Vlan 1118 (cloud-hosts1-eqiad) in eqiad is used to connect physical servers deployed for WMCS to production networks. Specifically, this network is for physical hosts providing the virtualization layer, connected on a separate physical interface from the one used for the internal cloud networks and the networks for VM guests. It's the "management network" described in case 4 here:
Currently the gateway for this Vlan is the CR routers in eqiad. These have an ACL/filter applied to restrict traffic coming from cloud hosts ("labs-v4" and "labs-v6"). During the recent work to move filters to Capirca it became clear a thorough review of these lists was warranted.
Is filtering required?
The cloud hosts themselves are responsible for isolation of guest VM and internal networks, and thus only trusted traffic from properly secured hosts under WMF control should arrive on this vlan. It is not unreasonable to conclude that no filter is required on these interfaces for that reason.
That said, the CR routers do represent a control point, and security-in-depth is good practice, so it probably makes sense to deploy some filtering at that point. A balance should probably be struck between sensible security, convenience for the cloud team and the level of maintenance for netops.
uRPF
WMF has used strict uRPF filtering on certain interfaces before (see T266561). It may make sense to enable it on the sub-interfaces for this Vlan as well, which might also simplify the ruleset needed in the filter.
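
To illustrate why strict uRPF could shrink the filter, here is a small model of the check (an added example, not taken from the task or from the router configuration). The prefixes are documentation ranges and the interface names are placeholders, all constructed for the example.

```python
import ipaddress

# Constructed FIB: (prefix, outgoing interface). Not the real eqiad values.
FIB = [
    ("0.0.0.0/0", "uplink"),
    ("192.0.2.0/24", "vlan1118"),          # stands in for the cloud-hosts v4 subnet
    ("2001:db8:1118::/64", "vlan1118"),    # stands in for the cloud-hosts v6 subnet
    ("198.51.100.0/24", "vlan-other"),     # some other production vlan
]

def best_route(addr, fib=FIB):
    """Longest-prefix match; returns the outgoing interface, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifc in fib:
        net = ipaddress.ip_network(prefix)
        # Membership is False when address families differ, so v4 and v6
        # entries can share one table here.
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifc)
    return best[1] if best else None

def strict_urpf_accepts(src, in_ifc, fib=FIB):
    """Strict mode: the best route back to src must leave via in_ifc."""
    return best_route(src, fib) == in_ifc

def check_all(packets, in_ifc="vlan1118"):
    """Return {src: accepted} for packets arriving on in_ifc."""
    return {src: strict_urpf_accepts(src, in_ifc) for src in packets}

# Constructed source addresses, all arriving on the cloud-hosts sub-interface.
SAMPLE_SOURCES = [
    "192.0.2.10",          # legitimate cloud host (v4)
    "2001:db8:1118::10",   # legitimate cloud host (v6)
    "198.51.100.7",        # source belonging to another vlan
    "203.0.113.5",         # only matches the default route via uplink
    "2001:db8:ffff::1",    # no v6 route at all
]

if __name__ == "__main__":
    for src, ok in check_all(SAMPLE_SOURCES).items():
        print(f"{src:22} {'accept' if ok else 'drop'}")
```

With the check applied on the sub-interface, the filter no longer needs its own terms to validate source addresses and can concentrate on which destinations and ports cloud hosts may reach.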