Diffstat (limited to 'roles/common/files/usr/local/sbin/update-firewall')
-rwxr-xr-xroles/common/files/usr/local/sbin/update-firewall14
1 files changed, 7 insertions, 7 deletions
diff --git a/roles/common/files/usr/local/sbin/update-firewall b/roles/common/files/usr/local/sbin/update-firewall
index 957bdc1..4b3e5cf 100755
--- a/roles/common/files/usr/local/sbin/update-firewall
+++ b/roles/common/files/usr/local/sbin/update-firewall
@@ -22,13 +22,6 @@ cat <"$NFTABLES" >>"$script"
ip netns add "nft-dryrun"
netns="nft-dryrun"
-# clear sets in the old rules before diff'ing with the new ones
-nft list ruleset -sn >"$oldrules"
-ip netns exec "$netns" nft -f - <"$oldrules"
-ip netns exec "$netns" nft flush set inet filter fail2ban
-ip netns exec "$netns" nft flush set inet filter fail2ban6
-ip netns exec "$netns" nft list ruleset -sn >"$oldrules"
-
declare -a INTERFACES=()
for iface in /sys/class/net/*; do
idx="$(< "$iface/ifindex")"
@@ -42,6 +35,13 @@ for idx in "${!INTERFACES[@]}"; do
ip netns exec "$netns" ip link add "${INTERFACES[idx]}" index "$idx" type dummy
done
+# clear sets in the old rules before diff'ing with the new ones
+nft list ruleset -sn >"$oldrules"
+ip netns exec "$netns" nft -f - <"$oldrules"
+ip netns exec "$netns" nft flush set inet filter fail2ban || true
+ip netns exec "$netns" nft flush set inet filter fail2ban6 || true
+ip netns exec "$netns" nft list ruleset -sn >"$oldrules"
+
ip netns exec "$netns" nft -f - <"$script"
ip netns exec "$netns" nft list ruleset -sn >"$newrules"
ip netns del "$netns"
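Review bot: The `|| true` appended to the two `nft flush set` lines (L33–L34) swallows every failure of that command, not only the "set does not exist" case it is presumably meant to tolerate; if `ip netns exec` or `nft` fails for another reason (wrong table name, permissions, parse error), the dry run continues with unflushed fail2ban sets in `$oldrules` and the old/new comparison can silently diverge. Whether the script runs under `set -e` cannot be seen here, since the top of the file is outside the hunk, but the blanket `|| true` masks the error in either case. A narrower form tests for the set first and only then flushes it, so any other failure still surfaces; a small helper keeps the two call sites readable. The same reasoning applies to the removed copy of these lines in the first hunk, which this commit relocates rather than changes.
```shell
# Flush a set only when it exists in the dry-run netns; any other nft failure
# is left to propagate so a broken snapshot does not go unnoticed.
flush_set_if_present() {
  local family=$1 table=$2 set=$3
  if ip netns exec "$netns" nft list set "$family" "$table" "$set" >/dev/null 2>&1; then
    ip netns exec "$netns" nft flush set "$family" "$table" "$set"
  fi
}
flush_set_if_present inet filter fail2ban
flush_set_if_present inet filter fail2ban6
# … unchanged: second `nft list ruleset -sn >"$oldrules"` and the new-rules load …
```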