diff options
author | Andrew Yourtchenko <ayourtch@gmail.com> | 2020-01-08 05:22:20 +0000 |
---|---|---|
committer | Ole Trøan <otroan@employees.org> | 2020-01-08 11:36:31 +0000 |
commit | 120505928456d1760f99193be18ed369fc24d86f (patch) | |
tree | 4f804d18bcedbc1c61d92404e7c286758fe7387a /src/plugins/acl | |
parent | 5dfc03f110fd2ea742495c2ca755dfc511a024c9 (diff) |
acl: add FEATURE.yaml
Change-Id: If6f13e7962c27f35528058224928def927fff19f
Type: docs
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Diffstat (limited to 'src/plugins/acl')
-rw-r--r-- | src/plugins/acl/FEATURE.yaml | 26 |
1 files changed, 26 insertions, 0 deletions
diff --git a/src/plugins/acl/FEATURE.yaml b/src/plugins/acl/FEATURE.yaml new file mode 100644 index 00000000000..81166cfb5a0 --- /dev/null +++ b/src/plugins/acl/FEATURE.yaml @@ -0,0 +1,26 @@ +--- +name: ACLs for Security Groups +maintainer: Andrew Yourtchenko <ayourtch@gmail.com> +features: + - Inbound MACIP ACLs: + - filter the source IP:MAC address statically configured bindings + - Stateless inbound and outbound ACLs: + - permit/deny packets based on their L3/L4 info + - Stateful inbound and outbound ACLs: + - create inbound sessions based on outbound traffic and vice versa + +description: |- + The ACL plugin allows to implement access control policies + at the levels of IP address ownership (by locking down + the IP-MAC associations by MACIP ACLs), and by using network + and transport level policies in inbound and outbound ACLs. + For non-initial fragments the matching is done on network + layer only. The session state in stateful ACLs is maintained + per-interface (e.g. outbound interface ACL creates the session + while inbound ACL matches it), which simplifies the design + and operation. For TCP handling, the session processing + tracks "established" (seen both SYN segments and seen ACKs for them), + and "transient" (all the other TCP states) sessions. + +state: production +properties: [API, CLI, STATS, MULTITHREAD] |