"><a class="reference external" href="#network-acl-rule-properties:state"><i class="icon"><svg><use href="#svg-arrow-right"></use></svg></i></a></span></div>
<div class="details docutils container">
<div class="table-wrapper fields docutils container">
<table class="fields docutils align-default">
<tbody>
<tr class="row-odd"><td><strong>Key: </strong></td>
<td><code class="docutils literal notranslate"><span class="pre">state</span></code></td>
</tr>
<tr class="row-even"><td><strong>Type: </strong></td>
<td><span class="ignoreP"><p>string</p>
</span></td>
</tr>
<tr class="row-odd"><td><strong>Default: </strong></td>
<td><span class="ignoreP"><p><code class="docutils literal notranslate"><span class="pre">enabled</span></code></p>
</span></td>
</tr>
<tr class="row-even"><td><strong>Required: </strong></td>
<td><span class="ignoreP"><p>yes</p>
</span></td>
</tr>
</tbody>
</table>
</div>
<p>Possible values are <code class="docutils literal notranslate"><span class="pre">enabled</span></code>, <code class="docutils literal notranslate"><span class="pre">disabled</span></code>, and <code class="docutils literal notranslate"><span class="pre">logged</span></code>.</p>
</div>
</div>
</section>
<section id="use-selectors-in-rules">
<span id="network-acls-selectors"></span><h3>Use selectors in rules<a class="headerlink" href="#use-selectors-in-rules" title="Link to this heading">¶</a></h3>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>This feature is supported only for the <a class="reference internal" href="../../reference/devices_nic/#nic-ovn"><span class="std std-ref">OVN NIC type</span></a> and the <a class="reference internal" href="../../reference/network_ovn/#network-ovn"><span class="std std-ref">OVN network</span></a>.</p>
</div>
<p>In ACL rules, the <code class="docutils literal notranslate"><span class="pre">source</span></code> and <code class="docutils literal notranslate"><span class="pre">destination</span></code> properties support using selectors instead of CIDR blocks or IP ranges. You can only use selectors in the <code class="docutils literal notranslate"><span class="pre">source</span></code> of <code class="docutils literal notranslate"><span class="pre">ingress</span></code> rules, and in the <code class="docutils literal notranslate"><span class="pre">destination</span></code> of <code class="docutils literal notranslate"><span class="pre">egress</span></code> rules.</p>
<p>Using selectors allows you to define rules for groups of instances instead of managing lists of IP addresses or subnets manually.</p>
<p>There are two types of selectors:</p>
<ul class="simple">
<li><p>subject name selectors (ACL groups)</p></li>
<li><p>network subject selectors</p></li>
</ul>
<section id="subject-name-selectors-acl-groups">
<span id="network-acls-selectors-subject-name"></span><h4>Subject name selectors (ACL groups)<a class="headerlink" href="#subject-name-selectors-acl-groups" title="Link to this heading">¶</a></h4>
<p>When an ACL is assigned to multiple instance NICs, either directly or through their networks, those NICs form a logical port group. You can use the name of that ACL as a <em>subject name selector</em> to refer to that group in the egress and ingress lists of other ACLs.</p>
<p>For example, if you have an ACL with the name <code class="docutils literal notranslate"><span class="pre">my-acl</span></code>, you can specify the group of instance NICs that are assigned this ACL as an egress or ingress rule’s source by setting <code class="docutils literal notranslate"><span class="pre">source</span></code> to <code class="docutils literal notranslate"><span class="pre">my-acl</span></code>.</p>
</section>
<section id="network-subject-selectors">
<span id="network-acls-selectors-network-subject"></span><h4>Network subject selectors<a class="headerlink" href="#network-subject-selectors" title="Link to this heading">¶</a></h4>
<p>Use <em>network subject selectors</em> to define rules based on the network that the traffic is coming from or going to.</p>
<p>All network subject selectors begin with the <code class="docutils literal notranslate"><span class="pre">@</span></code> symbol. There are two special network subject selectors called <code class="docutils literal notranslate"><span class="pre">@internal</span></code> and <code class="docutils literal notranslate"><span class="pre">@external</span></code>. They represent the network’s local and external traffic, respectively.</p>
<p>Here’s an example ACL rule (in YAML) that allows all internal traffic with the specified destination port:</p>
<div class="highlight-yaml notranslate"><div class="highlight"><pre><span></span><span class="nt">ingress</span><span class="p">:</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">action</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">allow</span>
<span class="w"> </span><span class="nt">description</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Allow HTTP/HTTPS from internal</span>
<span class="w"> </span><span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">tcp</span>
<span class="w"> </span><span class="nt">source</span><span class="p">:</span><span class="w"> </span><span class="s">"@internal"</span>
<span class="w"> </span><span class="nt">destination_port</span><span class="p">:</span><span class="w"> </span><span class="s">"80,443"</span>
<span class="w"> </span><span class="nt">state</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">enabled</span>
</pre></div>
</div>
<p>If your network supports <a class="reference internal" href="../network_ovn_peers/"><span class="std std-doc">network peers</span></a>, you can reference traffic to or from the peer connection by using a network subject selector in the format <code class="docutils literal notranslate"><span class="pre">@<network-name>/<peer-name></span></code>. Example:</p>
<div class="highlight-yaml notranslate"><div class="highlight"><pre><span></span><span class="nt">source</span><span class="p">:</span><span class="w"> </span><span class="s">"@my-network/my-peer"</span>
</pre></div>
</div>
<p>When using a network subject selector in this format, the network that has the ACL assigned to it must have the specified peer connection.</p>
</section>
</section>
<section id="log-traffic">
<span id="network-acls-log"></span><h3>Log traffic<a class="headerlink" href="#log-traffic" title="Link to this heading">¶</a></h3>
<p>ACL rules are primarily used to control network traffic between instances and networks. However, they can also be used to log specific types of traffic, which is useful for monitoring or testing rules before enabling them.</p>
