|
@@ -47,6 +47,14 @@ network_hooks() {
|
|
|
fi
|
|
|
}
|
|
|
|
|
|
+conntrack_purge () {
|
|
|
+ local 'n=(0|[1-9][0-9]*)' output deleted msg
|
|
|
+ msg='flow entries have been deleted\.$'
|
|
|
+ deleted="^conntrack v$n\\.$n\\.$n \\(conntrack-tools\\): $n $msg"
|
|
|
+ output=$(LC_ALL=C exec conntrack -D "$@" 2>&1 >/dev/null) || :
|
|
|
+ [[ "$output" =~ $deleted ]]
|
|
|
+}
|
|
|
+
|
|
|
ipt_arg=
|
|
|
if "iptables-restore" --help 2>&1 | grep -q wait=; then
|
|
|
# 'wait' must be last on command line if secs not specified
|
|
@@ -146,6 +154,10 @@ if [ "${ip}" ]; then
|
|
|
ip -- neighbour "${ipcmd}" to "${addr}" \
|
|
|
dev "${vif}" lladdr "$mac" nud permanent
|
|
|
fi
|
|
|
+ if ! conntrack_purge -s "$addr" || ! conntrack_purge -d "$addr"; then
|
|
|
+ printf 'Cannot purge stale conntrack entries for %q\n' "$addr">&2
|
|
|
+ exit 1
|
|
|
+ fi
|
|
|
done
|
|
|
# if no IPv6 is assigned, block all IPv6 traffic on that interface
|
|
|
if ! [[ "$ip" = *:* ]]; then
|