-The application defines two ACLs, one each of Inbound and Outbound, and
-it replicates them per socket in use.
-
-Following are the default rules:
-
-Endpoint 0 Outbound Security Policies:
-
-+---------+------------------+-----------+------------+
-| **Src** | **Dst** | **proto** | **SA idx** |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.105.0/24 | Any | 5 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.106.0/24 | Any | 6 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.107.0/24 | Any | 7 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.108.0/24 | Any | 8 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.200.0/24 | Any | 9 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.250.0/24 | Any | BYPASS |
-| | | | |
-+---------+------------------+-----------+------------+
-
-Endpoint 0 Inbound Security Policies:
-
-+---------+------------------+-----------+------------+
-| **Src** | **Dst** | **proto** | **SA idx** |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.115.0/24 | Any | 5 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.116.0/24 | Any | 6 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.117.0/24 | Any | 7 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.118.0/24 | Any | 8 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.210.0/24 | Any | 9 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.240.0/24 | Any | BYPASS |
-| | | | |
-+---------+------------------+-----------+------------+
-
-Endpoint 1 Outbound Security Policies:
-
-+---------+------------------+-----------+------------+
-| **Src** | **Dst** | **proto** | **SA idx** |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.115.0/24 | Any | 5 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.116.0/24 | Any | 6 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.117.0/24 | Any | 7 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.118.0/24 | Any | 8 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.210.0/24 | Any | 9 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.240.0/24 | Any | BYPASS |
-| | | | |
-+---------+------------------+-----------+------------+
-
-Endpoint 1 Inbound Security Policies:
-
-+---------+------------------+-----------+------------+
-| **Src** | **Dst** | **proto** | **SA idx** |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.105.0/24 | Any | 5 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.106.0/24 | Any | 6 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.107.0/24 | Any | 7 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.108.0/24 | Any | 8 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.200.0/24 | Any | 9 |
-| | | | |
-+---------+------------------+-----------+------------+
-| Any | 192.168.250.0/24 | Any | BYPASS |
-| | | | |
-+---------+------------------+-----------+------------+
-
-
-Security Association Initialization
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-The SAs are kept in a array table.
-
-For Inbound, the SPI is used as index module the table size.
-This means that on a table for 100 SA, SPI 5 and 105 would use the same index
-and that is not currently supported.
-
-Notice that it is not an issue for Outbound traffic as we store the index and
-not the SPI in the Security Policy.
-
-All SAs configured with AES-CBC and HMAC-SHA1 share the same values for cipher
-block size and key, and authentication digest size and key.
-
-Following are the default values:
-
-Endpoint 0 Outbound Security Associations:
-
-+---------+------------+-----------+----------------+------------------+
-| **SPI** | **Cipher** | **Auth** | **Tunnel src** | **Tunnel dst** |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 5 | AES-CBC | HMAC-SHA1 | 172.16.1.5 | 172.16.2.5 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 6 | AES-CBC | HMAC-SHA1 | 172.16.1.6 | 172.16.2.6 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 7 | AES-CBC | HMAC-SHA1 | 172.16.1.7 | 172.16.2.7 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 8 | AES-CBC | HMAC-SHA1 | 172.16.1.8 | 172.16.2.8 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 9 | NULL | NULL | 172.16.1.5 | 172.16.2.5 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-
-Endpoint 0 Inbound Security Associations:
-
-+---------+------------+-----------+----------------+------------------+