<p>To configure a rule so that it only logs traffic, configure its <code class="docutils literal notranslate"><span class="pre">state</span></code> to <code class="docutils literal notranslate"><span class="pre">logged</span></code> when you <a class="reference internal" href="#network-acls-rules"><span class="std std-ref">add the rule</span></a> or <a class="reference internal" href="#network-acls-edit"><span class="std std-ref">edit the ACL</span></a>.</p>
<section id="view-logs">
<h4>View logs<a class="headerlink" href="#view-logs" title="Link to this heading">¶</a></h4>
<div class="sphinx-tabs docutils container">
<div aria-label="Tabbed content" class="closeable" role="tablist"><button aria-controls="panel-6-Q0xJ" aria-selected="true" class="sphinx-tabs-tab group-tab" id="tab-6-Q0xJ" name="Q0xJ" role="tab" tabindex="0">CLI</button><button aria-controls="panel-6-QVBJ" aria-selected="false" class="sphinx-tabs-tab group-tab" id="tab-6-QVBJ" name="QVBJ" role="tab" tabindex="-1">API</button><button aria-controls="panel-6-VUk=" aria-selected="false" class="sphinx-tabs-tab group-tab" id="tab-6-VUk=" name="VUk=" role="tab" tabindex="-1">UI</button></div><div aria-labelledby="tab-6-Q0xJ" class="sphinx-tabs-panel group-tab" id="panel-6-Q0xJ" name="Q0xJ" role="tabpanel" tabindex="0"><p>To display the logs for all <code class="docutils literal notranslate"><span class="pre">logged</span></code> rules in an ACL, run:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>network<span class="w"> </span>acl<span class="w"> </span>show-log<span class="w"> </span><ACL-name>
</pre></div>
</div>
</div><div aria-labelledby="tab-6-QVBJ" class="sphinx-tabs-panel group-tab" hidden="true" id="panel-6-QVBJ" name="QVBJ" role="tabpanel" tabindex="0"><p>To display the logs for all <code class="docutils literal notranslate"><span class="pre">logged</span></code> rules in an ACL, query the <a class="reference external" href="/api/#/network-acls/network_acl_log_get"><code class="docutils literal notranslate"><span class="pre">GET</span> <span class="pre">/1.0/network-acls/{ACL-name}/log</span></code></a> endpoint:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>query<span class="w"> </span>--request<span class="w"> </span>GET<span class="w"> </span>/1.0/network-acls/<span class="o">{</span>ACL-name<span class="o">}</span>/log
</pre></div>
</div>
<p class="rubric" id="id2">Example</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>query<span class="w"> </span>--request<span class="w"> </span>GET<span class="w"> </span>/1.0/network-acls/my-acl/log
</pre></div>
</div>
</div><div aria-labelledby="tab-6-VUk=" class="sphinx-tabs-panel group-tab" hidden="true" id="panel-6-VUk=" name="VUk=" role="tabpanel" tabindex="0"><p>Download a <code class="docutils literal notranslate"><span class="pre">.log</span></code> file of your ACL’s logs from its <a class="reference internal" href="#network-acls-show"><span class="std std-ref">detail page</span></a> by clicking the <span class="guilabel">Download logs</span> button in the upper-right corner.</p>
</div></div>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>If your attempt to view logs returns no data, that means either:</p>
<ul class="simple">
<li><p>No <code class="docutils literal notranslate"><span class="pre">logged</span></code> rules have matched any traffic yet.</p></li>
<li><p>The ACL does not contain any rules with a <code class="docutils literal notranslate"><span class="pre">state</span></code> of <code class="docutils literal notranslate"><span class="pre">logged</span></code>.</p></li>
</ul>
<p>When displaying logs for an ACL, LXD intentionally displays all existing logs for that ACL, including logs from formerly <code class="docutils literal notranslate"><span class="pre">logged</span></code> rules that are no longer set to log traffic. Thus, if you see logs from an ACL rule, that does not necessarily mean that its <code class="docutils literal notranslate"><span class="pre">state</span></code> is <em>currently</em> set to <code class="docutils literal notranslate"><span class="pre">logged</span></code>.</p>
</div>
</section>
</section>
</section>
<section id="edit-an-acl">
<span id="network-acls-edit"></span><h2>Edit an ACL<a class="headerlink" href="#edit-an-acl" title="Link to this heading">¶</a></h2>
<section id="rename-an-acl">
<span id="network-acls-edit-rename"></span><h3>Rename an ACL<a class="headerlink" href="#rename-an-acl" title="Link to this heading">¶</a></h3>
<p>Requirements:</p>
<ul class="simple">
<li><p>You can only rename an ACL that is not currently <a class="reference internal" href="#network-acls-assign"><span class="std std-ref">assigned to a NIC or network</span></a>.</p></li>
<li><p>The new name must meet the <a class="reference internal" href="#network-acls-name-requirements"><span class="std std-ref">Name requirements</span></a>.</p></li>
</ul>
<div class="sphinx-tabs docutils container">
<div aria-label="Tabbed content" class="closeable" role="tablist"><button aria-controls="panel-7-Q0xJ" aria-selected="true" class="sphinx-tabs-tab group-tab" id="tab-7-Q0xJ" name="Q0xJ" role="tab" tabindex="0">CLI</button><button aria-controls="panel-7-QVBJ" aria-selected="false" class="sphinx-tabs-tab group-tab" id="tab-7-QVBJ" name="QVBJ" role="tab" tabindex="-1">API</button><button aria-controls="panel-7-VUk=" aria-selected="false" class="sphinx-tabs-tab group-tab" id="tab-7-VUk=" name="VUk=" role="tab" tabindex="-1">UI</button></div><div aria-labelledby="tab-7-Q0xJ" class="sphinx-tabs-panel group-tab" id="panel-7-Q0xJ" name="Q0xJ" role="tabpanel" tabindex="0"><p>To rename an ACL, run:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>network<span class="w"> </span>acl<span class="w"> </span>rename<span class="w"> </span><old-ACL-name><span class="w"> </span><new-ACL-name>
</pre></div>
</div>
</div><div aria-labelledby="tab-7-QVBJ" class="sphinx-tabs-panel group-tab" hidden="true" id="panel-7-QVBJ" name="QVBJ" role="tabpanel" tabindex="0"><p>To rename an ACL, query the <a class="reference external" href="/api/#/network-acls/network_acl_post"><code class="docutils literal notranslate"><span class="pre">POST</span> <span class="pre">/1.0/network-acls/{ACL-name}</span></code></a> endpoint:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>query<span class="w"> </span>--request<span class="w"> </span>POST<span class="w"> </span>/1.0/network-acls/<span class="o">{</span>ACL-name<span class="o">}</span><span class="w"> </span>--data<span class="w"> </span><span class="s1">'{</span>
<span class="s1"> "name": "<new-ACL-name>"</span>
<span class="s1">}'</span>
</pre></div>
</div>
<p class="rubric" id="id3">Example</p>
