From 120505928456d1760f99193be18ed369fc24d86f Mon Sep 17 00:00:00 2001 From: Andrew Yourtchenko Date: Wed, 8 Jan 2020 05:22:20 +0000 Subject: acl: add FEATURE.yaml Change-Id: If6f13e7962c27f35528058224928def927fff19f Type: docs Signed-off-by: Andrew Yourtchenko --- src/plugins/acl/FEATURE.yaml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 src/plugins/acl/FEATURE.yaml diff --git a/src/plugins/acl/FEATURE.yaml b/src/plugins/acl/FEATURE.yaml new file mode 100644 index 00000000000..81166cfb5a0 --- /dev/null +++ b/src/plugins/acl/FEATURE.yaml @@ -0,0 +1,26 @@ +--- +name: ACLs for Security Groups +maintainer: Andrew Yourtchenko +features: + - Inbound MACIP ACLs: + - filter the source IP:MAC address statically configured bindings + - Stateless inbound and outbound ACLs: + - permit/deny packets based on their L3/L4 info + - Stateful inbound and outbound ACLs: + - create inbound sessions based on outbound traffic and vice versa + +description: |- + The ACL plugin allows to implement access control policies + at the levels of IP address ownership (by locking down + the IP-MAC associations by MACIP ACLs), and by using network + and transport level policies in inbound and outbound ACLs. + For non-initial fragments the matching is done on network + layer only. The session state in stateful ACLs is maintained + per-interface (e.g. outbound interface ACL creates the session + while inbound ACL matches it), which simplifies the design + and operation. For TCP handling, the session processing + tracks "established" (seen both SYN segments and seen ACKs for them), + and "transient" (all the other TCP states) sessions. + +state: production +properties: [API, CLI, STATS, MULTITHREAD] -- cgit 1.2.3-korg
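Review bot: In the description block, "For non-initial fragments the matching is done on network layer only" leaves the outcome unspecified for a rule that carries L4 criteria: it does not say whether a non-initial fragment matching the rule's L3 part takes that rule's permit/deny action or skips the rule. The features list advertises "permit/deny packets based on their L3/L4 info" without qualification, so I suggest stating the fragment behaviour explicitly and repeating the caveat under the stateless ACL feature entry. Minor wording in the same hunk: "filter the source IP:MAC address statically configured bindings" reads better as "filter on statically configured source IP:MAC address bindings", and "allows to implement" as "allows implementing".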