diff --git a/exports/sfe_api.h b/exports/sfe_api.h
index 9477550..e224652 100644
--- a/exports/sfe_api.h
+++ b/exports/sfe_api.h
@@ -68,9 +68,15 @@
 #define SFE_RULE_CREATE_FLAG_L2_ENCAP     (1<<7)		/**< Consists of an encapsulating protocol that carries an IPv4 payload within it. */
 #define SFE_RULE_CREATE_FLAG_USE_FLOW_BOTTOM_INTERFACE (1<<8)	/**< Use flow interface number instead of top interface. */
 #define SFE_RULE_CREATE_FLAG_USE_RETURN_BOTTOM_INTERFACE (1<<9) /**< Use return interface number instead of top interface. */
-#define SFE_RULE_CREATE_FLAG_SRC_INTERFACE_CHECK  (1<<10)  	/**< Check source interface. */
-#define SFE_RULE_CREATE_FLAG_FLOW_TRANSMIT_FAST (1<<11) 	/**< Original flow can be transmitted fast. */
-#define SFE_RULE_CREATE_FLAG_RETURN_TRANSMIT_FAST (1<<12) 	/**< Return flow can be transmitted fast. */
+#define SFE_RULE_CREATE_FLAG_FLOW_SRC_INTERFACE_CHECK  (1<<10)  /**< Check source interface on the flow direction. */
+#define SFE_RULE_CREATE_FLAG_RETURN_SRC_INTERFACE_CHECK  (1<<11)
+								/**< Check source interface on the return direction. */
+#define SFE_RULE_CREATE_FLAG_FLOW_TRANSMIT_FAST (1<<12) 	/**< Original flow can be transmitted fast. */
+#define SFE_RULE_CREATE_FLAG_RETURN_TRANSMIT_FAST (1<<13) 	/**< Return flow can be transmitted fast. */
+#define SFE_RULE_CREATE_FLAG_FLOW_SRC_INTERFACE_CHECK_NO_FLUSH  (1<<14)
+								/**< Check source interface on the flow direction but do not flush the connection. */
+#define SFE_RULE_CREATE_FLAG_RETURN_SRC_INTERFACE_CHECK_NO_FLUSH  (1<<15)
+								/**< Check source interface on the return direction but do not flush the connection. */
 
 /*
  * Rule creation validity flags.
diff --git a/sfe_ipv4.c b/sfe_ipv4.c
index 0e12441..637ad9a 100644
--- a/sfe_ipv4.c
+++ b/sfe_ipv4.c
@@ -1390,10 +1390,14 @@
 		}
 	}
 
-	if (msg->rule_flags & SFE_RULE_CREATE_FLAG_SRC_INTERFACE_CHECK) {
+	if (msg->rule_flags & SFE_RULE_CREATE_FLAG_FLOW_SRC_INTERFACE_CHECK) {
 		original_cm->flags |= SFE_IPV4_CONNECTION_MATCH_FLAG_SRC_INTERFACE_CHECK;
 	}
 
+	if (msg->rule_flags & SFE_RULE_CREATE_FLAG_FLOW_SRC_INTERFACE_CHECK_NO_FLUSH) {
+		original_cm->flags |= SFE_IPV4_CONNECTION_MATCH_FLAG_SRC_INTERFACE_CHECK_NO_FLUSH;
+	}
+
 	/*
 	 * Adding PPPoE parameters to original and reply entries based on the direction where
 	 * PPPoE header is valid in ECM rule.
@@ -1428,10 +1432,14 @@
 		ether_addr_copy(reply_cm->pppoe_remote_mac, msg->pppoe_rule.return_pppoe_remote_mac);
 	}
 
-	if (msg->rule_flags & SFE_RULE_CREATE_FLAG_SRC_INTERFACE_CHECK) {
+	if (msg->rule_flags & SFE_RULE_CREATE_FLAG_RETURN_SRC_INTERFACE_CHECK) {
 		reply_cm->flags |= SFE_IPV4_CONNECTION_MATCH_FLAG_SRC_INTERFACE_CHECK;
 	}
 
