Upgrade baseline to Debian 10.

1 files changed, 7 insertions, 7 deletions

diff --git a/roles/common/files/usr/local/sbin/update-firewall b/roles/common/files/usr/local/sbin/update-firewall
index 957bdc1..4b3e5cf 100755
--- a/roles/common/files/usr/local/sbin/update-firewall
+++ b/roles/common/files/usr/local/sbin/update-firewall
@@ -22,13 +22,6 @@ cat <"$NFTABLES" >>"$script"
 ip netns add "nft-dryrun"
 netns="nft-dryrun"
 
-# clear sets in the old rules before diff'ing with the new ones
-nft list ruleset -sn >"$oldrules"
-ip netns exec "$netns" nft -f - <"$oldrules"
-ip netns exec "$netns" nft flush set inet filter fail2ban
-ip netns exec "$netns" nft flush set inet filter fail2ban6
-ip netns exec "$netns" nft list ruleset -sn >"$oldrules"
-
 declare -a INTERFACES=()
 for iface in /sys/class/net/*; do
     idx="$(< "$iface/ifindex")"
@@ -42,6 +35,13 @@ for idx in "${!INTERFACES[@]}"; do
     ip netns exec "$netns" ip link add "${INTERFACES[idx]}" index "$idx" type dummy
 done
 
+# clear sets in the old rules before diff'ing with the new ones
+nft list ruleset -sn >"$oldrules"
+ip netns exec "$netns" nft -f - <"$oldrules"
+ip netns exec "$netns" nft flush set inet filter fail2ban  || true
+ip netns exec "$netns" nft flush set inet filter fail2ban6 || true
+ip netns exec "$netns" nft list ruleset -sn >"$oldrules"
+
 ip netns exec "$netns" nft -f - <"$script"
 ip netns exec "$netns" nft list ruleset -sn >"$newrules"
 ip netns del "$netns"