security: add option to configure UDP ports verification

Add option to indicate whether UDP encapsulation ports
verification need to be done as part of inbound
IPsec processing.

Signed-off-by: Tejasree Kondoj <ktejasree@marvell.com>
Acked-by: Hemant Agrawal <hemant.agrawal@nxp.com>
Acked-by: Akhil Goyal <gakhil@marvell.com>

diff --git a/doc/guides/rel_notes/release_21_11.rst b/doc/guides/rel_notes/release_21_11.rst
index 5036641..309045e 100644 (file)
--- a/doc/guides/rel_notes/release_21_11.rst
+++ b/doc/guides/rel_notes/release_21_11.rst
@@ -238,6 +238,10 @@ ABI Changes
   ``rte_security_ipsec_sa_options`` to indicate whether outer header
   verification need to be done as part of inbound IPsec processing.
 
+* security: A new option ``udp_ports_verify`` was added in structure
+  ``rte_security_ipsec_sa_options`` to indicate whether UDP ports
+  verification need to be done as part of inbound IPsec processing.
+
 * security: A new structure ``rte_security_ipsec_lifetime`` was added to
   replace ``esn_soft_limit`` in IPsec configuration structure
   ``rte_security_ipsec_xform`` to allow applications to configure SA soft

diff --git a/lib/security/rte_security.h b/lib/security/rte_security.h
index 2013e65..7b066e7 100644 (file)
--- a/lib/security/rte_security.h
+++ b/lib/security/rte_security.h
@@ -220,6 +220,13 @@ struct rte_security_ipsec_sa_options {
         *   source and destination IP addresses.
         */
        uint32_t tunnel_hdr_verify : 2;
+
+       /** Verify UDP encapsulation ports in inbound
+        *
+        * * 1: Match UDP source and destination ports
+        * * 0: Do not match UDP ports
+        */
+       uint32_t udp_ports_verify : 1;
 };
 
 /** IPSec security association direction */