danielinux
diff --git a/‎.github/workflows/linux.yml‎
Lines changed: 11 additions & 5 deletions b/‎.github/workflows/linux.yml‎
Lines changed: 11 additions & 5 deletions
diff --git a/‎Makefile‎
Lines changed: 19 additions & 1 deletion b/‎Makefile‎
Lines changed: 19 additions & 1 deletion
diff --git a/‎config.h‎
Lines changed: 4 additions & 0 deletions b/‎config.h‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎docs/API.md‎
Lines changed: 7 additions & 0 deletions b/‎docs/API.md‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎src/port/wolfssl_io.c‎
Lines changed: 72 additions & 22 deletions b/‎src/port/wolfssl_io.c‎
Lines changed: 72 additions & 22 deletions
@@ -19,15 +19,21 @@ jobs:
       - name: Update repo
         run: |
           sudo apt-get update
+          sudo apt-get install -y libwolfssl-dev
           sudo modprobe tun
 
       - name: Build linux tests
         run: |
           mkdir -p build/port
           make
 
-#      - name: Run interop tests
-#        run: |
-#          sudo build/test
-#
-#
+      - name: Run unit tests
+        run: make unit
+
+      - name: Run standalone tests
+        run: |
+          sudo ./build/test-evloop
+          sudo ./build/test-wolfssl
+          ./build/test-wolfssl-forwarding
+          ./build/test-ttl-expired
+
@@ -20,7 +20,8 @@ OBJ=build/wolfip.o \
 	build/port/posix/linux_tap.o
 
 EXE=build/tcpecho build/tcp_netcat_poll build/tcp_netcat_select \
-	build/test-evloop build/test-dns
+	build/test-evloop build/test-dns build/test-wolfssl-forwarding \
+	build/test-ttl-expired build/test-wolfssl
 LIB=libwolfip.so
 
 PREFIX=/usr/local
@@ -80,12 +81,29 @@ build/tcp_netcat_select: $(OBJ) build/port/posix/bsd_socket.o build/test/tcp_net
 
 build/test-wolfssl:CFLAGS+=-Wno-cpp -DWOLFSSL_DEBUG -DWOLFSSL_WOLFIP
 build/test-httpd:CFLAGS+=-Wno-cpp -DWOLFSSL_DEBUG -DWOLFSSL_WOLFIP -Isrc/http
+build/test-wolfssl-forwarding:CFLAGS+=-Wno-cpp -DWOLFSSL_DEBUG -DWOLFSSL_WOLFIP -DWOLFIP_MAX_INTERFACES=2 -DWOLFIP_ENABLE_FORWARDING=1
 
 
 build/test-wolfssl: $(OBJ) build/test/test_native_wolfssl.o build/port/wolfssl_io.o build/certs/server_key.o build/certs/ca_cert.o build/certs/server_cert.o
 	@echo "[LD] $@"
 	@$(CC) $(CFLAGS) $(LDFLAGS) -o $@ -Wl,--start-group $(^) -lwolfssl -Wl,--end-group
 