<p>Rename an ACL named <code class="docutils literal notranslate"><span class="pre">web-traffic</span></code> to <code class="docutils literal notranslate"><span class="pre">internal-web-traffic</span></code>:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>query<span class="w"> </span>--request<span class="w"> </span>POST<span class="w"> </span>/1.0/network-acls/web-traffic<span class="w"> </span>--data<span class="w"> </span><span class="s1">'{</span>
<span class="s1"> "name": "internal-web-traffic"</span>
<span class="s1">}'</span>
</pre></div>
</div>
</div><div aria-labelledby="tab-7-VUk=" class="sphinx-tabs-panel group-tab" hidden="true" id="panel-7-VUk=" name="VUk=" role="tabpanel" tabindex="0"><p>To rename an ACL, go to its <a class="reference internal" href="#network-acls-show"><span class="std std-ref">detail page</span></a> and select its name in the header.</p>
</div></div>
</section>
<section id="edit-other-properties">
<span id="network-acls-edit-properties"></span><h3>Edit other properties<a class="headerlink" href="#edit-other-properties" title="Link to this heading">¶</a></h3>
<div class="sphinx-tabs docutils container">
<div aria-label="Tabbed content" class="closeable" role="tablist"><button aria-controls="panel-8-Q0xJ" aria-selected="true" class="sphinx-tabs-tab group-tab" id="tab-8-Q0xJ" name="Q0xJ" role="tab" tabindex="0">CLI</button><button aria-controls="panel-8-QVBJ" aria-selected="false" class="sphinx-tabs-tab group-tab" id="tab-8-QVBJ" name="QVBJ" role="tab" tabindex="-1">API</button><button aria-controls="panel-8-VUk=" aria-selected="false" class="sphinx-tabs-tab group-tab" id="tab-8-VUk=" name="VUk=" role="tab" tabindex="-1">UI</button></div><div aria-labelledby="tab-8-Q0xJ" class="sphinx-tabs-panel group-tab" id="panel-8-Q0xJ" name="Q0xJ" role="tabpanel" tabindex="0"><p>Run:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>network<span class="w"> </span>acl<span class="w"> </span>edit<span class="w"> </span><ACL-name>
</pre></div>
</div>
<p>This command opens the ACL configuration in YAML format for editing. You can edit any part of the configuration, including the custom user keys, <em>except</em> for the ACL name.</p>
</div><div aria-labelledby="tab-8-QVBJ" class="sphinx-tabs-panel group-tab" hidden="true" id="panel-8-QVBJ" name="QVBJ" role="tabpanel" tabindex="0"><p>You can update any ACL property except for <code class="docutils literal notranslate"><span class="pre">name</span></code>, including the custom user keys, by querying the <a class="reference external" href="/api/#/network-acls/network_acl_put"><code class="docutils literal notranslate"><span class="pre">PUT</span> <span class="pre">/1.0/network-acls/{ACL-name}</span></code></a> endpoint:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>query<span class="w"> </span>--request<span class="w"> </span>PUT<span class="w"> </span>/1.0/network-acls/<span class="o">{</span>ACL-name<span class="o">}</span><span class="w"> </span>--data<span class="w"> </span><span class="s1">'{</span>
<span class="s1"> "config": {</span>
<span class="s1"> "user.<custom key name>": "<custom key value>"</span>
<span class="s1"> },</span>
<span class="s1"> "description": "<description of the ACL>",</span>
<span class="s1"> "egress": [<egress rule>, <another egress rule...>,...],</span>
<span class="s1"> "ingress": [<ingress rule>, <another ingress rule...>,...]</span>
<span class="s1">}'</span>
</pre></div>
</div>
<div class="admonition caution">
<p class="admonition-title">Caution</p>
<p>Any properties you omit from this request (aside from the ACL <code class="docutils literal notranslate"><span class="pre">name</span></code>) will be reset to defaults. See: <a class="reference internal" href="../../rest-api/#rest-api-put"><span class="std std-ref">The PUT method</span></a>.</p>
</div>
<p>If you <em>only</em> want to update the <code class="docutils literal notranslate"><span class="pre">config</span></code> custom user keys, see: <a class="reference internal" href="#network-acls-edit-custom-api"><span class="std std-ref">Edit a custom user key via PATCH API</span></a>.</p>
<p class="rubric" id="id4">Example</p>
<p>Consider an ACL named <code class="docutils literal notranslate"><span class="pre">my-acl</span></code> with the following properties (shown in JSON):</p>
<div class="highlight-json notranslate"><div class="highlight"><pre><span></span><span class="p">{</span>
<span class="w"> </span><span class="nt">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"my-acl"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"config"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nt">"user.my-key"</span><span class="p">:</span><span class="w"> </span><span class="s2">"my-value"</span>
<span class="w"> </span><span class="p">},</span>
<span class="w"> </span><span class="nt">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">"My test ACL"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"egress"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
<span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nt">"action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"allow"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"state"</span><span class="p">:</span><span class="w"> </span><span class="s2">"logged"</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">],</span>
<span class="w"> </span><span class="nt">"ingress"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
<span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nt">"action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"drop"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"state"</span><span class="p">:</span><span class="w"> </span><span class="s2">"enabled"</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">]</span>
<span class="p">}</span>
</pre></div>
</div>
<p>This query updates that ACL’s <code class="docutils literal notranslate"><span class="pre">egress</span></code> rule <code class="docutils literal notranslate"><span class="pre">state</span></code> from <code class="docutils literal notranslate"><span class="pre">logged</span></code> to <code class="docutils literal notranslate"><span class="pre">enabled</span></code>:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>query<span class="w"> </span>--request<span class="w"> </span>PUT<span class="w"> </span>/1.0/network-acls/my-acl<span class="w"> </span>--data<span class="w"> </span><span class="s1">'{</span>
<span class="s1"> "egress": [</span>
<span class="s1"> {</span>
<span class="s1"> "action": "allow",</span>
<span class="s1"> "state": "enabled"</span>
<span class="s1"> }</span>
<span class="s1"> ]</span>
<span class="s1">}'</span>
</pre></div>
</div>