-| **SPI** | **Cipher** | **Auth** | **Tunnel src** | **Tunnel dst** |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 5 | AES-CBC | HMAC-SHA1 | 172.16.2.5 | 172.16.1.5 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 6 | AES-CBC | HMAC-SHA1 | 172.16.2.6 | 172.16.1.6 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 7 | AES-CBC | HMAC-SHA1 | 172.16.2.7 | 172.16.1.7 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 8 | AES-CBC | HMAC-SHA1 | 172.16.2.8 | 172.16.1.8 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 9 | NULL | NULL | 172.16.2.5 | 172.16.1.5 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-
-Endpoint 1 Outbound Security Associations:
-
-+---------+------------+-----------+----------------+------------------+
-| **SPI** | **Cipher** | **Auth** | **Tunnel src** | **Tunnel dst** |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 5 | AES-CBC | HMAC-SHA1 | 172.16.2.5 | 172.16.1.5 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 6 | AES-CBC | HMAC-SHA1 | 172.16.2.6 | 172.16.1.6 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 7 | AES-CBC | HMAC-SHA1 | 172.16.2.7 | 172.16.1.7 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 8 | AES-CBC | HMAC-SHA1 | 172.16.2.8 | 172.16.1.8 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 9 | NULL | NULL | 172.16.2.5 | 172.16.1.5 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-
-Endpoint 1 Inbound Security Associations:
-
-+---------+------------+-----------+----------------+------------------+
-| **SPI** | **Cipher** | **Auth** | **Tunnel src** | **Tunnel dst** |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 5 | AES-CBC | HMAC-SHA1 | 172.16.1.5 | 172.16.2.5 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 6 | AES-CBC | HMAC-SHA1 | 172.16.1.6 | 172.16.2.6 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 7 | AES-CBC | HMAC-SHA1 | 172.16.1.7 | 172.16.2.7 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 8 | AES-CBC | HMAC-SHA1 | 172.16.1.8 | 172.16.2.8 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-| 9 | NULL | NULL | 172.16.1.5 | 172.16.2.5 |
-| | | | | |
-+---------+------------+-----------+----------------+------------------+
-
-Routing Initialization
-~~~~~~~~~~~~~~~~~~~~~~
-
-The Routing is implemented using LPM table.
-
-Following default values:
-
-Endpoint 0 Routing Table:
-
-+------------------+----------+
-| **Dst addr** | **Port** |
-| | |
-+------------------+----------+
-| 172.16.2.5/32 | 0 |
-| | |
-+------------------+----------+
-| 172.16.2.6/32 | 0 |
-| | |
-+------------------+----------+
-| 172.16.2.7/32 | 1 |
-| | |
-+------------------+----------+
-| 172.16.2.8/32 | 1 |
-| | |
-+------------------+----------+
-| 192.168.115.0/24 | 2 |
-| | |
-+------------------+----------+
-| 192.168.116.0/24 | 2 |
-| | |
-+------------------+----------+
-| 192.168.117.0/24 | 3 |
-| | |
-+------------------+----------+
-| 192.168.118.0/24 | 3 |
-| | |
-+------------------+----------+
-| 192.168.210.0/24 | 2 |
-| | |
-+------------------+----------+
-| 192.168.240.0/24 | 2 |
-| | |
-+------------------+----------+
-| 192.168.250.0/24 | 0 |
-| | |
-+------------------+----------+
-
-Endpoint 1 Routing Table:
-
-+------------------+----------+
-| **Dst addr** | **Port** |
-| | |
-+------------------+----------+
-| 172.16.1.5/32 | 2 |
-| | |
-+------------------+----------+
-| 172.16.1.6/32 | 2 |
-| | |
-+------------------+----------+
-| 172.16.1.7/32 | 3 |
-| | |
-+------------------+----------+
-| 172.16.1.8/32 | 3 |
-| | |
-+------------------+----------+
-| 192.168.105.0/24 | 0 |
-| | |
-+------------------+----------+
-| 192.168.106.0/24 | 0 |
-| | |
-+------------------+----------+
-| 192.168.107.0/24 | 1 |
-| | |
-+------------------+----------+
-| 192.168.108.0/24 | 1 |
-| | |
-+------------------+----------+
-| 192.168.200.0/24 | 0 |
-| | |
-+------------------+----------+
-| 192.168.240.0/24 | 2 |
-| | |
-+------------------+----------+
-| 192.168.250.0/24 | 0 |
-| | |
-+------------------+----------+
+The application parsers the rules specified in the configuration file and
+passes them to the ACL table, and replicates them per socket in use.
+
+Following are the configuration file syntax.
+
+General rule syntax
+^^^^^^^^^^^^^^^^^^^
+
+The parse treats one line in the configuration file as one configuration
+item (unless the line concatenation symbol exists). Every configuration
+item shall follow the syntax of either SP, SA, Routing or Neighbour
+rules specified below.