+	if (msg->rule_flags & SFE_RULE_CREATE_FLAG_RETURN_SRC_INTERFACE_CHECK_NO_FLUSH) {
+		reply_cm->flags |= SFE_IPV4_CONNECTION_MATCH_FLAG_SRC_INTERFACE_CHECK_NO_FLUSH;
+	}
+
 	/*
 	 * For the non-arp interface, we don't write L2 HDR.
 	 */
diff --git a/sfe_ipv4.h b/sfe_ipv4.h
index f19adb1..6c058e0 100644
--- a/sfe_ipv4.h
+++ b/sfe_ipv4.h
@@ -70,7 +70,7 @@
 #define SFE_IPV4_CONNECTION_MATCH_FLAG_INSERT_EGRESS_VLAN_TAG (1<<12)
 					/* Insert VLAN tag */
 #define SFE_IPV4_CONNECTION_MATCH_FLAG_SRC_INTERFACE_CHECK (1<<13)
-					/* Source interface check.*/
+					/* Source interface check */
 #define SFE_IPV4_CONNECTION_MATCH_FLAG_PASSTHROUGH (1<<14)
 					/* passthrough flow: encap/decap to be skipped for this flow */
 #define SFE_IPV4_CONNECTION_MATCH_FLAG_FAST_XMIT (1<<15)
@@ -79,6 +79,8 @@
 					/* Fast xmit flow checked or not */
 #define SFE_IPV4_CONNECTION_MATCH_FLAG_FAST_XMIT_DEV_ADMISSION (1<<17)
 					/* Fast xmit may be possible for this flow, if SFE check passes */
+#define SFE_IPV4_CONNECTION_MATCH_FLAG_SRC_INTERFACE_CHECK_NO_FLUSH (1<<18)
+					/* Source interface check but do not flush the connection */
 
 /*
  * IPv4 connection matching structure.
diff --git a/sfe_ipv4_gre.c b/sfe_ipv4_gre.c
index da05d69..ea9a000 100644
--- a/sfe_ipv4_gre.c
+++ b/sfe_ipv4_gre.c
@@ -101,19 +101,22 @@
 	 * Source interface validate.
 	 */
 	if (unlikely((cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_SRC_INTERFACE_CHECK) && (cm->match_dev != dev))) {
-		struct sfe_ipv4_connection *c = cm->connection;
-		int ret;
+		if (!(cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_SRC_INTERFACE_CHECK_NO_FLUSH)) {
+			struct sfe_ipv4_connection *c = cm->connection;
+			int ret;
 
-		spin_lock_bh(&si->lock);
-		ret = sfe_ipv4_remove_connection(si, c);
-		spin_unlock_bh(&si->lock);
+			DEBUG_TRACE("flush on source interface check failure\n");
+			spin_lock_bh(&si->lock);
+			ret = sfe_ipv4_remove_connection(si, c);
+			spin_unlock_bh(&si->lock);
 
-		if (ret) {
-			sfe_ipv4_flush_connection(si, c, SFE_SYNC_REASON_FLUSH);
+			if (ret) {
+				sfe_ipv4_flush_connection(si, c, SFE_SYNC_REASON_FLUSH);
+			}
 		}
 		rcu_read_unlock();
 		sfe_ipv4_exception_stats_inc(si, SFE_IPV4_EXCEPTION_EVENT_INVALID_SRC_IFACE);
-		DEBUG_TRACE("flush on wrong source interface check failure\n");
+		DEBUG_TRACE("exception the packet on source interface check failure\n");
 		return 0;
 	}
 