<p>After the above query is run, <code class="docutils literal notranslate"><span class="pre">my-acl</span></code> contains the following properties:</p>
<div class="highlight-json notranslate"><div class="highlight"><pre><span></span><span class="p">{</span>
<span class="w"> </span><span class="nt">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"my-acl"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"config"</span><span class="p">:</span><span class="w"> </span><span class="p">{},</span>
<span class="w"> </span><span class="nt">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"egress"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span>
<span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nt">"action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"allow"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"state"</span><span class="p">:</span><span class="w"> </span><span class="s2">"enabled"</span>
<span class="w"> </span><span class="p">}</span>
<span class="w"> </span><span class="p">],</span>
<span class="w"> </span><span class="nt">"ingress"</span><span class="p">:</span><span class="w"> </span><span class="p">[]</span>
<span class="p">}</span>
</pre></div>
</div>
<p>Note that the <code class="docutils literal notranslate"><span class="pre">description</span></code> and <code class="docutils literal notranslate"><span class="pre">ingress</span></code> properties have been reset to defaults because they were not provided in the API request.</p>
<p>To avoid this behavior and preserve the values of any existing properties, you must include them in the <code class="docutils literal notranslate"><span class="pre">PUT</span></code> request along with the updated property:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>query<span class="w"> </span>--request<span class="w"> </span>PUT<span class="w"> </span>/1.0/network-acls/my-acl<span class="w"> </span>--data<span class="w"> </span><span class="s1">'{</span>
<span class="s1"> "description": "My test ACL",</span>
<span class="s1"> "egress": [</span>
<span class="s1"> {</span>
<span class="s1"> "action": "allow",</span>
<span class="s1"> "state": "enabled"</span>
<span class="s1"> }</span>
<span class="s1"> ],</span>
<span class="s1"> "ingress": [</span>
<span class="s1"> {</span>
<span class="s1"> "action": "drop",</span>
<span class="s1"> "state": "enabled"</span>
<span class="s1"> }</span>
<span class="s1"> ]</span>
<span class="s1">}'</span>
</pre></div>
</div>
</div><div aria-labelledby="tab-8-VUk=" class="sphinx-tabs-panel group-tab" hidden="true" id="panel-8-VUk=" name="VUk=" role="tabpanel" tabindex="0"><p>To edit an ACL, navigate to its <a class="reference internal" href="#network-acls-show"><span class="std std-ref">detail page</span></a>. From here, you can add or remove ingress or egress rules, as well as configure other settings.</p>
</div></div>
</section>
<section id="edit-a-custom-user-key-via-patch-api">
<span id="network-acls-edit-custom-api"></span><h3>Edit a custom user key via PATCH API<a class="headerlink" href="#edit-a-custom-user-key-via-patch-api" title="Link to this heading">¶</a></h3>
<p>There’s one more way to add or update a custom <code class="docutils literal notranslate"><span class="pre">config.user.*</span></code> key when using the API. Instead of the PUT method shown in the <a class="reference internal" href="#network-acls-edit-properties"><span class="std std-ref">Edit other properties</span></a> section above, you can query the <a class="reference external" href="/api/#/network-acls/network_acl_patch"><code class="docutils literal notranslate"><span class="pre">PATCH</span> <span class="pre">/1.0/network-acls/{ACL-name}</span></code></a> endpoint:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>query<span class="w"> </span>--request<span class="w"> </span>PATCH<span class="w"> </span>/1.0/network-acls/<span class="o">{</span>ACL-name<span class="o">}</span><span class="w"> </span>--data<span class="w"> </span><span class="s1">'{</span>
<span class="s1"> "config": {</span>
<span class="s1"> "user.<custom-key-name>": "<custom-key-value>"</span>
<span class="s1"> }</span>
<span class="s1">}'</span>
</pre></div>
</div>
<div class="admonition caution">
<p class="admonition-title">Caution</p>
<p>Any ACL properties you omit from this request (aside from <code class="docutils literal notranslate"><span class="pre">config</span></code> and <code class="docutils literal notranslate"><span class="pre">name</span></code>) will be reset to defaults.</p>
</div>
<p>This <code class="docutils literal notranslate"><span class="pre">PATCH</span></code> endpoint allows you to add or update custom <code class="docutils literal notranslate"><span class="pre">config.user.*</span></code> keys without affecting other existing <code class="docutils literal notranslate"><span class="pre">config.user.*</span></code> entries. However, this <a class="reference internal" href="../../rest-api/#rest-api-patch"><span class="std std-ref">partial update behavior</span></a> applies <em>only</em> to the <code class="docutils literal notranslate"><span class="pre">config</span></code> property. For the <code class="docutils literal notranslate"><span class="pre">description</span></code>, <code class="docutils literal notranslate"><span class="pre">egress</span></code>, and <code class="docutils literal notranslate"><span class="pre">ingress</span></code> properties, this request behaves like a <a class="reference internal" href="../../rest-api/#rest-api-put"><span class="std std-ref">PUT request</span></a>: it replaces any provided values and resets any omitted properties to their defaults. Thus, ensure you include any properties you want to keep.</p>
<section id="id5">
<h4>Example<a class="headerlink" href="#id5" title="Link to this heading">¶</a></h4>
<p>Consider an ACL named <code class="docutils literal notranslate"><span class="pre">my-acl</span></code> with the following properties (shown in JSON):</p>
<div class="highlight-json notranslate"><div class="highlight"><pre><span></span><span class="p">{</span>
<span class="w"> </span><span class="nt">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"my-acl"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">"My test ACL"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"config"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nt">"user.my-key1"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1"</span>
<span class="w"> </span><span class="p">}</span>
<span class="p">}</span>
</pre></div>
</div>
