From bac7811d2b35252b7a83a45d75bb344b4b1776a9 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Sat, 16 May 2020 02:52:55 +0200
Subject: Upgrade baseline to Debian 10.

---
 roles/common/files/usr/local/sbin/update-firewall | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

(limited to 'roles/common/files/usr/local/sbin/update-firewall')

diff --git a/roles/common/files/usr/local/sbin/update-firewall b/roles/common/files/usr/local/sbin/update-firewall
index 957bdc1..4b3e5cf 100755
--- a/roles/common/files/usr/local/sbin/update-firewall
+++ b/roles/common/files/usr/local/sbin/update-firewall
@@ -22,13 +22,6 @@ cat <"$NFTABLES" >>"$script"
 ip netns add "nft-dryrun"
 netns="nft-dryrun"
 
-# clear sets in the old rules before diff'ing with the new ones
-nft list ruleset -sn >"$oldrules"
-ip netns exec "$netns" nft -f - <"$oldrules"
-ip netns exec "$netns" nft flush set inet filter fail2ban
-ip netns exec "$netns" nft flush set inet filter fail2ban6
-ip netns exec "$netns" nft list ruleset -sn >"$oldrules"
-
 declare -a INTERFACES=()
 for iface in /sys/class/net/*; do
 idx="$(< "$iface/ifindex")"
@@ -42,6 +35,13 @@ for idx in "${!INTERFACES[@]}"; do
 ip netns exec "$netns" ip link add "${INTERFACES[idx]}" index "$idx" type dummy
 done
 
+# clear sets in the old rules before diff'ing with the new ones
+nft list ruleset -sn >"$oldrules"
+ip netns exec "$netns" nft -f - <"$oldrules"
+ip netns exec "$netns" nft flush set inet filter fail2ban || true
+ip netns exec "$netns" nft flush set inet filter fail2ban6 || true
+ip netns exec "$netns" nft list ruleset -sn >"$oldrules"
+
 ip netns exec "$netns" nft -f - <"$script"
 ip netns exec "$netns" nft list ruleset -sn >"$newrules"
 ip netns del "$netns"
-- 
cgit v1.2.3
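Review bot: The `|| true` appended to the two `nft flush set inet filter fail2ban*` lines in the second hunk swallows every failure of that command, not only the absent-set case it presumably exists for (a host where fail2ban has not yet created its sets), so a flush that fails for another reason — a mistyped table, an `ip netns exec` error, or a ruleset that did not load on the line above — goes unnoticed and the old/new comparison is then made against a half-prepared copy of the ruleset. Testing for the set first keeps a failing flush fatal while still skipping a missing set: `ip netns exec "$netns" nft list set inet filter fail2ban >/dev/null 2>&1 && ip netns exec "$netns" nft flush set inet filter fail2ban` (and the same for `fail2ban6`); whether the script runs under `set -e` is not visible in the hunk, but with that form only the flush itself is the last command of the list and so only its failure aborts. The intent also deserves a line next to the existing comment, e.g. `# the fail2ban sets exist only once fail2ban has installed its action, so skip them when absent`. The first hunk is the same six lines being removed from their old position, so no separate remark there; the surrounding script continues outside both hunks.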