diff --git a/sfe_ipv4_tcp.c b/sfe_ipv4_tcp.c
index 22071ee..aea240e 100644
--- a/sfe_ipv4_tcp.c
+++ b/sfe_ipv4_tcp.c
@@ -195,17 +195,20 @@
 	 * Source interface validate.
 	 */
 	if (unlikely((cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_SRC_INTERFACE_CHECK) && (cm->match_dev != dev))) {
-		struct sfe_ipv4_connection *c = cm->connection;
-		spin_lock_bh(&si->lock);
-		ret = sfe_ipv4_remove_connection(si, c);
-		spin_unlock_bh(&si->lock);
+		if (!(cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_SRC_INTERFACE_CHECK_NO_FLUSH)) {
+			struct sfe_ipv4_connection *c = cm->connection;
+			DEBUG_TRACE("flush on source interface check failure\n");
+			spin_lock_bh(&si->lock);
+			ret = sfe_ipv4_remove_connection(si, c);
+			spin_unlock_bh(&si->lock);
 
-		if (ret) {
-			sfe_ipv4_flush_connection(si, c, SFE_SYNC_REASON_FLUSH);
+			if (ret) {
+				sfe_ipv4_flush_connection(si, c, SFE_SYNC_REASON_FLUSH);
+			}
 		}
 		rcu_read_unlock();
 		sfe_ipv4_exception_stats_inc(si, SFE_IPV4_EXCEPTION_EVENT_INVALID_SRC_IFACE);
-		DEBUG_TRACE("flush on wrong source interface check failure\n");
+		DEBUG_TRACE("exception the packet on source interface check failure\n");
 		return 0;
 	}
 
diff --git a/sfe_ipv4_udp.c b/sfe_ipv4_udp.c
index abaa873..922e54e 100644
--- a/sfe_ipv4_udp.c
+++ b/sfe_ipv4_udp.c
@@ -191,17 +191,20 @@
 	 * Source interface validate.
 	 */
 	if (unlikely((cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_SRC_INTERFACE_CHECK) && (cm->match_dev != dev))) {
-		struct sfe_ipv4_connection *c = cm->connection;
-		spin_lock_bh(&si->lock);
-		ret = sfe_ipv4_remove_connection(si, c);
-		spin_unlock_bh(&si->lock);
+		if (!(cm->flags & SFE_IPV4_CONNECTION_MATCH_FLAG_SRC_INTERFACE_CHECK_NO_FLUSH)) {
+			struct sfe_ipv4_connection *c = cm->connection;
+			DEBUG_TRACE("flush on source interface check failure\n");
+			spin_lock_bh(&si->lock);
+			ret = sfe_ipv4_remove_connection(si, c);
+			spin_unlock_bh(&si->lock);
 
-		if (ret) {
-			sfe_ipv4_flush_connection(si, c, SFE_SYNC_REASON_FLUSH);
+			if (ret) {
+				sfe_ipv4_flush_connection(si, c, SFE_SYNC_REASON_FLUSH);
+			}
 		}
 		rcu_read_unlock();
 		sfe_ipv4_exception_stats_inc(si, SFE_IPV4_EXCEPTION_EVENT_INVALID_SRC_IFACE);
-		DEBUG_TRACE("flush on wrong source interface check failure\n");
+		DEBUG_TRACE("exception the packet on source interface check failure\n");
 		return 0;
 	}
 
diff --git a/sfe_ipv6.c b/sfe_ipv6.c
index 01183af..0accdc6 100644
--- a/sfe_ipv6.c
+++ b/sfe_ipv6.c
@@ -1405,10 +1405,14 @@
 		ether_addr_copy(reply_cm->pppoe_remote_mac, msg->pppoe_rule.return_pppoe_remote_mac);
 	}
 
-	if (msg->rule_flags & SFE_RULE_CREATE_FLAG_SRC_INTERFACE_CHECK) {
+	if (msg->rule_flags & SFE_RULE_CREATE_FLAG_FLOW_SRC_INTERFACE_CHECK) {
 		original_cm->flags |= SFE_IPV6_CONNECTION_MATCH_FLAG_SRC_INTERFACE_CHECK;
 	}
 
