1 files changed, 45 insertions, 0 deletions

diff --git a/src/vnet/ipsec/ipsec_tun.c b/src/vnet/ipsec/ipsec_tun.c
index 74340256f38..0b6ec0ea33e 100644
--- a/src/vnet/ipsec/ipsec_tun.c
+++ b/src/vnet/ipsec/ipsec_tun.c
@@ -779,6 +779,49 @@ ipsec_tun_protect_walk_itf (u32 sw_if_index,
 }
 
 static void
+ipsec_tun_feature_update (u32 sw_if_index, u8 arc_index, u8 is_enable,
+			  void *data)
+{
+  ipsec_tun_protect_t *itp;
+  index_t itpi;
+
+  if (arc_index != feature_main.device_input_feature_arc_index)
+    return;
+
+  /* Only p2p tunnels supported */
+  itpi = ipsec_tun_protect_find (sw_if_index, &IP_ADDR_ALL_0);
+  if (itpi == INDEX_INVALID)
+    return;
+
+  itp = ipsec_tun_protect_get (itpi);
+
+  if (is_enable)
+    {
+      u32 decrypt_tun = ip46_address_is_ip4 (&itp->itp_crypto.dst) ?
+			  ipsec_main.esp4_decrypt_tun_node_index :
+			  ipsec_main.esp6_decrypt_tun_node_index;
+
+      vnet_feature_modify_end_node (
+	feature_main.device_input_feature_arc_index, sw_if_index, decrypt_tun);
+      itp->itp_flags |= IPSEC_PROTECT_FEAT;
+    }
+  else
+    {
+      u32 eth_in =
+	vlib_get_node_by_name (vlib_get_main (), (u8 *) "ethernet-input")
+	  ->index;
+
+      vnet_feature_modify_end_node (
+	feature_main.device_input_feature_arc_index, sw_if_index, eth_in);
+      itp->itp_flags &= ~IPSEC_PROTECT_FEAT;
+    }
+
+  /* Propagate flag change into lookup entries */
+  ipsec_tun_protect_rx_db_remove (&ipsec_main, itp);
+  ipsec_tun_protect_rx_db_add (&ipsec_main, itp);
+}
+
+static void
 ipsec_tun_protect_adj_delegate_adj_deleted (adj_delegate_t * ad)
 {
   /* remove our delegate */
@@ -929,6 +972,8 @@ ipsec_tunnel_protect_init (vlib_main_t *vm)
 
   teib_register (&ipsec_tun_teib_vft);
 
+  vnet_feature_register (ipsec_tun_feature_update, NULL);
+
   return 0;
 }