+
+The configuration parser supports the following special symbols:
+
+ * Comment symbol **#**. Any character from this symbol to the end of
+ line is treated as comment and will not be parsed.
+
+ * Line concatenation symbol **\\**. This symbol shall be placed in the end
+ of the line to be concatenated to the line below. Multiple lines'
+ concatenation is supported.
+
+
+SP rule syntax
+^^^^^^^^^^^^^^
+
+The SP rule syntax is shown as follows:
+
+.. code-block:: console
+
+ sp <ip_ver> <dir> esp <action> <priority> <src_ip> <dst_ip>
+ <proto> <sport> <dport>
+
+
+where each options means:
+
+``<ip_ver>``
+
+ * IP protocol version
+
+ * Optional: No
+
+ * Available options:
+
+ * *ipv4*: IP protocol version 4
+ * *ipv6*: IP protocol version 6
+
+``<dir>``
+
+ * The traffic direction
+
+ * Optional: No
+
+ * Available options:
+
+ * *in*: inbound traffic
+ * *out*: outbound traffic
+
+``<action>``
+
+ * IPsec action
+
+ * Optional: No
+
+ * Available options:
+
+ * *protect <SA_idx>*: the specified traffic is protected by SA rule
+ with id SA_idx
+ * *bypass*: the specified traffic traffic is bypassed
+ * *discard*: the specified traffic is discarded
+
+``<priority>``
+
+ * Rule priority
+
+ * Optional: Yes, default priority 0 will be used
+
+ * Syntax: *pri <id>*
+
+``<src_ip>``
+
+ * The source IP address and mask
+
+ * Optional: Yes, default address 0.0.0.0 and mask of 0 will be used
+
+ * Syntax:
+
+ * *src X.X.X.X/Y* for IPv4
+ * *src XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/Y* for IPv6
+
+``<dst_ip>``
+
+ * The destination IP address and mask
+
+ * Optional: Yes, default address 0.0.0.0 and mask of 0 will be used
+
+ * Syntax:
+
+ * *dst X.X.X.X/Y* for IPv4
+ * *dst XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/Y* for IPv6
+
+``<proto>``
+
+ * The protocol start and end range
+
+ * Optional: yes, default range of 0 to 0 will be used
+
+ * Syntax: *proto X:Y*
+
+``<sport>``
+
+ * The source port start and end range
+
+ * Optional: yes, default range of 0 to 0 will be used
+
+ * Syntax: *sport X:Y*
+
+``<dport>``
+
+ * The destination port start and end range
+
+ * Optional: yes, default range of 0 to 0 will be used
+
+ * Syntax: *dport X:Y*
+
+Example SP rules:
+
+.. code-block:: console
+
+ sp ipv4 out esp protect 105 pri 1 dst 192.168.115.0/24 sport 0:65535 \
+ dport 0:65535
+
+ sp ipv6 in esp bypass pri 1 dst 0000:0000:0000:0000:5555:5555:\
+ 0000:0000/96 sport 0:65535 dport 0:65535
+
+
+SA rule syntax
+^^^^^^^^^^^^^^
+
+The successfully parsed SA rules will be stored in an array table.
+
+The SA rule syntax is shown as follows:
+
+.. code-block:: console
+
+ sa <dir> <spi> <cipher_algo> <cipher_key> <auth_algo> <auth_key>
+ <mode> <src_ip> <dst_ip> <action_type> <port_id> <fallback>
+ <flow-direction> <port_id> <queue_id>
+
+where each options means:
+
+``<dir>``
+
+ * The traffic direction
+
+ * Optional: No
+
+ * Available options:
+
+ * *in*: inbound traffic
+ * *out*: outbound traffic
+
+``<spi>``
+
+ * The SPI number
+
+ * Optional: No
+
+ * Syntax: unsigned integer number
+
+``<cipher_algo>``
+
+ * Cipher algorithm
+
+ * Optional: Yes, unless <aead_algo> is not used
+
+ * Available options:
+
+ * *null*: NULL algorithm
+ * *aes-128-cbc*: AES-CBC 128-bit algorithm
+ * *aes-192-cbc*: AES-CBC 192-bit algorithm
+ * *aes-256-cbc*: AES-CBC 256-bit algorithm
+ * *aes-128-ctr*: AES-CTR 128-bit algorithm
+ * *3des-cbc*: 3DES-CBC 192-bit algorithm
+
+ * Syntax: *cipher_algo <your algorithm>*
+
+``<cipher_key>``
+
+ * Cipher key, NOT available when 'null' algorithm is used
+
+ * Optional: Yes, unless <aead_algo> is not used.
