From e00131e93790eb045c006b28aad94c0aa0ca4cc6 Mon Sep 17 00:00:00 2001
From: Daniel
Date: Mon, 10 Oct 2022 11:22:09 +0200
Subject: [PATCH] Stop tunnels if they are not needed anymore due to verdict change
---
 firewall/interception.go | 8 ++++++++
 network/connection.go | 1 +
 2 files changed, 9 insertions(+)
diff --git a/firewall/interception.go b/firewall/interception.go
index edace3e9..9fd32998 100644
--- a/firewall/interception.go
+++ b/firewall/interception.go
@@ -163,6 +163,14 @@ func resetAllConnectionVerdicts() {
 // Apply privacy filter and check tunneling.
 filterConnection(ctx, conn, nil)
+ // Stop existing SPN tunnel if not needed anymore.
+ if conn.Verdict.Active != network.VerdictRerouteToTunnel && conn.TunnelContext != nil {
+ err := conn.TunnelContext.StopTunnel()
+ if err != nil {
+ log.Debugf("filter: failed to stopped unneeded tunnel: %s", err)
+ }
+ }
+
 // Save if verdict changed.
 if conn.Verdict.Firewall != previousVerdict {
 conn.Save()
diff --git a/network/connection.go b/network/connection.go
index e3b45ddf..e61d12fa 100644
--- a/network/connection.go
+++ b/network/connection.go
@@ -162,6 +162,7 @@ type Connection struct { //nolint:maligned // TODO: fix alignment
 // connection is using.
 TunnelContext interface {
 GetExitNodeID() string
+ StopTunnel() error
 }
 // Internal is set to true if the connection is attributed as an
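Review bot: A failed `StopTunnel()` in the new block is only reported at debug level, so a connection whose verdict is no longer `VerdictRerouteToTunnel` can keep its SPN tunnel without anything showing up in normal logs. I would raise the level and fix the wording of the message, `log.Warningf("filter: failed to stop unneeded tunnel: %s", err)`. The error is otherwise dropped and the function carries on to the save step, which seems acceptable for a best-effort cleanup as long as the failure is visible. The body of resetAllConnectionVerdicts starts and ends outside the hunk.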
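Review bot: The new `StopTunnel() error` method on the `TunnelContext` interface has no comment stating its contract. The caller added in firewall/interception.go does not clear `conn.TunnelContext` after stopping, so unless an implementation clears it itself, the method will be called again on every later verdict reset for the same connection. I would document that on the method, for example `// StopTunnel stops the tunnel used by this connection. It may be called more than once.`, so implementations know a repeated call has to be harmless. The Connection struct starts and ends outside the hunk.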