From 03b2345eb23fd18b1ba64bd6e2ecb02565481331 Mon Sep 17 00:00:00 2001
From: Michael Stapelberg
Date: Thu, 14 Jun 2018 08:27:08 +0200
Subject: [PATCH] netconfig: flush nftables ruleset, replace DHCPv6 address

---
 integrationnetconfig_test.go | 7 +++++++
 internal/netconfig/netconfig.go | 6 +++---
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/integrationnetconfig_test.go b/integrationnetconfig_test.go
index 63e4fb9..e63bd63 100644
--- a/integrationnetconfig_test.go
+++ b/integrationnetconfig_test.go
@@ -106,6 +106,13 @@ func TestNetconfig(t *testing.T) {
 t.Fatalf("netconfig.Apply: %v", err)
 }
 
+ // Apply twice to ensure the absence of errors when dealing with
+ // already-configured interfaces, addresses, routes, … (and ensure
+ // nftables rules are replaced, not appendend to).
+ if err := netconfig.Apply(tmp, filepath.Join(tmp, "root")); err != nil {
+ t.Fatalf("netconfig.Apply: %v", err)
+ }
+
 b, err := ioutil.ReadFile(filepath.Join(tmp, "root", "etc", "resolv.conf"))
 if err != nil {
 t.Fatal(err)
diff --git a/internal/netconfig/netconfig.go b/internal/netconfig/netconfig.go
index 5101b32..68e8867 100644
--- a/internal/netconfig/netconfig.go
+++ b/internal/netconfig/netconfig.go
@@ -142,8 +142,8 @@ func applyDhcp6(dir string) error {
 return err
 }
 
- if err := netlink.AddrAdd(link, addr); err != nil {
- return fmt.Errorf("AddrAdd(%v): %v", addr, err)
+ if err := netlink.AddrReplace(link, addr); err != nil {
+ return fmt.Errorf("AddrReplace(%v): %v", addr, err)
 }
 }
 return nil
@@ -359,7 +359,7 @@ func applyPortForwardings(dir string, c *nftables.Conn, nat *nftables.Table, pre
 func applyFirewall(dir string) error {
 c := &nftables.Conn{}
 
- // TODO: currently, each iteration adds a nftables.Rule — clear before?
+ c.FlushRuleset()
 
 nat := c.AddTable(&nftables.Table{
 Family: nftables.TableFamilyIPv4,
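Review bot: The second `netconfig.Apply` call in TestNetconfig only proves that re-applying returns no error; nothing in this hunk checks the comment's claim that nftables rules are replaced rather than appended. Unless a later part of the test (outside this hunk) compares the resulting ruleset with an expected listing, a regression that duplicates rules on every run would still pass. Either assert on the ruleset after the second call, or narrow the comment to what is verified, e.g. `// Apply twice to ensure re-applying an existing configuration returns no error.` The comment also misspells `appended` as `appendend`.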
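Review bot: The switch to `netlink.AddrReplace` in applyDhcp6 has no comment explaining why replace is used, and it only makes the call idempotent for the same address. An address left over from an earlier lease with a different value stays on the link unless something outside this hunk removes it. I would add a comment above the call such as `// AddrReplace instead of AddrAdd: re-applying an unchanged lease must not fail because the address already exists.` It is also worth confirming that addresses from expired leases are dropped elsewhere, because a stale global address stays reachable and outside whatever the current lease implies. The loop and function body start outside the hunk.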
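Review bot: `c.FlushRuleset()` in applyFirewall clears the whole nftables ruleset, every table in every family, not just the `nat` table built right after it. Any rules installed by another component on the host are silently removed on each Apply. The replaced TODO explained the intent and the new line carries no comment, so I would add one: `// Flush the entire ruleset so repeated calls replace rules instead of appending; netconfig is assumed to be the only nftables writer on this host.` Please also confirm that the flush and the rebuilt rules are sent in one batch by the later commit call (not visible in this hunk). If they go out separately, or an error returns between them, the router is left with no NAT or filter rules for a time. The function body continues past the end of the hunk.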