+ Must be followed by <cipher_algo> option
+
+ * Syntax: Hexadecimal bytes (0x0-0xFF) concatenate by colon symbol ':'.
+ The number of bytes should be as same as the specified cipher algorithm
+ key size.
+
+ For example: *cipher_key A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4:
+ A1:B2:C3:D4*
+
+``<auth_algo>``
+
+ * Authentication algorithm
+
+ * Optional: Yes, unless <aead_algo> is not used
+
+ * Available options:
+
+ * *null*: NULL algorithm
+ * *sha1-hmac*: HMAC SHA1 algorithm
+
+``<auth_key>``
+
+ * Authentication key, NOT available when 'null' or 'aes-128-gcm' algorithm
+ is used.
+
+ * Optional: Yes, unless <aead_algo> is not used.
+ Must be followed by <auth_algo> option
+
+ * Syntax: Hexadecimal bytes (0x0-0xFF) concatenate by colon symbol ':'.
+ The number of bytes should be as same as the specified authentication
+ algorithm key size.
+
+ For example: *auth_key A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4:
+ A1:B2:C3:D4*
+
+``<aead_algo>``
+
+ * AEAD algorithm
+
+ * Optional: Yes, unless <cipher_algo> and <auth_algo> are not used
+
+ * Available options:
+
+ * *aes-128-gcm*: AES-GCM 128-bit algorithm
+ * *aes-192-gcm*: AES-GCM 192-bit algorithm
+ * *aes-256-gcm*: AES-GCM 256-bit algorithm
+
+ * Syntax: *cipher_algo <your algorithm>*
+
+``<aead_key>``
+
+ * Cipher key, NOT available when 'null' algorithm is used
+
+ * Optional: Yes, unless <cipher_algo> and <auth_algo> are not used.
+ Must be followed by <aead_algo> option
+
+ * Syntax: Hexadecimal bytes (0x0-0xFF) concatenate by colon symbol ':'.
+ Last 4 bytes of the provided key will be used as 'salt' and so, the
+ number of bytes should be same as the sum of specified AEAD algorithm
+ key size and salt size (4 bytes).
+
+ For example: *aead_key A1:B2:C3:D4:A1:B2:C3:D4:A1:B2:C3:D4:
+ A1:B2:C3:D4:A1:B2:C3:D4*
+
+``<mode>``
+
+ * The operation mode
+
+ * Optional: No
+
+ * Available options:
+
+ * *ipv4-tunnel*: Tunnel mode for IPv4 packets
+ * *ipv6-tunnel*: Tunnel mode for IPv6 packets
+ * *transport*: transport mode
+
+ * Syntax: mode XXX
+
+``<src_ip>``
+
+ * The source IP address. This option is not available when
+ transport mode is used
+
+ * Optional: Yes, default address 0.0.0.0 will be used
+
+ * Syntax:
+
+ * *src X.X.X.X* for IPv4
+ * *src XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX* for IPv6
+
+``<dst_ip>``
+
+ * The destination IP address. This option is not available when
+ transport mode is used
+
+ * Optional: Yes, default address 0.0.0.0 will be used
+
+ * Syntax:
+
+ * *dst X.X.X.X* for IPv4
+ * *dst XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX* for IPv6
+
+``<type>``
+
+ * Action type to specify the security action. This option specify
+ the SA to be performed with look aside protocol offload to HW
+ accelerator or protocol offload on ethernet device or inline
+ crypto processing on the ethernet device during transmission.
