-The application defines two ACLs, one each of Inbound and Outbound, and
-it replicates them per socket in use.
-
-Following are the default rules:
-
-Endpoint 0 Outbound Security Policies:
-
-+---------+------------------+-----------+------------+
-| **Src** | **Dst** | **proto** | **SA idx** |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.105.0/24 | Any | 5 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.106.0/24 | Any | 6 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.107.0/24 | Any | 7 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.108.0/24 | Any | 8 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.200.0/24 | Any | 9 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.250.0/24 | Any | BYPASS |
-| | | | |
-+---------+------------------+-----------+------------+
-
-Endpoint 0 Inbound Security Policies:
-
-+---------+------------------+-----------+------------+
-| **Src** | **Dst** | **proto** | **SA idx** |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.115.0/24 | Any | 5 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.116.0/24 | Any | 6 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.117.0/24 | Any | 7 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.118.0/24 | Any | 8 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.210.0/24 | Any | 9 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.240.0/24 | Any | BYPASS |
-| | | | |
-+---------+------------------+-----------+------------+
-
-Endpoint 1 Outbound Security Policies:
-
-+---------+------------------+-----------+------------+
-| **Src** | **Dst** | **proto** | **SA idx** |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.115.0/24 | Any | 5 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.116.0/24 | Any | 6 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.117.0/24 | Any | 7 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.118.0/24 | Any | 8 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.210.0/24 | Any | 9 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.240.0/24 | Any | BYPASS |
-| | | | |
-+---------+------------------+-----------+------------+
-
-Endpoint 1 Inbound Security Policies:
-
-+---------+------------------+-----------+------------+
-| **Src** | **Dst** | **proto** | **SA idx** |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.105.0/24 | Any | 5 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.106.0/24 | Any | 6 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.107.0/24 | Any | 7 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.108.0/24 | Any | 8 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.200.0/24 | Any | 9 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.250.0/24 | Any | BYPASS |
-| | | | |
-+---------+------------------+-----------+------------+
-
-
-Security Association Initialization
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-The SAs are kept in a array table.
-
-For Inbound, the SPI is used as index module the table size.
-This means that on a table for 100 SA, SPI 5 and 105 would use the same index
-and that is not currently supported.
-
-Notice that it is not an issue for Outbound traffic as we store the index and
-not the SPI in the Security Policy.
-
-All SAs configured with AES-CBC and HMAC-SHA1 share the same values for cipher
-block size and key, and authentication digest size and key.
-
-Following are the default values:
-
-Endpoint 0 Outbound Security Associations:
-
-+---------+------------+-----------+----------------+------------------+
-| **SPI** | **Cipher** | **Auth** | **Tunnel src** | **Tunnel dst** |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 5 | AES-CBC | HMAC-SHA1 | 172.16.1.5 | 172.16.2.5 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 6 | AES-CBC | HMAC-SHA1 | 172.16.1.6 | 172.16.2.6 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 7 | AES-CBC | HMAC-SHA1 | 172.16.1.7 | 172.16.2.7 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 8 | AES-CBC | HMAC-SHA1 | 172.16.1.8 | 172.16.2.8 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 9 | NULL | NULL | 172.16.1.5 | 172.16.2.5 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-
-Endpoint 0 Inbound Security Associations:
-
-+---------+------------+-----------+----------------+------------------+
-| **SPI** | **Cipher** | **Auth** | **Tunnel src** | **Tunnel dst** |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 5 | AES-CBC | HMAC-SHA1 | 172.16.2.5 | 172.16.1.5 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 6 | AES-CBC | HMAC-SHA1 | 172.16.2.6 | 172.16.1.6 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 7 | AES-CBC | HMAC-SHA1 | 172.16.2.7 | 172.16.1.7 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 8 | AES-CBC | HMAC-SHA1 | 172.16.2.8 | 172.16.1.8 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 9 | NULL | NULL | 172.16.2.5 | 172.16.1.5 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-
-Endpoint 1 Outbound Security Associations:
-
-+---------+------------+-----------+----------------+------------------+
-| **SPI** | **Cipher** | **Auth** | **Tunnel src** | **Tunnel dst** |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 5 | AES-CBC | HMAC-SHA1 | 172.16.2.5 | 172.16.1.5 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 6 | AES-CBC | HMAC-SHA1 | 172.16.2.6 | 172.16.1.6 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 7 | AES-CBC | HMAC-SHA1 | 172.16.2.7 | 172.16.1.7 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 8 | AES-CBC | HMAC-SHA1 | 172.16.2.8 | 172.16.1.8 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 9 | NULL | NULL | 172.16.2.5 | 172.16.1.5 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-
-Endpoint 1 Inbound Security Associations:
-
-+---------+------------+-----------+----------------+------------------+
-| **SPI** | **Cipher** | **Auth** | **Tunnel src** | **Tunnel dst** |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 5 | AES-CBC | HMAC-SHA1 | 172.16.1.5 | 172.16.2.5 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 6 | AES-CBC | HMAC-SHA1 | 172.16.1.6 | 172.16.2.6 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 7 | AES-CBC | HMAC-SHA1 | 172.16.1.7 | 172.16.2.7 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 8 | AES-CBC | HMAC-SHA1 | 172.16.1.8 | 172.16.2.8 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 9 | NULL | NULL | 172.16.1.5 | 172.16.2.5 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-
-Routing Initialization
-~~~~~~~~~~~~~~~~~~~~~~
-
-The Routing is implemented using LPM table.
-
-Following default values:
-
-Endpoint 0 Routing Table:
-
-+------------------+----------+
-| **Dst addr** | **Port** |
-| | |
-+------------------+----------+
-| 172.16.2.5/32 | 0 |
-| | |
-+------------------+----------+
-| 172.16.2.6/32 | 0 |
-| | |
-+------------------+----------+
-| 172.16.2.7/32 | 1 |
-| | |
-+------------------+----------+
-| 172.16.2.8/32 | 1 |
-| | |
-+------------------+----------+
-| 192.168.115.0/24 | 2 |
-| | |
-+------------------+----------+
-| 192.168.116.0/24 | 2 |
-| | |
-+------------------+----------+
-| 192.168.117.0/24 | 3 |
-| | |
-+------------------+----------+
-| 192.168.118.0/24 | 3 |
-| | |
-+------------------+----------+
-| 192.168.210.0/24 | 2 |
-| | |
-+------------------+----------+
-| 192.168.240.0/24 | 2 |
-| | |
-+------------------+----------+
-| 192.168.250.0/24 | 0 |
-| | |
-+------------------+----------+
-
-Endpoint 1 Routing Table:
-
-+------------------+----------+
-| **Dst addr** | **Port** |
-| | |
-+------------------+----------+
-| 172.16.1.5/32 | 2 |
-| | |
-+------------------+----------+
-| 172.16.1.6/32 | 2 |
-| | |
-+------------------+----------+
-| 172.16.1.7/32 | 3 |
-| | |
-+------------------+----------+
-| 172.16.1.8/32 | 3 |
-| | |
-+------------------+----------+
-| 192.168.105.0/24 | 0 |
-| | |
-+------------------+----------+
-| 192.168.106.0/24 | 0 |
-| | |
-+------------------+----------+
-| 192.168.107.0/24 | 1 |
-| | |
-+------------------+----------+
-| 192.168.108.0/24 | 1 |
-| | |
-+------------------+----------+
-| 192.168.200.0/24 | 0 |
-| | |
-+------------------+----------+
-| 192.168.240.0/24 | 2 |
-| | |
-+------------------+----------+
-| 192.168.250.0/24 | 0 |
-| | |
-+------------------+----------+
+The application parsers the rules specified in the configuration file and
+passes them to the ACL table, and replicates them per socket in use.
+
+Following are the configuration file syntax.
+
+General rule syntax
+^^^^^^^^^^^^^^^^^^^
+
+The parse treats one line in the configuration file as one configuration
+item (unless the line concatenation symbol exists). Every configuration
+item shall follow the syntax of either SP, SA, or Routing rules specified
+below.
+
+The configuration parser supports the following special symbols:
+
+ * Comment symbol **#**. Any character from this symbol to the end of
+ line is treated as comment and will not be parsed.
+
+ * Line concatenation symbol **\\**. This symbol shall be placed in the end
+ of the line to be concatenated to the line below. Multiple lines'
+ concatenation is supported.
+
+
+SP rule syntax
+^^^^^^^^^^^^^^
+
+The SP rule syntax is shown as follows:
+
+.. code-block:: console
+
+ sp <ip_ver> <dir> esp <action> <priority> <src_ip> <dst_ip>
+ <proto> <sport> <dport>
+
+
+where each options means:
+
+``<ip_ver>``
+
+ * IP protocol version
+
+ * Optional: No
+
+ * Available options:
+
+ * *ipv4*: IP protocol version 4
+ * *ipv6*: IP protocol version 6
+
+``<dir>``
+
+ * The traffic direction
+
+ * Optional: No
+
+ * Available options:
+
+ * *in*: inbound traffic
+ * *out*: outbound traffic
+
+``<action>``
+
+ * IPsec action
+
+ * Optional: No
+
+ * Available options:
+
+ * *protect <SA_idx>*: the specified traffic is protected by SA rule
+ with id SA_idx
+ * *bypass*: the specified traffic traffic is bypassed
+ * *discard*: the specified traffic is discarded
+
+``<priority>``
+
+ * Rule priority
+
+ * Optional: Yes, default priority 0 will be used
+
+ * Syntax: *pri <id>*
+
+``<src_ip>``
+
+ * The source IP address and mask
+
+ * Optional: Yes, default address 0.0.0.0 and mask of 0 will be used
+
+ * Syntax:
+
+ * *src X.X.X.X/Y* for IPv4
+ * *src XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/Y* for IPv6
+
+``<dst_ip>``
+
+ * The destination IP address and mask
+
+ * Optional: Yes, default address 0.0.0.0 and mask of 0 will be used
+
+ * Syntax:
+
+ * *dst X.X.X.X/Y* for IPv4
+ * *dst XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/Y* for IPv6
+
+``<proto>``
+
+ * The protocol start and end range
+
+ * Optional: yes, default range of 0 to 0 will be used
+
+ * Syntax: *proto X:Y*
+
+``<sport>``
+
+ * The source port start and end range
+
+ * Optional: yes, default range of 0 to 0 will be used
+
+ * Syntax: *sport X:Y*
+
+``<dport>``
+
+ * The destination port start and end range
+
+ * Optional: yes, default range of 0 to 0 will be used
+
+ * Syntax: *dport X:Y*
+
+Example SP rules:
+
+.. code-block:: console
+
+ sp ipv4 out esp protect 105 pri 1 dst 192.168.115.0/24 sport 0:65535 \
+ dport 0:65535
+
+ sp ipv6 in esp bypass pri 1 dst 0000:0000:0000:0000:5555:5555:\
+ 0000:0000/96 sport 0:65535 dport 0:65535
+
+
+SA rule syntax
+^^^^^^^^^^^^^^
+
+The successfully parsed SA rules will be stored in an array table.
+
+The SA rule syntax is shown as follows:
+
+.. code-block:: console
+
+ sa <dir> <spi> <cipher_algo> <cipher_key> <auth_algo> <auth_key>
+ <mode> <src_ip> <dst_ip>
+
+where each options means:
+
+``<dir>``
+
+ * The traffic direction
+
+ * Optional: No
+
+ * Available options:
+
+ * *in*: inbound traffic
+ * *out*: outbound traffic
+
+``<spi>``
+
+ * The SPI number
+
+ * Optional: No
+
+ * Syntax: unsigned integer number
+
+``<cipher_algo>``
+
+ * Cipher algorithm
+
+ * Optional: No
+
+ * Available options:
+
+ * *null*: NULL algorithm
+ * *aes-128-cbc*: AES-CBC 128-bit algorithm
+ * *aes-128-ctr*: AES-CTR 128-bit algorithm
+ * *aes-128-gcm*: AES-GCM 128-bit algorithm
+
+ * Syntax: *cipher_algo <your algorithm>*
+
+``<cipher_key>``
+
+ * Cipher key, NOT available when 'null' algorithm is used
+
+ * Optional: No, must followed by <cipher_algo> option
+
+ * Syntax: Hexadecimal bytes (0x0-0xFF) concatenate by colon symbol ':'.
+ The number of bytes should be as same as the specified cipher algorithm
+ key size.
+
+ For example: *cipher_key A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4:
+ A1:B2:C3:D4*
+
+``<auth_algo>``
+
+ * Authentication algorithm
+
+ * Optional: No
+
+ * Available options:
+
+ * *null*: NULL algorithm
+ * *sha1-hmac*: HMAC SHA1 algorithm
+ * *aes-128-gcm*: AES-GCM 128-bit algorithm
+
+``<auth_key>``
+
+ * Authentication key, NOT available when 'null' or 'aes-128-gcm' algorithm
+ is used.
+
+ * Optional: No, must followed by <auth_algo> option
+
+ * Syntax: Hexadecimal bytes (0x0-0xFF) concatenate by colon symbol ':'.
+ The number of bytes should be as same as the specified authentication
+ algorithm key size.
+
+ For example: *auth_key A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4:
+ A1:B2:C3:D4*
+
+``<mode>``
+
+ * The operation mode
+
+ * Optional: No
+
+ * Available options:
+
+ * *ipv4-tunnel*: Tunnel mode for IPv4 packets
+ * *ipv6-tunnel*: Tunnel mode for IPv6 packets
+ * *transport*: transport mode
+
+ * Syntax: mode XXX
+
+``<src_ip>``
+
+ * The source IP address. This option is not available when
+ transport mode is used
+
+ * Optional: Yes, default address 0.0.0.0 will be used
+
+ * Syntax:
+
+ * *src X.X.X.X* for IPv4
+ * *src XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX* for IPv6
+
+``<dst_ip>``
+
+ * The destination IP address. This option is not available when
+ transport mode is used
+
+ * Optional: Yes, default address 0.0.0.0 will be used
+
+ * Syntax:
+
+ * *dst X.X.X.X* for IPv4
+ * *dst XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX* for IPv6
+
+Example SA rules:
+
+.. code-block:: console
+
+ sa out 5 cipher_algo null auth_algo null mode ipv4-tunnel \
+ src 172.16.1.5 dst 172.16.2.5
+
+ sa out 25 cipher_algo aes-128-cbc \
+ cipher_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3 \
+ auth_algo sha1-hmac \
+ auth_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3 \
+ mode ipv6-tunnel \
+ src 1111:1111:1111:1111:1111:1111:1111:5555 \
+ dst 2222:2222:2222:2222:2222:2222:2222:5555
+
+ sa in 105 cipher_algo aes-128-gcm \
+ cipher_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+ auth_algo aes-128-gcm \
+ mode ipv4-tunnel src 172.16.2.5 dst 172.16.1.5
+
+Routing rule syntax
+^^^^^^^^^^^^^^^^^^^
+
+The Routing rule syntax is shown as follows:
+
+.. code-block:: console
+
+ rt <ip_ver> <src_ip> <dst_ip> <port>
+
+
+where each options means:
+
+``<ip_ver>``
+
+ * IP protocol version
+
+ * Optional: No
+
+ * Available options:
+
+ * *ipv4*: IP protocol version 4
+ * *ipv6*: IP protocol version 6
+
+``<src_ip>``
+
+ * The source IP address and mask
+
+ * Optional: Yes, default address 0.0.0.0 and mask of 0 will be used
+
+ * Syntax:
+
+ * *src X.X.X.X/Y* for IPv4
+ * *src XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/Y* for IPv6
+
+``<dst_ip>``
+
+ * The destination IP address and mask
+
+ * Optional: Yes, default address 0.0.0.0 and mask of 0 will be used
+
+ * Syntax:
+
+ * *dst X.X.X.X/Y* for IPv4
+ * *dst XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/Y* for IPv6
+
+``<port>``
+
+ * The traffic output port id
+
+ * Optional: yes, default output port 0 will be used
+
+ * Syntax: *port X*
+
+Example SP rules:
+
+.. code-block:: console
+
+ rt ipv4 dst 172.16.1.5/32 port 0
+
+ rt ipv6 dst 1111:1111:1111:1111:1111:1111:1111:5555/116 port 0
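Review bot: the `aes-128-gcm` SA example gives `cipher_key` 20 bytes (`de:ad:be:ef` repeated five times), which contradicts the `<cipher_key>` rule added just above it: "The number of bytes should be as same as the specified cipher algorithm key size". An AES-128 key is 16 bytes. Either shorten the example to 16 bytes or state in the `<cipher_key>` description what the extra 4 bytes are and that they are required for GCM, so readers do not copy a key length the parser may reject or misinterpret. Three smaller points in the same patch. The removed text warned that inbound SAs are indexed by SPI modulo the table size, so SPI 5 and 105 collide in a table of 100; the new "SA rule syntax" section only says rules are "stored in an array table", yet its examples use SPIs 5 and 105. If the limitation still holds, keep the warning and say how `protect <SA_idx>` in an SP rule relates to `<spi>` in an SA rule. The `proto`, `sport` and `dport` options default to a "range of 0 to 0", while every example spells out `0:65535`; say explicitly whether an omitted range matches only 0 or matches everything, since that decides which traffic a `protect` or `discard` rule actually covers. Finally, the heading before the `rt` examples reads "Example SP rules:" and should read "Example Routing rules:"; the patch also has "parsers" for "parses" in the first added line and "traffic traffic" under `bypass`.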