As noticed by tb@ pfkey_remove() does all the checks so the callers can
blindly call it.

-- 
:wq Claudio

Index: pfkey.c
===================================================================
RCS file: /cvs/src/usr.sbin/bgpd/pfkey.c,v
diff -u -p -r1.70 pfkey.c
--- pfkey.c	1 Oct 2024 18:28:17 -0000	1.70
+++ pfkey.c	1 Oct 2024 18:38:03 -0000
@@ -544,10 +544,8 @@ pfkey_md5sig_establish(struct auth_state
 		goto fail;
 
 	/* cleanup old flow if one was present */
-	if (as->established) {
-		if (pfkey_remove(as) == -1)
-			return (-1);
-	}
+	if (pfkey_remove(as) == -1)
+		return (-1);
 
 	as->established = 1;
 	as->method = auth->method;
@@ -613,10 +611,8 @@ pfkey_ipsec_establish(struct auth_state 
 	uint8_t satype = SADB_SATYPE_ESP;
 
 	/* cleanup first, unlike in the TCP MD5 case */
-	if (as->established) {
-		if (pfkey_remove(as) == -1)
-			return (-1);
-	}
+	if (pfkey_remove(as) == -1)
+		return (-1);
 
 	switch (auth->method) {
 	case AUTH_IPSEC_IKE_ESP:
@@ -774,22 +770,15 @@ int
 pfkey_establish(struct auth_state *as, struct auth_config *auth, 
     const struct bgpd_addr *local_addr, const struct bgpd_addr *remote_addr)
 {
-	int rv;
-
 	switch (auth->method) {
 	case AUTH_NONE:
-		rv = 0;
-		if (as->established)
-			rv = pfkey_remove(as);
-		break;
+		return pfkey_remove(as);
 	case AUTH_MD5SIG:
-		rv = pfkey_md5sig_establish(as, auth, local_addr, remote_addr);
-		break;
+		return pfkey_md5sig_establish(as, auth, local_addr,
+		    remote_addr);
 	default:
-		rv = pfkey_ipsec_establish(as, auth, local_addr, remote_addr);
-		break;
+		return pfkey_ipsec_establish(as, auth, local_addr, remote_addr);
 	}
-	return (rv);
 }
 
 int