Fix defunct process after flushing DNS cache.

When we flush the DNS cache by calling resolvectl, we should wait for
the process to finish. This ensures that the cache is actually flushed
and prevents the process from showing up as defunct when processes are
listed.

sshuttle/firewall.py

@@ -9,7 +9,7 @@ import subprocess as ssubprocess
 
 import sshuttle.ssyslog as ssyslog
 import sshuttle.helpers as helpers
-from sshuttle.helpers import debug1, debug2, Fatal
+from sshuttle.helpers import log, debug1, debug2, Fatal
 from sshuttle.methods import get_auto_method, get_method
 
 HOSTSFILE = '/etc/hosts'
@@ -108,17 +108,25 @@ def flush_systemd_dns_cache():
     # resolvectl in systemd 239.
     # https://github.com/systemd/systemd/blob/f8eb41003df1a4eab59ff9bec67b2787c9368dbd/NEWS#L3816
 
+    p = None
     if helpers.which("resolvectl"):
         debug2("Flushing systemd's DNS resolver cache: "
                "resolvectl flush-caches")
-        ssubprocess.Popen(["resolvectl", "flush-caches"],
+        p = ssubprocess.Popen(["resolvectl", "flush-caches"],
                               stdout=ssubprocess.PIPE, env=helpers.get_env())
     elif helpers.which("systemd-resolve"):
         debug2("Flushing systemd's DNS resolver cache: "
                "systemd-resolve --flush-caches")
-        ssubprocess.Popen(["systemd-resolve", "--flush-caches"],
+        p = ssubprocess.Popen(["systemd-resolve", "--flush-caches"],
                               stdout=ssubprocess.PIPE, env=helpers.get_env())
 
+    if p:
+        # Wait so flush is finished and process doesn't show up as defunct.
+        rv = p.wait()
+        if rv != 0:
+            log("Received non-zero return code %d when flushing DNS resolver "
+                "cache." % rv)
+
 
 # This is some voodoo for setting up the kernel's transparent
 # proxying stuff.  If subnets is empty, we just delete our sshuttle rules;