+	if (msg->rule_flags & SFE_RULE_CREATE_FLAG_FLOW_SRC_INTERFACE_CHECK_NO_FLUSH) {
+		original_cm->flags |= SFE_IPV6_CONNECTION_MATCH_FLAG_SRC_INTERFACE_CHECK_NO_FLUSH;
+	}
+
 	/*
 	 * For the non-arp interface, we don't write L2 HDR.
 	 * Excluding PPPoE from this, since we are now supporting PPPoE encap/decap.
@@ -1674,10 +1678,14 @@
 		}
 	}
 
-	if (msg->rule_flags & SFE_RULE_CREATE_FLAG_SRC_INTERFACE_CHECK) {
+	if (msg->rule_flags & SFE_RULE_CREATE_FLAG_RETURN_SRC_INTERFACE_CHECK) {
 		reply_cm->flags |= SFE_IPV6_CONNECTION_MATCH_FLAG_SRC_INTERFACE_CHECK;
 	}
 
+	if (msg->rule_flags & SFE_RULE_CREATE_FLAG_RETURN_SRC_INTERFACE_CHECK_NO_FLUSH) {
+		reply_cm->flags |= SFE_IPV6_CONNECTION_MATCH_FLAG_SRC_INTERFACE_CHECK_NO_FLUSH;
+	}
+
 	/*
 	 * For the non-arp interface, we don't write L2 HDR.
 	 * Excluding PPPoE from this, since we are now supporting PPPoE encap/decap.
diff --git a/sfe_ipv6.h b/sfe_ipv6.h
index b32de57..865a7e1 100644
--- a/sfe_ipv6.h
+++ b/sfe_ipv6.h
@@ -82,7 +82,7 @@
 #define SFE_IPV6_CONNECTION_MATCH_FLAG_INSERT_EGRESS_VLAN_TAG (1<<12)
 					/* Insert VLAN tag */
 #define SFE_IPV6_CONNECTION_MATCH_FLAG_SRC_INTERFACE_CHECK (1<<13)
-					/* Source interface check.*/
+					/* Source interface check */
 #define SFE_IPV6_CONNECTION_MATCH_FLAG_PASSTHROUGH (1<<14)
 					/* passthrough flow: encap/decap to be skipped for this flow */
 #define SFE_IPV6_CONNECTION_MATCH_FLAG_FAST_XMIT (1<<15)
@@ -91,6 +91,8 @@
 					/* fast xmit checked or not*/
 #define SFE_IPV6_CONNECTION_MATCH_FLAG_FAST_XMIT_DEV_ADMISSION (1<<17)
 					/* Fast xmit may be possible for this flow, if SFE check passes */
+#define SFE_IPV6_CONNECTION_MATCH_FLAG_SRC_INTERFACE_CHECK_NO_FLUSH (1<<18)
+					/* Source interface check but do not flush the connection */
 
 /*
  * IPv6 connection matching structure.
diff --git a/sfe_ipv6_gre.c b/sfe_ipv6_gre.c
index 1db0f6f..eae7d56 100644
--- a/sfe_ipv6_gre.c
+++ b/sfe_ipv6_gre.c
@@ -100,18 +100,21 @@
 	 * Source interface validate.
 	 */
 	if (unlikely((cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_SRC_INTERFACE_CHECK) && (cm->match_dev != dev))) {
-		struct sfe_ipv6_connection *c = cm->connection;
-		int ret;
-		spin_lock_bh(&si->lock);
-		ret = sfe_ipv6_remove_connection(si, c);
-		spin_unlock_bh(&si->lock);
+		if (!(cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_SRC_INTERFACE_CHECK_NO_FLUSH)) {
+			struct sfe_ipv6_connection *c = cm->connection;
+			int ret;
+			DEBUG_TRACE("flush on source interface check failure\n");
+			spin_lock_bh(&si->lock);
+			ret = sfe_ipv6_remove_connection(si, c);
+			spin_unlock_bh(&si->lock);
 