+
+ * Optional: Yes, default type *no-offload*
+
+ * Available options:
+
+ * *lookaside-protocol-offload*: look aside protocol offload to HW accelerator
+ * *inline-protocol-offload*: inline protocol offload on ethernet device
+ * *inline-crypto-offload*: inline crypto processing on ethernet device
+ * *no-offload*: no offloading to hardware
+
+ ``<port_id>``
+
+ * Port/device ID of the ethernet/crypto accelerator for which the SA is
+ configured. For *inline-crypto-offload* and *inline-protocol-offload*, this
+ port will be used for routing. The routing table will not be referred in
+ this case.
+
+ * Optional: No, if *type* is not *no-offload*
+
+ * Syntax:
+
+ * *port_id X* X is a valid device number in decimal
+
+ ``<fallback>``
+
+ * Action type for ingress IPsec packets that inline processor failed to
+ process. Only a combination of *inline-crypto-offload* as a primary
+ session and *lookaside-none* as a fall-back session is supported at the
+ moment.
+
+ If used in conjunction with IPsec window, its width needs be increased
+ due to different processing times of inline and lookaside modes which
+ results in packet reordering.
+
+ * Optional: Yes.
+
+ * Available options:
+
+ * *lookaside-none*: use automatically chosen cryptodev to process packets
+
+ * Syntax:
+
+ * *fallback lookaside-none*
+
+``<flow-direction>``
+
+ * Option for redirecting a specific inbound ipsec flow of a port to a specific
+ queue of that port.
+
+ * Optional: Yes.
+
+ * Available options:
+
+ * *port_id*: Port ID of the NIC for which the SA is configured.
+ * *queue_id*: Queue ID to which traffic should be redirected.
+
+Example SA rules:
+
+.. code-block:: console
+
+ sa out 5 cipher_algo null auth_algo null mode ipv4-tunnel \
+ src 172.16.1.5 dst 172.16.2.5
+
+ sa out 25 cipher_algo aes-128-cbc \
+ cipher_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3 \
+ auth_algo sha1-hmac \
+ auth_key c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3:c3 \
+ mode ipv6-tunnel \
+ src 1111:1111:1111:1111:1111:1111:1111:5555 \
+ dst 2222:2222:2222:2222:2222:2222:2222:5555
+
+ sa in 105 aead_algo aes-128-gcm \
+ aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+ mode ipv4-tunnel src 172.16.2.5 dst 172.16.1.5
+
+ sa out 5 cipher_algo aes-128-cbc cipher_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
+ auth_algo sha1-hmac auth_key 0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0 \
+ mode ipv4-tunnel src 172.16.1.5 dst 172.16.2.5 \
+ type lookaside-protocol-offload port_id 4
+
+ sa in 35 aead_algo aes-128-gcm \
+ aead_key de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef:de:ad:be:ef \
+ mode ipv4-tunnel src 172.16.2.5 dst 172.16.1.5 \
+ type inline-crypto-offload port_id 0
+
+ sa in 117 cipher_algo null auth_algo null mode ipv4-tunnel src 172.16.2.7 \
+ dst 172.16.1.7 flow-direction 0 2
+
+Routing rule syntax
+^^^^^^^^^^^^^^^^^^^
+
+The Routing rule syntax is shown as follows:
+
+.. code-block:: console
+
+ rt <ip_ver> <src_ip> <dst_ip> <port>
+
+
+where each options means:
+
+``<ip_ver>``
+
+ * IP protocol version
+
+ * Optional: No
+
+ * Available options:
+
+ * *ipv4*: IP protocol version 4
+ * *ipv6*: IP protocol version 6
+
+``<src_ip>``
+
+ * The source IP address and mask
+
+ * Optional: Yes, default address 0.0.0.0 and mask of 0 will be used
+
+ * Syntax:
+
+ * *src X.X.X.X/Y* for IPv4
+ * *src XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/Y* for IPv6
+
+``<dst_ip>``
+
+ * The destination IP address and mask
+
+ * Optional: Yes, default address 0.0.0.0 and mask of 0 will be used
+
+ * Syntax:
+
+ * *dst X.X.X.X/Y* for IPv4
+ * *dst XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX/Y* for IPv6
+
+``<port>``
+
+ * The traffic output port id
+
+ * Optional: yes, default output port 0 will be used
+
+ * Syntax: *port X*
+
+Example SP rules:
+
+.. code-block:: console
+
+ rt ipv4 dst 172.16.1.5/32 port 0
+
+ rt ipv6 dst 1111:1111:1111:1111:1111:1111:1111:5555/116 port 0
+
+Neighbour rule syntax
+^^^^^^^^^^^^^^^^^^^^^
+
+The Neighbour rule syntax is shown as follows:
+
+.. code-block:: console
+
+ neigh <port> <dst_mac>
+
+
+where each options means:
+
+``<port>``
+
+ * The output port id
+
+ * Optional: No
+
+ * Syntax: *port X*
+
+``<dst_mac>``
+
+ * The destination ethernet address to use for that port
+
+ * Optional: No
+
+ * Syntax:
+
+ * XX:XX:XX:XX:XX:XX
+
+Example Neighbour rules:
+
+.. code-block:: console
+
+ neigh port 0 DE:AD:BE:EF:01:02
+
+Test directory
+--------------
+
+The test directory contains scripts for testing the various encryption
+algorithms.
