document application filtering

Change-Id: I6d74171df4afbcb3215e9a6ca7db3981d5baa157
diff --git a/advanced/appfilter.rst b/advanced/appfilter.rst
new file mode 100644
index 0000000..6f49769
--- /dev/null
+++ b/advanced/appfilter.rst
@@ -0,0 +1,63 @@
+..
+   SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
+   SPDX-License-Identifier: Apache-2.0
+
+Application Filtering
+=====================
+
+Application filtering allows configuration of the application endpoints that a
+device is allowed to connect to. Configuration is possible of not only whether an
+application endpoint is reachable or not, but also what maximum bitrate and traffic
+class should be associated with that endpoint.
+
+A VCS may have a total of five user-defined application endpoints associated with it. Logically
+this could be one application with five endpoints, five applications with one endpoint
+each, or any other combination that is less than or equal to five endpoints total.
+
+In addition to
+these five user configurable endpoints, the default behavior can be set to either
+ALLOW-ALL, DENY-ALL, or ALLOW-PUBLIC. ALLOW-PUBLIC is a special rule that denies traffic
+to private IPv4 networks (as per RFC1918) and then allows everything else.
+
+Configuring Applications
+------------------------
+
+Begin by creating Applications. Each application has an address field which may be
+set to an IPv4 address or an IPv4 subnet, which may in turn match several IPv4
+addresses. Once the address is set, move on to creating endpoints.
+
+Each endpoint is a port range, specified by its start and end port. A range of
+exactly one port is also acceptable. The protocol may be set to either TCP or UDP. Each
+endpoint may also have associated with it a maximum bitrate and a traffic-class. The
+maximum bitrate is per-device to the application; it is not the sum of all devices to the
+application.
+
+Adding Applications to VCSes
+----------------------------
+
+Each VCS has an application filter, which is a list of applications. Each entry
+in this list has a priority and an allow|deny setting. Keep in mind that the total
+number of endpoints for all applications attached to the VCS must be less than or
+equal to five.
+
+Also configurable for the VCS is the default-behavior, which will automatically
+be evaluated at the lowest priority, only taking effect if no other rule matches.
+The default behavior does not count against the 5-endpoint limit.
+
+How Application Filtering is Evaluated
+--------------------------------------
+
+Application filtering is evaluated from highest priority (0) to the lowest
+priority (250). The first rule to match will have its action applied. Subsequent
+rules after a match are not evaluated.
+
+For example, assume the following filter is configured:
+
+* Priority=0, Address=10.0.0.1, Protocol=TCP, Port=8000, Action=Allow
+* Priority=1, Address=10.0.0.0/24, Action=Deny
+* Default_Behavior = Allow All
+
+The above rule would allow traffic to 10.0.0.1 on TCP port 8000, but deny
+traffic to all other hosts on the IPv4 subnet 10.0.0.0/24. Ports other than
+8000 on 10.0.0.1 would be denied, as would protocols other than TCP. Traffic to
+subnets other than 10.0.0.0/24 would be allowed.
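Review bot: the "How Application Filtering is Evaluated" section leaves the match semantics underspecified in two places a filter author will hit immediately. First, it states rules run "from highest priority (0) to the lowest priority (250)" but never says what happens when two entries on the same VCS carry the same priority (is it rejected, or is the tie broken by order of creation or some other key?); either state that priorities must be unique or document the tie-break. Second, the worked example relies on a rule with no protocol or port ("Priority=1, Address=10.0.0.0/24, Action=Deny") matching every protocol and port for that subnet, but the earlier text only says an endpoint "may be set to either TCP or UDP"; say explicitly that an application entry with no endpoints (or an endpoint with no protocol) is a wildcard, and whether non-TCP/UDP traffic (ICMP, for instance) can be matched by an endpoint at all. Two smaller gaps in the same hunk: ALLOW-PUBLIC is defined as denying "private IPv4 networks (as per RFC1918)", so list the three ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and state whether other non-public space such as 100.64.0.0/10 or 169.254.0.0/16 is also denied, since a reader choosing this mode needs to know; and the text never says which default-behavior a newly created VCS has before the operator sets one, which matters because the safe choice (DENY-ALL) and the permissive one (ALLOW-ALL) are both on offer. Stylistically, "allow|deny setting" reads as a regex in prose; "allow or deny" would be clearer.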
diff --git a/dict.txt b/dict.txt
index 0ef25fb..74fdd3f 100644
--- a/dict.txt
+++ b/dict.txt
@@ -26,6 +26,7 @@
 IPMI
 IaC
 IaaC
+IPv
 Istio
 Jenkins
 Keycloak
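Review bot: `IPv` is inserted after `IaaC`, which breaks the apparent ASCII ordering of this list (`IPMI`, `IaC`, `IaaC`, `Istio` is byte-sorted, so `IPv` belongs between `IPMI` and `IaC`). Also consider whether the spell checker actually needs the bare stem `IPv` or whether it tokenizes `IPv4` whole; adding the stem accepts a stray `IPv` (a real typo) anywhere in the docs, whereas `IPv4` and `IPv6` as full entries would not.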
diff --git a/index.rst b/index.rst
index 784eb4d..418df2a 100644
--- a/index.rst
+++ b/index.rst
@@ -70,6 +70,7 @@
    operations/procedures
    operations/subscriber
    operations/vcs
+   advanced/appfilter
 
 .. toctree::
    :maxdepth: 3
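Review bot: `advanced/appfilter` is appended to a toctree whose other entries are all `operations/...` pages, while the new file starts a separate `advanced/` directory; if "advanced" is meant to be its own section, it should get its own `.. toctree::` with a caption (there is already a second toctree immediately below this one) rather than being listed as an operations page. Either way, the new page describes VCS configuration without linking to `operations/vcs`; a `:doc:` cross-reference from `appfilter.rst` to the VCS page would help readers arriving from this index.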