-		if (ret) {
-			sfe_ipv6_flush_connection(si, c, SFE_SYNC_REASON_FLUSH);
+			if (ret) {
+				sfe_ipv6_flush_connection(si, c, SFE_SYNC_REASON_FLUSH);
+			}
 		}
 		rcu_read_unlock();
 		sfe_ipv6_exception_stats_inc(si, SFE_IPV6_EXCEPTION_EVENT_INVALID_SRC_IFACE);
-		DEBUG_TRACE("flush on wrong source interface check failure\n");
+		DEBUG_TRACE("exception the packet on source interface check failure\n");
 		return 0;
 	}
 
diff --git a/sfe_ipv6_tcp.c b/sfe_ipv6_tcp.c
index 5ae829c..e2f2cd8 100644
--- a/sfe_ipv6_tcp.c
+++ b/sfe_ipv6_tcp.c
@@ -197,17 +197,20 @@
 	 * Source interface validate.
 	 */
 	if (unlikely((cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_SRC_INTERFACE_CHECK) && (cm->match_dev != dev))) {
-		struct sfe_ipv6_connection *c = cm->connection;
-		spin_lock_bh(&si->lock);
-		ret = sfe_ipv6_remove_connection(si, c);
-		spin_unlock_bh(&si->lock);
+		if (!(cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_SRC_INTERFACE_CHECK_NO_FLUSH)) {
+			struct sfe_ipv6_connection *c = cm->connection;
+			DEBUG_TRACE("flush on source interface check failure\n");
+			spin_lock_bh(&si->lock);
+			ret = sfe_ipv6_remove_connection(si, c);
+			spin_unlock_bh(&si->lock);
 
-		if (ret) {
-			sfe_ipv6_flush_connection(si, c, SFE_SYNC_REASON_FLUSH);
+			if (ret) {
+				sfe_ipv6_flush_connection(si, c, SFE_SYNC_REASON_FLUSH);
+			}
 		}
 		rcu_read_unlock();
 		sfe_ipv6_exception_stats_inc(si, SFE_IPV6_EXCEPTION_EVENT_INVALID_SRC_IFACE);
-		DEBUG_TRACE("flush on wrong source interface check failure\n");
+		DEBUG_TRACE("exception the packet on source interface check failure\n");
 		return 0;
 	}
 
diff --git a/sfe_ipv6_udp.c b/sfe_ipv6_udp.c
index 08263bd..0afa6f3 100644
--- a/sfe_ipv6_udp.c
+++ b/sfe_ipv6_udp.c
@@ -207,17 +207,20 @@
 	 * Source interface validate.
 	 */
 	if (unlikely((cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_SRC_INTERFACE_CHECK) && (cm->match_dev != dev))) {
-		struct sfe_ipv6_connection *c = cm->connection;
-		spin_lock_bh(&si->lock);
-		ret = sfe_ipv6_remove_connection(si, c);
-		spin_unlock_bh(&si->lock);
+		if (!(cm->flags & SFE_IPV6_CONNECTION_MATCH_FLAG_SRC_INTERFACE_CHECK_NO_FLUSH)) {
+			struct sfe_ipv6_connection *c = cm->connection;
+			DEBUG_TRACE("flush on source interface check failure\n");
+			spin_lock_bh(&si->lock);
+			ret = sfe_ipv6_remove_connection(si, c);
+			spin_unlock_bh(&si->lock);
 
-		if (ret) {
-			sfe_ipv6_flush_connection(si, c, SFE_SYNC_REASON_FLUSH);
+			if (ret) {
+				sfe_ipv6_flush_connection(si, c, SFE_SYNC_REASON_FLUSH);
+			}
 		}
 		rcu_read_unlock();
 		sfe_ipv6_exception_stats_inc(si, SFE_IPV6_EXCEPTION_EVENT_INVALID_SRC_IFACE);
-		DEBUG_TRACE("flush on wrong source interface check failure\n");
+		DEBUG_TRACE("exception the packet on source interface check failure\n");
 		return 0;
 	}