I understand that many iptables features (connection tracking, etc.) are not supported by the underlying switching hardware on switches running Cumulus Linux.
It feels like I should still be able to use these features to protect the control plane, but I'm finding that cl-acltool is refusing to install them.
Perhaps there's a different way (something other than /etc/cumulus/acl/policy.d) to get these rules installed?
Maybe I'm confused and these features can't be used, even on the INPUT/OUTPUT chains?
How else are people protecting (filtering, not CoPP) TCP listeners exposed by the control plane? I see that sshd is compiled with libwrap, but I'd feel better with something that's universally applicable (bgpd does not have libwrap) and runs a bit lower in the stack.
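Added example, not from the original post and not taken from Cumulus documentation: one stateless way to filter control-plane TCP listeners from a rules file under /etc/cumulus/acl/policy.d, using source prefixes and the TCP `--syn` match instead of connection tracking. The file name, the prefixes 192.0.2.0/24 and 203.0.113.0/24, and the assumption that cl-acltool accepts `--syn` / `! --syn` matches on the INPUT chain are illustrative assumptions, not verified behaviour.

```text
# /etc/cumulus/acl/policy.d/50-control-plane.rules  (assumed file name)
# Stateless protection of control-plane TCP listeners.
# Assumption: cl-acltool accepts the --syn match; nothing here uses conntrack.
[iptables]

# Return traffic for connections the switch itself initiated (no SYN bit alone):
# accepted without state, because any non-SYN segment is by definition not a
# new connection attempt.
-A INPUT -p tcp ! --syn -j ACCEPT

# BGP (bgpd has no libwrap): only peers inside the assumed peering prefix may
# open a session; everyone else's SYNs to 179 are dropped.
-A INPUT -p tcp --syn --dport 179 -s 192.0.2.0/24 -j ACCEPT
-A INPUT -p tcp --syn --dport 179 -j DROP

# SSH: same pattern, restricted to the assumed management prefix.
-A INPUT -p tcp --syn --dport 22 -s 203.0.113.0/24 -j ACCEPT
-A INPUT -p tcp --syn --dport 22 -j DROP
```

Install with `cl-acltool -i` after placing the file; keeping the rules scoped to specific destination ports rather than adding a catch-all DROP avoids locking yourself out of the management interface if a match turns out to be unsupported and the file is rejected.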