+---
+name: ACLs for Security Groups
+maintainer: Andrew Yourtchenko <ayourtch@gmail.com>
+features:
+ - Inbound MACIP ACLs:
+ - filter the source IP:MAC address statically configured bindings
+ - Stateless inbound and outbound ACLs:
+ - permit/deny packets based on their L3/L4 info
+ - Stateful inbound and outbound ACLs:
+ - create inbound sessions based on outbound traffic and vice versa
+
+description: |-
+ The ACL plugin allows to implement access control policies
+ at the levels of IP address ownership (by locking down
+ the IP-MAC associations by MACIP ACLs), and by using network
+ and transport level policies in inbound and outbound ACLs.
+ For non-initial fragments the matching is done on network
+ layer only. The session state in stateful ACLs is maintained
+ per-interface (e.g. outbound interface ACL creates the session
+ while inbound ACL matches it), which simplifies the design
+ and operation. For TCP handling, the session processing
+ tracks "established" (seen both SYN segments and seen ACKs for them),
+ and "transient" (all the other TCP states) sessions.
+
+state: production
+properties: [API, CLI, STATS, MULTITHREAD]