<p>The following query adds a <code class="docutils literal notranslate"><span class="pre">config.user.my-key2</span></code> key with the value of <code class="docutils literal notranslate"><span class="pre">2</span></code>:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>query<span class="w"> </span>--request<span class="w"> </span>PATCH<span class="w"> </span>/1.0/network-acls/my-acl<span class="w"> </span>--data<span class="w"> </span><span class="s1">'{</span>
<span class="s1"> "config": {</span>
<span class="s1"> "user.my-key2": "2"</span>
<span class="s1"> }</span>
<span class="s1">}'</span>
</pre></div>
</div>
<p>After sending the above request, <code class="docutils literal notranslate"><span class="pre">my-acl</span></code>’s properties are updated to:</p>
<div class="highlight-json notranslate"><div class="highlight"><pre><span></span><span class="p">{</span>
<span class="w"> </span><span class="nt">"name"</span><span class="p">:</span><span class="w"> </span><span class="s2">"my-acl"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"description"</span><span class="p">:</span><span class="w"> </span><span class="s2">""</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"config"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span>
<span class="w"> </span><span class="nt">"user.my-key1"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1"</span><span class="p">,</span>
<span class="w"> </span><span class="nt">"user.my-key2"</span><span class="p">:</span><span class="w"> </span><span class="s2">"2"</span>
<span class="w"> </span><span class="p">}</span>
<span class="p">}</span>
</pre></div>
</div>
<p>Note that the request <em>inserted</em> the new <code class="docutils literal notranslate"><span class="pre">user.my-key2</span></code> key without affecting the pre-existing <code class="docutils literal notranslate"><span class="pre">user.my-key1</span></code> key. Also notice that the <code class="docutils literal notranslate"><span class="pre">description</span></code> property was not sent in the request, and thus was reset to an empty value.</p>
</section>
</section>
</section>
<section id="delete-an-acl">
<span id="network-acls-delete"></span><h2>Delete an ACL<a class="headerlink" href="#delete-an-acl" title="Link to this heading">¶</a></h2>
<p>You can only delete an ACL that is not <a class="reference internal" href="#network-acls-assign"><span class="std std-ref">assigned to a NIC or network</span></a>.</p>
<div class="sphinx-tabs docutils container">
<div aria-label="Tabbed content" class="closeable" role="tablist"><button aria-controls="panel-9-Q0xJ" aria-selected="true" class="sphinx-tabs-tab group-tab" id="tab-9-Q0xJ" name="Q0xJ" role="tab" tabindex="0">CLI</button><button aria-controls="panel-9-QVBJ" aria-selected="false" class="sphinx-tabs-tab group-tab" id="tab-9-QVBJ" name="QVBJ" role="tab" tabindex="-1">API</button><button aria-controls="panel-9-VUk=" aria-selected="false" class="sphinx-tabs-tab group-tab" id="tab-9-VUk=" name="VUk=" role="tab" tabindex="-1">UI</button></div><div aria-labelledby="tab-9-Q0xJ" class="sphinx-tabs-panel group-tab" id="panel-9-Q0xJ" name="Q0xJ" role="tabpanel" tabindex="0"><p>To delete an ACL, run:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>network<span class="w"> </span>acl<span class="w"> </span>delete<span class="w"> </span><ACL-name>
</pre></div>
</div>
</div><div aria-labelledby="tab-9-QVBJ" class="sphinx-tabs-panel group-tab" hidden="true" id="panel-9-QVBJ" name="QVBJ" role="tabpanel" tabindex="0"><p>To delete an ACL, query the <a class="reference external" href="/api/#/network-acls/network_acl_delete"><code class="docutils literal notranslate"><span class="pre">DELETE</span> <span class="pre">/1.0/network-acls/{ACL-name}</span></code></a> endpoint:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>query<span class="w"> </span>--request<span class="w"> </span>DELETE<span class="w"> </span>/1.0/network-acls/<span class="o">{</span>ACL-name<span class="o">}</span>
</pre></div>
</div>
</div><div aria-labelledby="tab-9-VUk=" class="sphinx-tabs-panel group-tab" hidden="true" id="panel-9-VUk=" name="VUk=" role="tabpanel" tabindex="0"><p>To delete an ACL, first ensure that it is not assigned to a NIC or network. You can then delete it from its <a class="reference internal" href="#network-acls-show"><span class="std std-ref">detail page</span></a>.</p>
</div></div>
</section>
<section id="assign-an-acl">
<span id="network-acls-assign"></span><h2>Assign an ACL<a class="headerlink" href="#assign-an-acl" title="Link to this heading">¶</a></h2>
<p>An ACL is inactive until it is assigned to one of the following targets:</p>
<ul class="simple">
<li><p>an <a class="reference internal" href="../../reference/network_ovn/#network-ovn"><span class="std std-ref">OVN network</span></a></p></li>
<li><p>a <a class="reference internal" href="../../reference/network_bridge/#network-bridge"><span class="std std-ref">Bridge network</span></a></p></li>
<li><p>an <a class="reference internal" href="../../reference/devices_nic/#nic-ovn"><span class="std std-ref">OVN NIC type of an instance</span></a></p></li>
</ul>
<p>To assign an ACL, you must update the <code class="docutils literal notranslate"><span class="pre">security.acls</span></code> option within its target’s configuration.</p>
<p>Assigning one or more ACLs to a NIC or network adds a default rule that rejects all unmatched traffic. See <a class="reference internal" href="#network-acls-defaults"><span class="std std-ref">Configure default actions</span></a> for details.</p>
<section id="assign-an-acl-to-a-bridge-or-ovn-network">
<h3>Assign an ACL to a bridge or OVN network<a class="headerlink" href="#assign-an-acl-to-a-bridge-or-ovn-network" title="Link to this heading">¶</a></h3>
<div class="sphinx-tabs docutils container">
<div aria-label="Tabbed content" class="closeable" role="tablist"><button aria-controls="panel-10-Q0xJ" aria-selected="true" class="sphinx-tabs-tab group-tab" id="tab-10-Q0xJ" name="Q0xJ" role="tab" tabindex="0">CLI</button><button aria-controls="panel-10-QVBJ" aria-selected="false" class="sphinx-tabs-tab group-tab" id="tab-10-QVBJ" name="QVBJ" role="tab" tabindex="-1">API</button><button aria-controls="panel-10-VUk=" aria-selected="false" class="sphinx-tabs-tab group-tab" id="tab-10-VUk=" name="VUk=" role="tab" tabindex="-1">UI</button></div><div aria-labelledby="tab-10-Q0xJ" class="sphinx-tabs-panel group-tab" id="panel-10-Q0xJ" name="Q0xJ" role="tabpanel" tabindex="0"><p>To set the network’s <code class="docutils literal notranslate"><span class="pre">security.acls</span></code>, run the following command. Set the value to a string that contains the ACL name or names you want to add, and comma-separate multiple names:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>network<span class="w"> </span><span class="nb">set</span><span class="w"> </span><network-name><span class="w"> </span>security.acls<span class="o">=</span><span class="s2">"<ACL-name>[,<ACL-name>,...]"</span>
