From 083bbfaebfe094d52e5125172aedd12c6ac4a958 Mon Sep 17 00:00:00 2001
From: Gaurav Goyal
Date: Thu, 11 Mar 2021 13:49:12 +1300
Subject: [PATCH] nhrpd: Close IPSec connection when tunnel protection removed
Signed-off-by: Reuben Dowle
---
nhrpd/nhrp_interface.c | 6 ++++++
nhrpd/nhrp_nhs.c | 3 ++-
nhrpd/nhrpd.h | 3 ++-
nhrpd/vici.c | 12 ++++++++----
4 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/nhrpd/nhrp_interface.c b/nhrpd/nhrp_interface.c
index f86dbe3d29..a328a91b18 100644
--- a/nhrpd/nhrp_interface.c
+++ b/nhrpd/nhrp_interface.c
@@ -465,11 +465,17 @@ void nhrp_interface_set_protection(struct interface *ifp, const char *profile,
struct nhrp_interface *nifp = ifp->info;
if (nifp->ipsec_profile)
+ {
+ vici_terminate_vc_by_profile_name(nifp->ipsec_profile);
free(nifp->ipsec_profile);
+ }
nifp->ipsec_profile = profile ? strdup(profile) : NULL;
if (nifp->ipsec_fallback_profile)
+ {
+ vici_terminate_vc_by_profile_name(nifp->ipsec_fallback_profile);
free(nifp->ipsec_fallback_profile);
+ }
nifp->ipsec_fallback_profile = fallback_profile ? strdup(fallback_profile) : NULL;
diff --git a/nhrpd/nhrp_nhs.c b/nhrpd/nhrp_nhs.c
index 31f20c0677..2a871ee089 100644
--- a/nhrpd/nhrp_nhs.c
+++ b/nhrpd/nhrp_nhs.c
@@ -122,7 +122,8 @@ static int nhrp_reg_timeout(struct thread *t)
if(r->peer && r->peer->vc && r->peer->vc->ike_uniqueid) {
debugf(NHRP_DEBUG_COMMON, "Terminating IPSec Connection for %d\n", r->peer->vc->ike_uniqueid);
- vici_terminate_vc(r->peer->vc->ike_uniqueid);
+ vici_terminate_vc_by_ike_id(r->peer->vc->ike_uniqueid);
+ r->peer->vc->ike_uniqueid = 0;
}
r->timeout = 2;
}
diff --git a/nhrpd/nhrpd.h b/nhrpd/nhrpd.h
index 37a9e338cd..66ca1eabfd 100644
--- a/nhrpd/nhrpd.h
+++ b/nhrpd/nhrpd.h
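Review bot: The terminate added under `if (nifp->ipsec_profile)` runs on every call of nhrp_interface_set_protection, including a reconfigure that re-applies the same profile name, and because the request is keyed by connection name (`"ike"` in the vici.c hunk) strongSwan tears down every IKE SA established under that name, not only this interface's peers. Guard it so only an actual change triggers the teardown, `if (!profile || strcmp(nifp->ipsec_profile, profile) != 0) vici_terminate_vc_by_profile_name(nifp->ipsec_profile);`, and do the same for the fallback profile. If one profile name can be configured on several interfaces (not visible here), terminating per peer by IKE id as nhrp_nhs.c does would be the narrower tool. The added `{` on its own line after `if (...)` also departs from the `if (...) {` placement the nhrp_nhs.c context lines use. The function's signature and opening brace lie above the hunk.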
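Review bot: The added `r->peer->vc->ike_uniqueid = 0;` changes what the surrounding `if` does on the next timeout — the condition keys on that field, so the terminate is sent once and never retried — yet carries no comment; add something like `/* forget the SA we asked strongSwan to tear down so later timeouts do not re-terminate it; the id of a replacement SA is learnt from strongSwan */`, worded as an assumption since this hunk does not show where the id is repopulated. The retained debug line prints the id with `%d` while the new callee takes `unsigned int`; `%u` is the matching specifier. The trailing `\n` in that format is also worth checking against debugf, which FRR-style log helpers normally terminate themselves. nhrp_reg_timeout starts and continues outside the hunk.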
@@ -400,7 +400,8 @@ void nhrp_vc_reset(void);
void vici_init(void);
void vici_terminate(void);
-void vici_terminate_vc(unsigned int ike_id);
+void vici_terminate_vc_by_profile_name(char *profile_name);
+void vici_terminate_vc_by_ike_id(unsigned int ike_id);
void vici_request_vc(const char *profile, union sockunion *src, union sockunion *dst, int prio);
diff --git a/nhrpd/vici.c b/nhrpd/vici.c
index 2b5e0e56ca..cce3947ee0 100644
--- a/nhrpd/vici.c
+++ b/nhrpd/vici.c
@@ -522,14 +522,18 @@ void vici_terminate(void)
{
}
-void vici_terminate_vc(unsigned int ike_id)
+void vici_terminate_vc_by_profile_name(char *profile_name)
+{
+ struct vici_conn *vici = &vici_connection;
+ vici_submit_request(vici, "terminate", VICI_KEY_VALUE, "ike",
+ strlen(profile_name), profile_name, VICI_END);
+}
+
+void vici_terminate_vc_by_ike_id(unsigned int ike_id)
{
struct vici_conn *vici = &vici_connection;
char ike_id_str[10]={0};
snprintf(ike_id_str, sizeof(ike_id_str), "%d", ike_id);
- debugf(NHRP_DEBUG_VICI,"ike_id_str = %s", ike_id_str);
- - vici_submit_request(vici, "terminate", VICI_KEY_VALUE, "ike-id", strlen(ike_id_str), ike_id_str, VICI_END);
}
--
2.39.5
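Review bot: The new prototype `vici_terminate_vc_by_profile_name(char *profile_name)` takes a non-const pointer although the implementation in vici.c only reads the string (`strlen` and passing it as the VICI value); declare it `void vici_terminate_vc_by_profile_name(const char *profile_name);` (with the definition to match) so callers holding a `const char *` profile name need no cast and the no-modification contract is visible. This assumes vici_submit_request accepts a const value pointer, which the patch does not show. The neighbouring `vici_request_vc(const char *profile, ...)` already follows that convention.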
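Review bot: In `vici_terminate_vc_by_ike_id`, `char ike_id_str[10]` holds nine digits plus the terminator, so an `unsigned int` id of ten digits is silently cut by snprintf and the terminate request names a different SA; printing an unsigned value with `%d` also renders ids above INT_MAX as negative. Use `char ike_id_str[16] = {0};` and `snprintf(ike_id_str, sizeof(ike_id_str), "%u", ike_id);` (whether ids ever grow that large depends on strongSwan's counter, but the cost of the wider buffer is nil). `vici_terminate_vc_by_profile_name` calls `strlen(profile_name)` without a NULL check; the callers in nhrp_interface.c test the pointer first, but `if (!profile_name) return;` keeps the function safe for the next caller. The debug line dropped from the ike-id path had an equivalent worth keeping in both functions, e.g. `debugf(NHRP_DEBUG_VICI, "Terminating IPSec profile %s", profile_name);`, since an operator diagnosing dropped tunnels will want to see who asked for the teardown.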