
Add support for stateless rules in network ACLs #651

Closed
stgraber opened this issue Mar 24, 2024 · 5 comments
Comments

@stgraber (Member)

Currently all ACL rules are assumed to be stateful.

That's certainly fine as a default as stateless firewalling can be a bit tricky to get right, but for very high throughput/pps applications, it's a very useful tool and so should be supported.

stgraber added the Feature and API (Changes to the REST API) labels, Mar 24, 2024
stgraber added this to the soon milestone, Mar 24, 2024
@stgraber (Member Author)

We can do this by adding a new `allow-stateless` action which in the OVN case makes us use `allow-stateless` rather than the current `allow-related`.

stgraber added the Easy (Good for new contributors) label, Mar 24, 2024

@christina-zh

I'm interested in working on this issue. Can I be assigned to it, please?

@stgraber (Member Author) commented Mar 28, 2024

For this one, you're going to want to:

  • Add an API extension string for the change (say `network_acl_stateless`)
  • Add the new value to the list in `doc/howto/network_acls.md`
  • Add it to `ValidActions` in `internal/server/network/acl/driver_common.go`
  • Add it to `ovnRuleCriteriaToOVNACLRule` in `internal/server/network/acl/acl_ovn.go` (and remove the TODO). The priority remains `PortGroupAllow`, it's just the action that will differ
  • Add logic to `internal/server/network/acl/acl_firewall.go` to map a stateless ACL to a normal `allowRule` (with a TODO comment to add NOTRACK support later)

And I think that should be it to get this working.

Expected commit list based on the above should be:

  • api: Add network_acl_stateless
  • doc/network_acl: Add allow-stateless action
  • incusd/network/acl: Add allow-stateless action

Testing this locally won't be the easiest unfortunately as you'd need to first get a working Incus setup, then also install OVN and set that up.
https://linuxcontainers.org/incus/docs/main/howto/network_ovn_setup/#network-ovn-setup should help if you want to do that.

Though the issue is likely simple enough that you should be able to do it blind and I'll then test it for you on a proper OVN cluster.
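The steps above, modelled end to end as an added example. This is not Incus's code and none of the names below (`Rule`, `ValidActions`, `OVNACLAction`, `OVNACLRow`, `FirewallVerdict`, `UnpairedStateless`) are the project's own identifiers; they stand in for the validation, OVN mapping and firewall fallback the comment describes. It also adds the check a practitioner wants before enabling this: OVN's `allow-stateless` forwards without creating a conntrack entry, so unlike `allow-related` it does not admit reply packets by itself, and the reverse direction has to be allowed explicitly.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is an illustrative ACL rule for this example, not Incus's own type.
type Rule struct {
	Action    string // one of ValidActions
	Direction string // "ingress" or "egress"
	Protocol  string // "tcp", "udp", "icmp4", or "" for any
	DestPort  string // e.g. "443"; "" for any (requires Protocol)
}

// ValidActions is the action allow-list with the new allow-stateless value.
var ValidActions = []string{"allow", "allow-stateless", "reject", "drop"}

// ValidateAction rejects anything that is not in ValidActions.
func ValidateAction(action string) error {
	for _, a := range ValidActions {
		if a == action {
			return nil
		}
	}
	return fmt.Errorf("invalid action %q, must be one of: %s", action, strings.Join(ValidActions, ", "))
}

// OVNACLAction maps an ACL action to the OVN northbound ACL action string.
// "allow" keeps the stateful behaviour (allow-related); "allow-stateless" maps to
// OVN's allow-stateless, which forwards without creating a conntrack entry.
func OVNACLAction(action string) (string, error) {
	switch action {
	case "allow":
		return "allow-related", nil
	case "allow-stateless", "reject", "drop":
		return action, nil
	}
	return "", fmt.Errorf("unsupported action %q", action)
}

// OVNACLRow renders the rule as the direction, match and action of an OVN ACL row.
// The match grammar used here is a small subset of OVN's (protocol and dst port).
func OVNACLRow(r Rule) (direction, match, action string, err error) {
	if action, err = OVNACLAction(r.Action); err != nil {
		return "", "", "", err
	}
	switch r.Direction {
	case "ingress":
		direction = "to-lport"
	case "egress":
		direction = "from-lport"
	default:
		return "", "", "", fmt.Errorf("invalid direction %q", r.Direction)
	}
	var parts []string
	if r.Protocol != "" {
		parts = append(parts, r.Protocol)
	}
	if r.DestPort != "" {
		if r.Protocol == "" {
			return "", "", "", fmt.Errorf("destination port %q needs a protocol", r.DestPort)
		}
		parts = append(parts, fmt.Sprintf("%s.dst == %s", r.Protocol, r.DestPort))
	}
	match = "1" // OVN's always-true match
	if len(parts) > 0 {
		match = strings.Join(parts, " && ")
	}
	return direction, match, action, nil
}

// FirewallVerdict maps an action to the verdict of a bridge (nftables-style) driver.
// There is no stateless path there yet, so allow-stateless degrades to a plain accept
// and reports stateless=true so the caller knows a NOTRACK rule is still missing.
func FirewallVerdict(action string) (verdict string, stateless bool, err error) {
	switch action {
	case "allow":
		return "accept", false, nil
	case "allow-stateless":
		return "accept", true, nil // TODO: emit a notrack rule instead
	case "reject", "drop":
		return action, false, nil
	}
	return "", false, fmt.Errorf("unsupported action %q", action)
}

// UnpairedStateless returns stateless rules with no stateless rule for the same
// protocol in the opposite direction. Without conntrack, replies to traffic admitted
// by such a rule are not allowed automatically. Coarse heuristic: ports are ignored.
func UnpairedStateless(rules []Rule) []Rule {
	opposite := map[string]string{"ingress": "egress", "egress": "ingress"}
	var unpaired []Rule
	for _, r := range rules {
		if r.Action != "allow-stateless" {
			continue
		}
		paired := false
		for _, o := range rules {
			if o.Action == "allow-stateless" && o.Direction == opposite[r.Direction] && o.Protocol == r.Protocol {
				paired = true
				break
			}
		}
		if !paired {
			unpaired = append(unpaired, r)
		}
	}
	return unpaired
}
```

An ingress `allow-stateless` rule for `tcp` port 443 renders as `to-lport`, `tcp && tcp.dst == 443`, `allow-stateless`; `UnpairedStateless` flags it until an egress stateless `tcp` rule is added, which is the extra rule a stateful `allow` would have made unnecessary.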

@atomus1990

Is stateless supported strictly for OVN networks? Or is it supported for bridge networks also?

@stgraber (Member Author)

Only OVN at this time.