</pre></div>
</div>
<p>For more information about using <code class="docutils literal notranslate"><span class="pre">lxc</span> <span class="pre">network</span> <span class="pre">set</span></code>, see: <a class="reference internal" href="../network_configure/#network-configure"><span class="std std-ref">How to configure a network</span></a>.</p>
<p class="rubric" id="id6">Example</p>
<p>Set the <code class="docutils literal notranslate"><span class="pre">my-network</span></code> network’s <code class="docutils literal notranslate"><span class="pre">security.acls</span></code> to contain three ACLs:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>network<span class="w"> </span><span class="nb">set</span><span class="w"> </span>my-network<span class="w"> </span>security.acls<span class="o">=</span><span class="s2">"my-acl1,my-acl2,my-acl3"</span>
</pre></div>
</div>
</div><div aria-labelledby="tab-10-QVBJ" class="sphinx-tabs-panel group-tab" hidden="true" id="panel-10-QVBJ" name="QVBJ" role="tabpanel" tabindex="0"><p>To set the network’s <code class="docutils literal notranslate"><span class="pre">security.acls</span></code>, query the <a class="reference external" href="/api/#/networks/network_patch"><code class="docutils literal notranslate"><span class="pre">PATCH</span> <span class="pre">/1.0/networks/{network-name}</span></code></a> endpoint. Set the value to a string that contains the ACL name or names you want to add, and comma-separate multiple names:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>query<span class="w"> </span>--request<span class="w"> </span>PATCH<span class="w"> </span>/1.0/networks/<span class="o">{</span>network-name<span class="o">}</span><span class="w"> </span>--data<span class="w"> </span><span class="s1">'{</span>
<span class="s1"> "config": {</span>
<span class="s1"> "security.acls": "<ACL-name>[,<ACL-name>,...]"</span>
<span class="s1"> }</span>
<span class="s1">}'</span>
</pre></div>
</div>
<p class="rubric" id="id7">Example</p>
<p>Set the <code class="docutils literal notranslate"><span class="pre">my-network</span></code> network’s <code class="docutils literal notranslate"><span class="pre">security.acls</span></code> to contain three ACLs:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>query<span class="w"> </span>--request<span class="w"> </span>PATCH<span class="w"> </span>/1.0/networks/my-network<span class="w"> </span>--data<span class="w"> </span><span class="s1">'{</span>
<span class="s1"> "config": {</span>
<span class="s1"> "security.acls": "my-acl1,my-acl2,my-acl3"</span>
<span class="s1"> }</span>
<span class="s1">}'</span>
</pre></div>
</div>
</div><div aria-labelledby="tab-10-VUk=" class="sphinx-tabs-panel group-tab" hidden="true" id="panel-10-VUk=" name="VUk=" role="tabpanel" tabindex="0"><p>You can assign an ACL to a bridge or OVN network when <a class="reference internal" href="../network_create/#network-create"><span class="std std-ref">creating</span></a> or <a class="reference internal" href="../network_configure/#network-configure"><span class="std std-ref">editing</span></a> the network. In either case, select your pre-configured ACL from the <span class="guilabel">ACLs</span> dropdown.</p>
<figure class="align-default">
<a class="reference internal image-reference" href="../../_images/network_create.png"><img alt="Create a network in LXD" src="../../_images/network_create.png" style="width: 80%;" />
</a>
</figure>
</div></div>
</section>
<section id="assign-an-acl-to-the-ovn-nic-of-an-instance">
<h3>Assign an ACL to the OVN NIC of an instance<a class="headerlink" href="#assign-an-acl-to-the-ovn-nic-of-an-instance" title="Link to this heading">¶</a></h3>
<p>For <abbr title="Network Interface Cards">NICs</abbr>, ACLs can only be used with the <a class="reference internal" href="../../reference/devices_nic/#nic-ovn"><span class="std std-ref">OVN NIC type</span></a>.</p>
<p>A NIC is considered a type of instance <a class="reference internal" href="../../reference/devices/#devices"><span class="std std-ref">device</span></a>. For general information about configuring instance devices, see: <a class="reference internal" href="../instances_configure/#instances-configure-devices"><span class="std std-ref">Configure devices</span></a>.</p>
<div class="sphinx-tabs docutils container">
<div aria-label="Tabbed content" class="closeable" role="tablist"><button aria-controls="panel-11-Q0xJ" aria-selected="true" class="sphinx-tabs-tab group-tab" id="tab-11-Q0xJ" name="Q0xJ" role="tab" tabindex="0">CLI</button><button aria-controls="panel-11-QVBJ" aria-selected="false" class="sphinx-tabs-tab group-tab" id="tab-11-QVBJ" name="QVBJ" role="tab" tabindex="-1">API</button></div><div aria-labelledby="tab-11-Q0xJ" class="sphinx-tabs-panel group-tab" id="panel-11-Q0xJ" name="Q0xJ" role="tabpanel" tabindex="0"><p>To assign an ACL to an instance’s OVN NIC, run:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>config<span class="w"> </span>device<span class="w"> </span><span class="nb">set</span><span class="w"> </span><instance-name><span class="w"> </span><NIC-name><span class="w"> </span>security.acls<span class="o">=</span><span class="s2">"<ACL-name>[,<ACL-name>,...]"</span>
</pre></div>
</div>
<p class="rubric" id="id8">Example</p>
<p>Assign three ACLs to an instance’s OVN NIC:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>config<span class="w"> </span>device<span class="w"> </span><span class="nb">set</span><span class="w"> </span>my-instance<span class="w"> </span>my-ovn-nic<span class="w"> </span>security.acls<span class="o">=</span><span class="s2">"my-acl1,my-acl2,my-acl3"</span>
</pre></div>
</div>
</div><div aria-labelledby="tab-11-QVBJ" class="sphinx-tabs-panel group-tab" hidden="true" id="panel-11-QVBJ" name="QVBJ" role="tabpanel" tabindex="0"><p>To assign an ACL to an instance’s OVN NIC, query the <a class="reference external" href="/api/#/instances/instance_patch"><code class="docutils literal notranslate"><span class="pre">PATCH</span> <span class="pre">/1.0/instances/{instance-name}</span></code></a> endpoint. Set <code class="docutils literal notranslate"><span class="pre">security.acls</span></code> to a string that contains the ACL name or names you want to add, and comma-separate multiple names:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>query<span class="w"> </span>--request<span class="w"> </span>PATCH<span class="w"> </span>/1.0/instances/<span class="o">{</span>instance-name<span class="o">}</span><span class="w"> </span>--data<span class="w"> </span><span class="s1">'{</span>
