--- name: ACLs for Security Groups maintainer: Andrew Yourtchenko <ayourtch@gmail.com> features: - Inbound MACIP ACLs: - filter the source IP:MAC address statically configured bindings - Stateless inbound and outbound ACLs: - permit/deny packets based on their L3/L4 info - Stateful inbound and outbound ACLs: - create inbound sessions based on outbound traffic and vice versa description: |- The ACL plugin allows to implement access control policies at the levels of IP address ownership (by locking down the IP-MAC associations by MACIP ACLs), and by using network and transport level policies in inbound and outbound ACLs. For non-initial fragments the matching is done on network layer only. The session state in stateful ACLs is maintained per-interface (e.g. outbound interface ACL creates the session while inbound ACL matches it), which simplifies the design and operation. For TCP handling, the session processing tracks "established" (seen both SYN segments and seen ACKs for them), and "transient" (all the other TCP states) sessions. state: production properties: [API, CLI, STATS, MULTITHREAD]