summaryrefslogtreecommitdiffstats
path: root/roles/common/files/usr/local/sbin/update-firewall
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2020-05-16 02:52:55 +0200
committerGuilhem Moulin <guilhem@fripost.org>2020-05-16 05:45:59 +0200
commitbac7811d2b35252b7a83a45d75bb344b4b1776a9 (patch)
tree02176a15d570cab6dbd55b52b6df5c7b7b0538b1 /roles/common/files/usr/local/sbin/update-firewall
parentc4f24043baeccc95556fb9c3c032505ecadb5fbd (diff)
Upgrade baseline to Debian 10.
Diffstat (limited to 'roles/common/files/usr/local/sbin/update-firewall')
-rwxr-xr-xroles/common/files/usr/local/sbin/update-firewall14
1 files changed, 7 insertions, 7 deletions
diff --git a/roles/common/files/usr/local/sbin/update-firewall b/roles/common/files/usr/local/sbin/update-firewall
index 957bdc1..4b3e5cf 100755
--- a/roles/common/files/usr/local/sbin/update-firewall
+++ b/roles/common/files/usr/local/sbin/update-firewall
@@ -22,13 +22,6 @@ cat <"$NFTABLES" >>"$script"
ip netns add "nft-dryrun"
netns="nft-dryrun"
-# clear sets in the old rules before diff'ing with the new ones
-nft list ruleset -sn >"$oldrules"
-ip netns exec "$netns" nft -f - <"$oldrules"
-ip netns exec "$netns" nft flush set inet filter fail2ban
-ip netns exec "$netns" nft flush set inet filter fail2ban6
-ip netns exec "$netns" nft list ruleset -sn >"$oldrules"
-
declare -a INTERFACES=()
for iface in /sys/class/net/*; do
idx="$(< "$iface/ifindex")"
@@ -42,6 +35,13 @@ for idx in "${!INTERFACES[@]}"; do
ip netns exec "$netns" ip link add "${INTERFACES[idx]}" index "$idx" type dummy
done
+# clear sets in the old rules before diff'ing with the new ones
+nft list ruleset -sn >"$oldrules"
+ip netns exec "$netns" nft -f - <"$oldrules"
+ip netns exec "$netns" nft flush set inet filter fail2ban || true
+ip netns exec "$netns" nft flush set inet filter fail2ban6 || true
+ip netns exec "$netns" nft list ruleset -sn >"$oldrules"
+
ip netns exec "$netns" nft -f - <"$script"
ip netns exec "$netns" nft list ruleset -sn >"$newrules"
ip netns del "$netns"