<span class="s1"> "devices": {</span>
<span class="s1"> "<NIC-name>": {</span>
<span class="s1"> "network": "<network-name>",</span>
<span class="s1"> "type": "nic",</span>
<span class="s1"> "security.acls": "<ACL-name>[,<ACL-name>,...]",</span>
<span class="s1"> <other options></span>
<span class="s1"> }</span>
<span class="s1"> }</span>
<span class="s1">}'</span>
</pre></div>
</div>
<p>The <code class="docutils literal notranslate"><span class="pre">type</span></code> and <code class="docutils literal notranslate"><span class="pre">network</span></code> options are required in the body (see: <a class="reference internal" href="../instances_configure/#instances-configure-devices-api-required"><span class="std std-ref">Required device options</span></a>).</p>
<div class="admonition caution">
<p class="admonition-title">Caution</p>
<p>Patching an instance device’s configuration unsets any options for that device omitted from the PATCH request body. For more information, see <a class="reference internal" href="../instances_configure/#instances-configure-devices-api-patch-effects"><span class="std std-ref">Effects of patching device options</span></a>.</p>
</div>
<p class="rubric" id="id9">Example</p>
<p>For <code class="docutils literal notranslate"><span class="pre">my-instance</span></code>, set its <code class="docutils literal notranslate"><span class="pre">my-ovn-nic</span></code> device’s <code class="docutils literal notranslate"><span class="pre">security.acls</span></code> to contain three ACLs:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>query<span class="w"> </span>--request<span class="w"> </span>PATCH<span class="w"> </span>/1.0/instances/my-instance<span class="w"> </span>--data<span class="w"> </span><span class="s1">'{</span>
<span class="s1"> "devices": {</span>
<span class="s1"> "my-ovn-nic": {</span>
<span class="s1"> "network": "my-ovn-network",</span>
<span class="s1"> "type": "nic",</span>
<span class="s1"> "security.acls": "my-acl1,my-acl2,my-acl3"</span>
<span class="s1"> }</span>
<span class="s1"> }</span>
<span class="s1">}'</span>
</pre></div>
</div>
</div></div>
</section>
<section id="additional-options">
<span id="network-acls-assign-additional"></span><h3>Additional options<a class="headerlink" href="#additional-options" title="Link to this heading">¶</a></h3>
<p>To view additional options for the <code class="docutils literal notranslate"><span class="pre">security.acls</span></code> lists, refer to the configuration options for the target network or NIC:</p>
<ul class="simple">
<li><p>Bridge network’s <a class="configref reference internal" href="../../reference/network_bridge/#network-bridge-network-conf:security.acls"><code class="docutils literal notranslate"><span class="pre">security.acls</span></code></a></p></li>
<li><p>OVN network’s <a class="configref reference internal" href="../../reference/network_ovn/#network-ovn-network-conf:security.acls"><code class="docutils literal notranslate"><span class="pre">security.acls</span></code></a></p></li>
<li><p>Instance’s OVN NIC <a class="configref reference internal" href="../../reference/devices_nic/#device-nic-ovn-device-conf:security.acls"><code class="docutils literal notranslate"><span class="pre">security.acls</span></code></a></p></li>
</ul>
</section>
</section>
<section id="configure-default-actions">
<span id="network-acls-defaults"></span><h2>Configure default actions<a class="headerlink" href="#configure-default-actions" title="Link to this heading">¶</a></h2>
<p>When one or more ACLs are assigned to a NIC—either directly or through its network—a default reject rule is added to the NIC.
This rule rejects all traffic that doesn’t match any of the rules in the assigned ACLs.</p>
<p>You can change this behavior with the network- and NIC-level <code class="docutils literal notranslate"><span class="pre">security.acls.default.ingress.action</span></code> and <code class="docutils literal notranslate"><span class="pre">security.acls.default.egress.action</span></code> settings. The NIC-level settings override the network-level settings.</p>
<div class="sphinx-tabs docutils container">
<div aria-label="Tabbed content" class="closeable" role="tablist"><button aria-controls="panel-12-Q0xJ" aria-selected="true" class="sphinx-tabs-tab group-tab" id="tab-12-Q0xJ" name="Q0xJ" role="tab" tabindex="0">CLI</button><button aria-controls="panel-12-QVBJ" aria-selected="false" class="sphinx-tabs-tab group-tab" id="tab-12-QVBJ" name="QVBJ" role="tab" tabindex="-1">API</button></div><div aria-labelledby="tab-12-Q0xJ" class="sphinx-tabs-panel group-tab" id="panel-12-Q0xJ" name="Q0xJ" role="tabpanel" tabindex="0"><p class="rubric" id="configure-a-default-action-for-a-network">Configure a default action for a network</p>
<p>To set the default action for a network’s egress or ingress traffic, run:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>network<span class="w"> </span><span class="nb">set</span><span class="w"> </span><network-name><span class="w"> </span>security.acls.default.<egress<span class="p">|</span>ingress>.action<span class="o">=</span><allow<span class="p">|</span>reject<span class="p">|</span>drop>
</pre></div>
</div>
<p class="rubric" id="id10">Example</p>
<p>To set the default action for inbound traffic to <code class="docutils literal notranslate"><span class="pre">allow</span></code> for all instances on the <code class="docutils literal notranslate"><span class="pre">my-network</span></code> network, run:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>network<span class="w"> </span><span class="nb">set</span><span class="w"> </span>my-network<span class="w"> </span>security.acls.default.ingress.action<span class="o">=</span>allow
</pre></div>
</div>
<p class="rubric" id="configure-a-default-action-for-an-instance-ovn-nic-device">Configure a default action for an instance OVN NIC device</p>
<p>To set the default action for an instance OVN NIC’s egress or ingress traffic, run:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>config<span class="w"> </span>device<span class="w"> </span><span class="nb">set</span><span class="w"> </span><instance-name><span class="w"> </span><NIC-name><span class="w"> </span>security.acls.default.<egress<span class="p">|</span>ingress>.action<span class="o">=</span><allow<span class="p">|</span>reject<span class="p">|</span>drop>
</pre></div>
</div>
<p class="rubric" id="id11">Example</p>