+build/test-wolfssl-forwarding: build/test/test_wolfssl_forwarding.o build/test/wolfip_forwarding.o build/port/posix/linux_tap.o build/port/wolfssl_io.o build/certs/server_key.o build/certs/ca_cert.o build/certs/server_cert.o
+	@echo "[LD] $@"
+	@$(CC) $(CFLAGS) $(LDFLAGS) -o $@ -Wl,--start-group $(^) -lwolfssl -Wl,--end-group
+
+build/test/test_wolfssl_forwarding.o: CFLAGS+=-DWOLFIP_MAX_INTERFACES=2 -DWOLFIP_ENABLE_FORWARDING=1
+
+build/test/wolfip_forwarding.o: src/wolfip.c
+	@mkdir -p `dirname $@` || true
+	@echo "[CC] $< (forwarding)"
+	@$(CC) $(CFLAGS) -DWOLFIP_MAX_INTERFACES=2 -DWOLFIP_ENABLE_FORWARDING=1 -c $< -o $@
+
+build/test/test_ttl_expired.o: CFLAGS+=-DWOLFIP_MAX_INTERFACES=2 -DWOLFIP_ENABLE_FORWARDING=1
+build/test-ttl-expired: build/test/test_ttl_expired.o build/test/wolfip_forwarding.o
+	@echo "[LD] $@"
+	@$(CC) $(CFLAGS) $(LDFLAGS) -o $@ -Wl,--start-group $(^) -Wl,--end-group
+
 build/test-httpd: $(OBJ) build/test/test_httpd.o build/port/wolfssl_io.o build/certs/server_key.o build/certs/server_cert.o build/http/httpd.o
 	@echo "[LD] $@"
 	@$(CC) $(CFLAGS) $(LDFLAGS) -o $@ -Wl,--start-group $(^) -lwolfssl -Wl,--end-group
 
@@ -15,6 +15,10 @@
 #define WOLFIP_MAX_INTERFACES 1
 #endif
 
+#ifndef WOLFIP_ENABLE_FORWARDING
+#define WOLFIP_ENABLE_FORWARDING 0
+#endif
+
 /* Linux test configuration */
 #define WOLFIP_IP "10.10.10.2"
 #define LINUX_IP "10.10.10.1"
 
@@ -43,6 +43,8 @@ struct ipconf {
 ```
 Each `struct wolfIP` instance owns `WOLFIP_MAX_INTERFACES` `ipconf` entries—one per link-layer slot. Use the `_ex` helpers to read or update a specific interface; the legacy accessors operate on index `0` for backwards compatibility.
 
+If `WOLFIP_ENABLE_FORWARDING` is set to `1` at compile time, the stack performs simple IPv4 forwarding between interfaces. Packets received on one interface whose destinations match another configured interface are re-sent with the IP TTL decreased by one (or an ICMP TTL-exceeded response if the TTL would drop to zero).
+
 ### Socket Address Structures
 ```c
 struct wolfIP_sockaddr_in {
@@ -153,6 +155,11 @@ Initializes a static wolfIP instance.
 - Parameters:
   - s: Pointer to wolfIP instance pointer
 
+```c
+size_t wolfIP_instance_size(void);
+```
+Returns the size (in bytes) required to store a `struct wolfIP`. Use this when allocating stacks from custom memory managers.
+
 ```c
 int wolfIP_poll(struct wolfIP *s, uint64_t now);
 ```
 
@@ -1,6 +1,5 @@
 /* wolfssl_io.c
- *
- * Copyright (C) 2024 wolfSSL Inc.
+ * Copyright (C) 2025 wolfSSL Inc.
  *
  * This file is part of wolfIP TCP/IP stack.
  *
@@ -17,39 +16,77 @@
  * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+ *
+ * wolfIP <-> wolfSSL glue for custom IO callbacks.
  */
 #include "wolfip.h"
 #include <wolfssl/wolfcrypt/settings.h>
 #include <wolfssl/ssl.h>
+#include <wolfssl/wolfcrypt/memory.h>
+
+#define MAX_WOLFIP_CTX 8
+
+struct ctx_entry {
+    WOLFSSL_CTX *ctx;
+    struct wolfIP *stack;
+};
+
+struct wolfip_io_desc {
+    int fd;
+    struct wolfIP *stack;
+};
 
