Trust Domains: ingress policies

[caubut-charter]

Problem description
Was raised API consumers may want ingress policies in addition to existing egress policies.

Possible evolution
Likely mirror the final format for egress policies.

Alternative solution
Look at other standards for ACL definitions to mirror.

Additional context
Use case: DDoS protection.