<p>To set the default action for inbound traffic to <code class="docutils literal notranslate"><span class="pre">allow</span></code> for the <code class="docutils literal notranslate"><span class="pre">my-ovn-nic</span></code> device of <code class="docutils literal notranslate"><span class="pre">my-instance</span></code>, run:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>config<span class="w"> </span>device<span class="w"> </span><span class="nb">set</span><span class="w"> </span>my-instance<span class="w"> </span>my-ovn-nic<span class="w"> </span>security.acls.default.ingress.action<span class="o">=</span>allow
</pre></div>
</div>
</div><div aria-labelledby="tab-12-QVBJ" class="sphinx-tabs-panel group-tab" hidden="true" id="panel-12-QVBJ" name="QVBJ" role="tabpanel" tabindex="0"><p class="rubric" id="id12">Configure a default action for a network</p>
<p>To set the default action for a network’s egress or ingress traffic, query the <a class="reference external" href="/api/#/networks/network_patch"><code class="docutils literal notranslate"><span class="pre">PATCH</span> <span class="pre">/1.0/networks/{network-name}</span></code></a> endpoint:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>query<span class="w"> </span>--request<span class="w"> </span>PATCH<span class="w"> </span>/1.0/networks/<span class="o">{</span>network-name<span class="o">}</span><span class="w"> </span>--data<span class="w"> </span><span class="s1">'{</span>
<span class="s1"> "config": {</span>
<span class="s1"> "security.acls.default.egress.action": "<allow|reject|drop>",</span>
<span class="s1"> "security.acls.default.ingress.action": "<allow|reject|drop>"</span>
<span class="s1"> }</span>
<span class="s1">}'</span>
</pre></div>
</div>
<p class="rubric" id="id13">Example</p>
<p>Set the <code class="docutils literal notranslate"><span class="pre">my-network</span></code> network’s default egress action to <code class="docutils literal notranslate"><span class="pre">allow</span></code>:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>query<span class="w"> </span>--request<span class="w"> </span>PATCH<span class="w"> </span>/1.0/networks/my-network<span class="w"> </span>--data<span class="w"> </span><span class="s1">'{</span>
<span class="s1"> "config": {</span>
<span class="s1"> "security.acls.default.egress.action": "allow"</span>
<span class="s1"> }</span>
<span class="s1">}'</span>
</pre></div>
</div>
<p class="rubric" id="configure-a-default-action-for-an-instance-s-ovn-nic-device">Configure a default action for an instance’s OVN NIC device</p>
<p>To set the default action for an instance’s OVN NIC’s traffic, query the <a class="reference external" href="/api/#/instances/instance_patch"><code class="docutils literal notranslate"><span class="pre">PATCH</span> <span class="pre">/1.0/instances/{instance-name}</span></code></a> endpoint:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>query<span class="w"> </span>--request<span class="w"> </span>PATCH<span class="w"> </span>/1.0/instances/<span class="o">{</span>instance-name<span class="o">}</span><span class="w"> </span>--data<span class="w"> </span><span class="s1">'{</span>
<span class="s1"> "devices": {</span>
<span class="s1"> "<NIC-name>": {</span>
<span class="s1"> "network": "<network-name>",</span>
<span class="s1"> "type": "nic",</span>
<span class="s1"> "security.acls.default.<egress|ingress>.action": "<allow|reject|drop>",</span>
<span class="s1"> <other-options></span>
<span class="s1"> }</span>
<span class="s1"> }</span>
<span class="s1">}'</span>
</pre></div>
</div>
<p>The <code class="docutils literal notranslate"><span class="pre">type</span></code> and <code class="docutils literal notranslate"><span class="pre">network</span></code> options are required in the body (see: <a class="reference internal" href="../instances_configure/#instances-configure-devices-api-required"><span class="std std-ref">Required device options</span></a>).</p>
<div class="admonition caution">
<p class="admonition-title">Caution</p>
<p>Patching an instance device’s configuration unsets any options for that device omitted from the PATCH request body. For more information, see <a class="reference internal" href="../instances_configure/#instances-configure-devices-api-patch-effects"><span class="std std-ref">Effects of patching device options</span></a>.</p>
</div>
<p class="rubric" id="id14">Example</p>
<p>This request sets the default action for inbound traffic to <code class="docutils literal notranslate"><span class="pre">allow</span></code> for the <code class="docutils literal notranslate"><span class="pre">my-ovn-nic</span></code> device of <code class="docutils literal notranslate"><span class="pre">my-instance</span></code>:</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>lxc<span class="w"> </span>query<span class="w"> </span>--request<span class="w"> </span>PATCH<span class="w"> </span>/1.0/instances/my-instance<span class="w"> </span>--data<span class="w"> </span><span class="s1">'{</span>
<span class="s1"> "devices": {</span>
<span class="s1"> "my-ovn-nic": {</span>
<span class="s1"> "network": "my-network",</span>
<span class="s1"> "type": "nic",</span>
<span class="s1"> "security.acls.default.ingress.action": "allow"</span>
<span class="s1"> }</span>
<span class="s1"> }</span>
<span class="s1">}'</span>
</pre></div>
</div>
</div></div>
</section>
<section id="bridge-limitations">
<span id="network-acls-bridge-limitations"></span><h2>Bridge limitations<a class="headerlink" href="#bridge-limitations" title="Link to this heading">¶</a></h2>
<p>When using network ACLs with a bridge network, be aware of the following limitations:</p>
<ul class="simple">
<li><p>Unlike OVN ACLs, bridge ACLs apply only at the boundary between the bridge and the LXD host. This means they can enforce network policies only for traffic entering or leaving the host. <spellexception>Intra-bridge</spellexception> firewalls (rules controlling traffic between instances on the same bridge) are not supported.</p></li>
<li><p><a class="reference internal" href="#network-acls-selectors"><span class="std std-ref">ACL groups and network selectors</span></a> are not supported.</p></li>
<li><p>If you’re using the <code class="docutils literal notranslate"><span class="pre">iptables</span></code> firewall driver, you cannot use IP range subjects (such as <code class="docutils literal notranslate"><span class="pre">192.0.2.1-192.0.2.10</span></code>).</p></li>
<li><p>Baseline network service rules are added before ACL rules in their respective INPUT/OUTPUT chains. Because LXD cannot differentiate between INPUT/OUTPUT and FORWARD traffic after jumping into the ACL chain, ACL rules cannot block the traffic that these baseline rules allow.</p></li>
</ul>
</section>
</section>
</article>
</div>
</body>
</html>