author Andrew Yourtchenko <ayourtch@gmail.com> 2020-01-08 05:22:20 +0000
committer Ole Trøan <otroan@employees.org> 2020-01-08 11:36:31 +0000
commit 120505928456d1760f99193be18ed369fc24d86f (patch)
tree 4f804d18bcedbc1c61d92404e7c286758fe7387a
parent 5dfc03f110fd2ea742495c2ca755dfc511a024c9 (diff)
acl: add FEATURE.yaml
Change-Id: If6f13e7962c27f35528058224928def927fff19f
Type: docs
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
-rw-r--r-- src/plugins/acl/FEATURE.yaml 26
1 files changed, 26 insertions, 0 deletions
diff --git a/src/plugins/acl/FEATURE.yaml b/src/plugins/acl/FEATURE.yaml
new file mode 100644
index 00000000000..81166cfb5a0
--- /dev/null
+++ b/src/plugins/acl/FEATURE.yaml
@@ -0,0 +1,26 @@
+---
+name: ACLs for Security Groups
+maintainer: Andrew Yourtchenko <ayourtch@gmail.com>
+features:
+ - Inbound MACIP ACLs:
+ - filter the source IP:MAC address statically configured bindings
+ - Stateless inbound and outbound ACLs:
+ - permit/deny packets based on their L3/L4 info
+ - Stateful inbound and outbound ACLs:
+ - create inbound sessions based on outbound traffic and vice versa
+
+description: |-
+ The ACL plugin allows to implement access control policies
+ at the levels of IP address ownership (by locking down
+ the IP-MAC associations by MACIP ACLs), and by using network
+ and transport level policies in inbound and outbound ACLs.
+ For non-initial fragments the matching is done on network
+ layer only. The session state in stateful ACLs is maintained
+ per-interface (e.g. outbound interface ACL creates the session
+ while inbound ACL matches it), which simplifies the design
+ and operation. For TCP handling, the session processing
+ tracks "established" (seen both SYN segments and seen ACKs for them),
+ and "transient" (all the other TCP states) sessions.
+
+state: production
+properties: [API, CLI, STATS, MULTITHREAD]
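Review bot: The description sentence "For non-initial fragments the matching is done on network layer only" does not say what this means for a rule that also carries L4 match criteria, so an operator reading this file cannot tell whether such a fragment is matched on the rule's L3 part alone or skips the rule. Suggest adding one sentence that states the resulting permit/deny behaviour for those fragments. Two smaller wording points: in the features list, "filter the source IP:MAC address statically configured bindings" would read more clearly as "filter on statically configured source IP:MAC address bindings", and "allows to implement" in the description should be "allows implementing".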