summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorAndrew Yourtchenko <ayourtch@gmail.com>2020-01-08 05:22:20 +0000
committerOle Trøan <otroan@employees.org>2020-01-08 11:36:31 +0000
commit120505928456d1760f99193be18ed369fc24d86f (patch)
tree4f804d18bcedbc1c61d92404e7c286758fe7387a /src
parent5dfc03f110fd2ea742495c2ca755dfc511a024c9 (diff)
acl: add FEATURE.yaml
Change-Id: If6f13e7962c27f35528058224928def927fff19f Type: docs Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Diffstat (limited to 'src')
-rw-r--r--src/plugins/acl/FEATURE.yaml26
1 files changed, 26 insertions, 0 deletions
diff --git a/src/plugins/acl/FEATURE.yaml b/src/plugins/acl/FEATURE.yaml
new file mode 100644
index 00000000000..81166cfb5a0
--- /dev/null
+++ b/src/plugins/acl/FEATURE.yaml
@@ -0,0 +1,26 @@
+---
+name: ACLs for Security Groups
+maintainer: Andrew Yourtchenko <ayourtch@gmail.com>
+features:
+ - Inbound MACIP ACLs:
+ - filter the source IP:MAC address statically configured bindings
+ - Stateless inbound and outbound ACLs:
+ - permit/deny packets based on their L3/L4 info
+ - Stateful inbound and outbound ACLs:
+ - create inbound sessions based on outbound traffic and vice versa
+
+description: |-
+ The ACL plugin allows to implement access control policies
+ at the levels of IP address ownership (by locking down
+ the IP-MAC associations by MACIP ACLs), and by using network
+ and transport level policies in inbound and outbound ACLs.
+ For non-initial fragments the matching is done on network
+ layer only. The session state in stateful ACLs is maintained
+ per-interface (e.g. outbound interface ACL creates the session
+ while inbound ACL matches it), which simplifies the design
+ and operation. For TCP handling, the session processing
+ tracks "established" (seen both SYN segments and seen ACKs for them),
+ and "transient" (all the other TCP states) sessions.
+
+state: production
+properties: [API, CLI, STATS, MULTITHREAD]