
ACL should apply allow first when default action is allow #1833

@stgraber

Currently when applying ACLs, Incus will first apply all drop/reject, then apply the allow rules and finally the policy which defaults to reject.

That's a good order for this particular case as it allows having wide allow rules with narrow reject/drop rules to block a subset of what's allowed, then the policy rejects the rest.

But this apply order isn't a good fit when the default policy is allow, as in that situation one would likely have pretty broad reject/drop rules and so want the allow rules applied first, to allow a subset of what would otherwise be denied by broader reject/drop rules.

So we should change our default apply order to match, basically reversing the order if the default action is allow.
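
The apply order discussed in this issue, as an added example that is not part of the original post and is not Incus code: a first-match evaluator where the rule order depends on the default action. The `Rule` type, the `orderRules` and `decide` functions and the sample prefixes are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Rule is a simplified, constructed ACL rule (not Incus's internal type).
type Rule struct {
	Action string // "allow", "reject" or "drop"
	Dest   netip.Prefix
}

// orderRules puts drop/reject rules first, or allow rules first when the default action is allow.
func orderRules(rules []Rule, defaultAction string) []Rule {
	var allows, denies []Rule
	for _, r := range rules {
		if r.Action == "allow" {
			allows = append(allows, r)
		} else {
			denies = append(denies, r)
		}
	}
	if defaultAction == "allow" {
		return append(allows, denies...)
	}
	return append(denies, allows...)
}

// decide returns the action of the first rule matching dst, else the default.
func decide(ordered []Rule, defaultAction, dst string) string {
	addr := netip.MustParseAddr(dst)
	for _, r := range ordered {
		if r.Dest.Contains(addr) {
			return r.Action
		}
	}
	return defaultAction
}

// Constructed sample: a broad reject with a narrow allow carved out of it.
var sampleRules = []Rule{
	{Action: "reject", Dest: netip.MustParsePrefix("10.0.0.0/8")},
	{Action: "allow", Dest: netip.MustParsePrefix("10.1.2.0/24")},
}

func main() {
	// Same allow default, drop/reject-first order versus allow-first order.
	fmt.Println(decide(orderRules(sampleRules, "reject"), "allow", "10.1.2.5"))
	fmt.Println(decide(orderRules(sampleRules, "allow"), "allow", "10.1.2.5"))
}
```

With drop/reject rules applied first, the narrow allow for 10.1.2.0/24 is shadowed by the broad reject; with allow rules applied first, the carve-out takes effect and the rest of 10.0.0.0/8 is still rejected.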

Labels

Documentation (Documentation needs updating), Easy (Good for new contributors)