-static struct wolfIP *ref_ipstack = NULL; 
+static struct ctx_entry ctx_map[MAX_WOLFIP_CTX];
+static struct wolfip_io_desc io_descs[MAX_WOLFIP_CTX];
+
+static struct wolfIP *wolfIP_lookup_stack(WOLFSSL_CTX *ctx)
+{
+    for (int i = 0; i < MAX_WOLFIP_CTX; i++) {
+        if (ctx_map[i].ctx == ctx)
+            return ctx_map[i].stack;
+    }
+    return NULL;
+}
+
+static void wolfIP_register_stack(WOLFSSL_CTX *ctx, struct wolfIP *stack)
+{
+    for (int i = 0; i < MAX_WOLFIP_CTX; i++) {
+        if (ctx_map[i].ctx == ctx || ctx_map[i].ctx == NULL) {
+            ctx_map[i].ctx = ctx;
+            ctx_map[i].stack = stack;
+            return;
+        }
+    }
+}
 
 static int wolfIP_io_recv(WOLFSSL* ssl, char* buf, int sz, void* ctx)
 {
-    int ret = 0;
-    int fd = (intptr_t)ctx;
+    struct wolfip_io_desc *desc = (struct wolfip_io_desc *)ctx;
     (void)ssl;
-    if (!ref_ipstack)
-        return -1;
-    ret = wolfIP_sock_recv(ref_ipstack, fd, buf, sz, 0);
-    if (ret == -11)
+
+    if (!desc || !desc->stack)
+        return WOLFSSL_CBIO_ERR_GENERAL;
+
+    int ret = wolfIP_sock_recv(desc->stack, desc->fd, buf, sz, 0);
+    if (ret == -11 || ret == -1)
         return WOLFSSL_CBIO_ERR_WANT_READ;
-    else if (ret <= 0)
+    if (ret <= 0)
         return WOLFSSL_CBIO_ERR_CONN_CLOSE;
     return ret;
 }
 
 static int wolfIP_io_send(WOLFSSL* ssl, char* buf, int sz, void* ctx)
 {
-    int ret = 0;
-    int fd = (intptr_t)ctx;
+    struct wolfip_io_desc *desc = (struct wolfip_io_desc *)ctx;
     (void)ssl;
-    if (!ref_ipstack)
-        return -1;
-    ret = wolfIP_sock_send(ref_ipstack, fd, buf, sz, 0);
-    if (ret == -11)
+
+    if (!desc || !desc->stack)
+        return WOLFSSL_CBIO_ERR_GENERAL;
+
+    int ret = wolfIP_sock_send(desc->stack, desc->fd, buf, sz, 0);
+    if (ret == -11 || ret == -1)
         return WOLFSSL_CBIO_ERR_WANT_WRITE;
-    else if (ret <= 0)
+    if (ret <= 0)
         return WOLFSSL_CBIO_ERR_CONN_CLOSE;
     return ret;
 }
@@ -58,14 +95,27 @@ int wolfSSL_SetIO_wolfIP_CTX(WOLFSSL_CTX* ctx, struct wolfIP *s)
 {
     wolfSSL_SetIORecv(ctx, wolfIP_io_recv);
     wolfSSL_SetIOSend(ctx, wolfIP_io_send);
-    ref_ipstack = s;
+    wolfIP_register_stack(ctx, s);
     return 0;
 }
 
 int wolfSSL_SetIO_wolfIP(WOLFSSL* ssl, int fd)
 {
-    wolfSSL_SetIOReadCtx(ssl, (void*)(intptr_t)fd);
-    wolfSSL_SetIOWriteCtx(ssl, (void*)(intptr_t)fd);
-    return 0;
-}
+    WOLFSSL_CTX *ctx = wolfSSL_get_SSL_CTX(ssl);
+    struct wolfIP *stack = wolfIP_lookup_stack(ctx);
+
+    if (!stack)
+        return WOLFSSL_CBIO_ERR_GENERAL;
 
+    for (int i = 0; i < MAX_WOLFIP_CTX; i++) {
+        if (io_descs[i].stack == NULL) {
+            io_descs[i].fd = fd;
+            io_descs[i].stack = stack;
+            wolfSSL_SetIOReadCtx(ssl, &io_descs[i]);
+            wolfSSL_SetIOWriteCtx(ssl, &io_descs[i]);
+            return 0;
+        }
+    }
+
+    return -1;
+}