From a8588c4e9c0a7b03de9888eb75be564db3fcad80 Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour
Date: Sun, 6 Dec 2020 12:55:51 -0500
Subject: [PATCH] Purge stale connection tracking entries

This ensures that a VM cannot use connection tracking entries created by another VM.
---
 network/vif-route-qubes | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/network/vif-route-qubes b/network/vif-route-qubes
index 1cf43d2..d61f736 100755
--- a/network/vif-route-qubes
+++ b/network/vif-route-qubes
@@ -47,6 +47,14 @@ network_hooks() {
     fi
 }
 
+conntrack_purge () {
+  local 'n=(0|[1-9][0-9]*)' output deleted msg
+  msg='flow entries have been deleted\.$'
+  deleted="^conntrack v$n\\.$n\\.$n \\(conntrack-tools\\): $n $msg"
+  output=$(LC_ALL=C exec conntrack -D "$@" 2>&1 >/dev/null) || :
+  [[ "$output" =~ $deleted ]]
+}
+
 ipt_arg=
 if "iptables-restore" --help 2>&1 | grep -q wait=; then
   # 'wait' must be last on command line if secs not specified
@@ -146,6 +154,10 @@ if [ "${ip}" ]; then
     ip -- neighbour "${ipcmd}" to "${addr}" \
       dev "${vif}" lladdr "$mac" nud permanent
   fi
+  if ! conntrack_purge -s "$addr" || ! conntrack_purge -d "$addr"; then
+    printf 'Cannot purge stale conntrack entries for %q\n' "$addr">&2
+    exit 1
+  fi
 done
 # if no IPv6 is assigned, block all IPv6 traffic on that interface
 if ! [[ "$ip" = *:* ]]; then
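Review bot: conntrack_purge's success test is the exact stderr banner `conntrack vX.Y.Z (conntrack-tools): N flow entries have been deleted.`, so a missing `conntrack` binary or any change to that message format reads as failure even when entries were in fact deleted; since the caller exits 1 on failure this is fail-closed, which is the right direction for the isolation goal in the commit message, but nothing in the function says so. A header comment along the lines of `# Delete conntrack entries matching "$@". Succeeds only if conntrack (run under LC_ALL=C) reports "N flow entries have been deleted."; any other output, including conntrack being absent, counts as failure so callers fail closed rather than leave stale flows.` would make that contract explicit. The `2>&1 >/dev/null` order on the `output=$(...)` line captures only stderr, where conntrack prints this banner, while discarding stdout; a one-line comment there would save the next reader from "fixing" the redirection order. The `|| :` is what keeps the function from tripping `set -e` on a non-zero exit, and deserves a word too, since the exit status is deliberately ignored in favour of the banner match.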
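Review bot: The two purge calls match only the original-direction tuple (`-s`/`-d`), so any stale flow in which the VM address appears only in the reply tuple — for example a DNAT port-forward into the VM, where the original destination is the NAT address and the VM address is the reply source — would survive and remain usable by the next VM assigned this address; if such flows can exist on this netvm, the purge should also cover `--reply-src "$addr"` and `--reply-dst "$addr"`. The purge is also placed after the neighbour entry for `$addr` is installed (and presumably after the route, set up earlier in the loop body outside this hunk), so if the vif is already passing traffic at this point there is a window in which the new VM can hit the stale entries before they are deleted; moving the purge ahead of the route/neighbour setup closes it. The failure message does not say which selector failed, which matters when debugging a hotplug failure from logs alone. The enclosing `for` loop over `$addr` starts outside this hunk.

```shell
  # … unchanged: ip route / ip neighbour setup for "$addr" …
  # Purge stale flows in both tuple directions so a reused address cannot
  # inherit a previous VM's connections (fail closed on any purge error).
  for sel in -s -d --reply-src --reply-dst; do
    if ! conntrack_purge "$sel" "$addr"; then
      printf 'Cannot purge stale conntrack entries (%s %q)\n' "$sel" "$addr" >&2
      exit 1
    fi
  done
```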