name: ACLs for Security Groups
maintainer: Andrew Yourtchenko <ayourtch@gmail.com>
6 - filter the source IP:MAC address statically configured bindings
- Stateless inbound and outbound ACLs:
  - permit/deny packets based on their L3/L4 info
- Stateful inbound and outbound ACLs:
  - create inbound sessions based on outbound traffic and vice versa
The ACL plugin implements access control policies at two levels:
IP address ownership (MACIP ACLs lock down the IP-MAC
associations), and network- and transport-level policies
in inbound and outbound ACLs.
For non-initial fragments, matching is done on the network
layer only. The session state in stateful ACLs is maintained
per interface (e.g. the outbound interface ACL creates the session
while the inbound ACL matches it), which simplifies the design
and operation. For TCP, session processing tracks
"established" sessions (both SYN segments and the ACKs for them
have been seen) and "transient" sessions (all other TCP states).
26 properties: [API, CLI, STATS, MULTITHREAD]