security: add option to configure UDP ports verification

Add option to indicate whether UDP encapsulation ports
verification need to be done as part of inbound
IPsec processing.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>

diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 5036641842ca692c485cfc259b82ea2859d7bc52..309045ec8a74abb2517420c8cc4d0226c02e237d 100644 (file)
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -238,6 +238,10 @@ ABI Changes
   ``rte_security_ipsec_sa_options`` to indicate whether outer header
   verification need to be done as part of inbound IPsec processing.
 
+* security: A new option ``udp_ports_verify`` was added in structure
+  ``rte_security_ipsec_sa_options`` to indicate whether UDP ports
+  verification need to be done as part of inbound IPsec processing.
+
 * security: A new structure ``rte_security_ipsec_lifetime`` was added to
   replace ``esn_soft_limit`` in IPsec configuration structure
   ``rte_security_ipsec_xform`` to allow applications to configure SA soft

diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index 2013e65e49fe1fc69b27d605223e5362a1215f6e..7b066e758bc81dc50c66baf6f4c885e190bb1063 100644 (file)
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -220,6 +220,13 @@ struct rte_security_ipsec_sa_options {
         *   source and destination IP addresses.
         */
        uint32_t tunnel_hdr_verify : 2;
+
+       /** Verify UDP encapsulation ports in inbound
+        *
+        * * 1: Match UDP source and destination ports
+        * * 0: Do not match UDP ports
+        */
+       uint32_t udp_ports_verify : 1;
 };
 
 /** IPSec security association direction */