fn (idi->id_itp, ctx);
}
+static void
+ipsec_tun_feature_update (u32 sw_if_index, u8 arc_index, u8 is_enable,
+ void *data)
+{
+ ipsec_tun_protect_t *itp;
+ index_t itpi;
+
+ if (arc_index != feature_main.device_input_feature_arc_index)
+ return;
+
+ /* Only p2p tunnels supported */
+ itpi = ipsec_tun_protect_find (sw_if_index, &IP_ADDR_ALL_0);
+ if (itpi == INDEX_INVALID)
+ return;
+
+ itp = ipsec_tun_protect_get (itpi);
+
+ if (is_enable)
+ {
+ u32 decrypt_tun = ip46_address_is_ip4 (&itp->itp_crypto.dst) ?
+ ipsec_main.esp4_decrypt_tun_node_index :
+ ipsec_main.esp6_decrypt_tun_node_index;
+
+ vnet_feature_modify_end_node (
+ feature_main.device_input_feature_arc_index, sw_if_index, decrypt_tun);
+ itp->itp_flags |= IPSEC_PROTECT_FEAT;
+ }
+ else
+ {
+ u32 eth_in =
+ vlib_get_node_by_name (vlib_get_main (), (u8 *) "ethernet-input")
+ ->index;
+
+ vnet_feature_modify_end_node (
+ feature_main.device_input_feature_arc_index, sw_if_index, eth_in);
+ itp->itp_flags &= ~IPSEC_PROTECT_FEAT;
+ }
+
+ /* Propagate flag change into lookup entries */
+ ipsec_tun_protect_rx_db_remove (&ipsec_main, itp);
+ ipsec_tun_protect_rx_db_add (&ipsec_main, itp);
+}
+
static void
ipsec_tun_protect_adj_delegate_adj_deleted (adj_delegate_t * ad)
{
teib_register (&ipsec_tun_teib_vft);
+ vnet_feature_register (ipsec_tun_feature_update, NULL);
+
return 0;
}