Closed qrkourier closed 9 months ago
❯ /opt/openziti/bin/ziti-edge-tunnel version
v0.21.0-local
❯ ziti-edge-tunnel tunnel_status|sed -E 's/(^received\sresponse\s<|>$)//g'|jq '.Data.Identities|length'
6
I verified that the IP intercept address is unique to the disabled identity's dial authorizations.
❯ ziti-edge-tunnel tunnel_status|sed -E 's/(^received\sresponse\s<|>$)//g'|jq '.Data.Identities[]|select(.Identifier == "/opt/openziti/etc/identities/oryp4.haus.qrk.us.json")|.Active'
false
❯ ip route get 192.168.2.252
192.168.2.252 dev tun0 src 100.64.0.1 uid 1000
cache
These messages were emitted at the moment the identity was successfully disabled.
May 04 13:31:51 kpop4 ziti-edge-tunnel[3209]: (3209)[ 17724.980] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:641 on_cmd() received cmd <{"Command":"IdentityOnOff","Data":{"Identifier":"/opt/openziti/etc/identities/oryp4.haus.qrk.us.json","OnOff":false}}>
May 04 13:31:51 kpop4 ziti-edge-tunnel[3209]: (3209)[ 17724.980] INFO ziti-edge-tunnel:ziti-edge-tunnel.c:227 on_command_resp() resp[1,len=150] = {"Success":true,"Data":{"Command":"IdentityOnOff","Data":{"Identifier":"/opt/openziti/etc/identities/oryp4.haus.qrk.us.json","OnOff":false}},"Code":0}
I was unable to reproduce this with ZET 0.22.20
Expectation: disabling identity removes routes for IP address intercepts
Observation: IP routes for intercept IPs are not removed
Workaround: It is necessary to stop the `ziti-edge-tunnel run` process to access the intercepted IPs.
I'm using `ziti-edge-tunnel run` on my Linux workstation to access a remote subnet with Ziti. The intercept IP range is 192.168.2.0/24, and so I am unable to route packets to that destination while ZET is running, even when the Ziti identity is disabled.
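A check for the condition reported above, as an added example that is not part of the original issue or the OpenZiti project's code: it flags a disabled identity whose intercept address still routes into the tunnel device. The sample inputs are constructed from the output shown in the issue, and the `tun` device prefix and the helper names are assumptions.

```python
import json
import re
import subprocess
import sys

# Constructed samples shaped like the output shown in the issue (not captured data).
IDENT = "/opt/openziti/etc/identities/oryp4.haus.qrk.us.json"
SAMPLE_STATUS = 'received response <{"Data":{"Identities":[{"Identifier":"%s","Active":false}]}}>' % IDENT
SAMPLE_ROUTE = "192.168.2.252 dev tun0 src 100.64.0.1 uid 1000\n    cache\n"


def parse_status(raw):
    """Strip the 'received response <...>' wrapper (as the issue's sed does) and parse the JSON."""
    return json.loads(re.sub(r"^received\s+response\s+<|>\s*$", "", raw.strip()))


def is_disabled(status, identifier):
    """True only if the identity is listed with Active == false."""
    return any(i.get("Identifier") == identifier and i.get("Active") is False
               for i in status["Data"]["Identities"])


def route_device(route_output):
    """Egress device named in `ip route get` output, or None if there is no route."""
    m = re.search(r"\bdev\s+(\S+)", route_output)
    return m.group(1) if m else None


def stale_intercept(status_raw, identifier, route_output, tun_prefix="tun"):
    """Disabled identity whose intercept address still routes into the tunnel device.

    Assumes the address is intercepted only by this identity's services; if another
    enabled identity also dials it, the route is expected to remain.
    """
    if not is_disabled(parse_status(status_raw), identifier):
        return False
    dev = route_device(route_output)
    return dev is not None and dev.startswith(tun_prefix)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # live: <identity file path> <intercept IP>
        ident, ip = sys.argv[1], sys.argv[2]
        status = subprocess.run(["ziti-edge-tunnel", "tunnel_status"],
                                capture_output=True, text=True, check=True).stdout
        route = subprocess.run(["ip", "route", "get", ip],
                               capture_output=True, text=True).stdout
    else:  # offline: constructed samples
        ident, status, route = IDENT, SAMPLE_STATUS, SAMPLE_ROUTE
    print("STALE ROUTE" if stale_intercept(status, ident, route) else "ok")
```

Run with the identity file path and one intercept IP as arguments to check a live host; with no arguments it evaluates the constructed samples.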