+
+The purpose of the scripts is to automate ipsec-secgw testing
+using another system running linux as a DUT.
+
+The user must setup the following environment variables:
+
+* ``SGW_PATH``: path to the ipsec-secgw binary to test.
+
+* ``REMOTE_HOST``: IP address/hostname of the DUT.
+
+* ``REMOTE_IFACE``: interface name for the test-port on the DUT.
+
+* ``ETH_DEV``: ethernet device to be used on the SUT by DPDK ('-w <pci-id>')
+
+Also the user can optionally setup:
+
+* ``SGW_LCORE``: lcore to run ipsec-secgw on (default value is 0)
+
+* ``CRYPTO_DEV``: crypto device to be used ('-w <pci-id>'). If none specified
+ appropriate vdevs will be created by the script
+
+* ``MULTI_SEG_TEST``: ipsec-secgw option to enable reassembly support and
+ specify size of reassembly table (e.g.
+ ``MULTI_SEG_TEST='--reassemble 128'``). This option must be set for
+ fallback session tests.
+
+Note that most of the tests require the appropriate crypto PMD/device to be
+available.
+
+Server configuration
+~~~~~~~~~~~~~~~~~~~~
+
+Two servers are required for the tests, SUT and DUT.
+
+Make sure the user from the SUT can ssh to the DUT without entering the password.
+To enable this feature keys must be setup on the DUT.
+
+``ssh-keygen`` will make a private & public key pair on the SUT.
+
+``ssh-copy-id`` <user name>@<target host name> on the SUT will copy the public
+key to the DUT. It will ask for credentials so that it can upload the public key.
+
+The SUT and DUT are connected through at least 2 NIC ports.
+
+One NIC port is expected to be managed by linux on both machines and will be
+used as a control path.
+
+The second NIC port (test-port) should be bound to DPDK on the SUT, and should
+be managed by linux on the DUT.
+
+The script starts ``ipsec-secgw`` with 2 NIC devices: ``test-port`` and
+``tap vdev``.
+
+It then configures the local tap interface and the remote interface and IPsec
+policies in the following way:
+
+Traffic going over the test-port in both directions has to be protected by IPsec.
+
+Traffic going over the TAP port in both directions does not have to be protected.
+
+i.e:
+
+DUT OS(NIC1)--(IPsec)-->(NIC1)ipsec-secgw(TAP)--(plain)-->(TAP)SUT OS
+
+SUT OS(TAP)--(plain)-->(TAP)psec-secgw(NIC1)--(IPsec)-->(NIC1)DUT OS
+
+It then tries to perform some data transfer using the scheme described above.
+
+usage
+~~~~~
+
+In the ipsec-secgw/test directory
+
+to run one test for IPv4 or IPv6
+
+/bin/bash linux_test(4|6).sh <ipsec_mode>
+
+to run all tests for IPv4 or IPv6
+
+/bin/bash run_test.sh -4|-6
+
+For the list of available modes please refer to run_test.sh.