From bac7811d2b35252b7a83a45d75bb344b4b1776a9 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Sat, 16 May 2020 02:52:55 +0200
Subject: Upgrade baseline to Debian 10.

---
 roles/common/files/usr/local/sbin/update-firewall | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

(limited to 'roles/common/files/usr/local/sbin/update-firewall')

diff --git a/roles/common/files/usr/local/sbin/update-firewall b/roles/common/files/usr/local/sbin/update-firewall
index 957bdc1..4b3e5cf 100755
--- a/roles/common/files/usr/local/sbin/update-firewall
+++ b/roles/common/files/usr/local/sbin/update-firewall
@@ -22,13 +22,6 @@ cat <"$NFTABLES" >>"$script"
 ip netns add "nft-dryrun"
 netns="nft-dryrun"
 
-# clear sets in the old rules before diff'ing with the new ones
-nft list ruleset -sn >"$oldrules"
-ip netns exec "$netns" nft -f - <"$oldrules"
-ip netns exec "$netns" nft flush set inet filter fail2ban
-ip netns exec "$netns" nft flush set inet filter fail2ban6
-ip netns exec "$netns" nft list ruleset -sn >"$oldrules"
-
 declare -a INTERFACES=()
 for iface in /sys/class/net/*; do
     idx="$(< "$iface/ifindex")"
@@ -42,6 +35,13 @@ for idx in "${!INTERFACES[@]}"; do
     ip netns exec "$netns" ip link add "${INTERFACES[idx]}" index "$idx" type dummy
 done
 
+# clear sets in the old rules before diff'ing with the new ones
+nft list ruleset -sn >"$oldrules"
+ip netns exec "$netns" nft -f - <"$oldrules"
+ip netns exec "$netns" nft flush set inet filter fail2ban  || true
+ip netns exec "$netns" nft flush set inet filter fail2ban6 || true
+ip netns exec "$netns" nft list ruleset -sn >"$oldrules"
+
 ip netns exec "$netns" nft -f - <"$script"
 ip netns exec "$netns" nft list ruleset -sn >"$newrules"
 ip netns del "$netns"
-- 
cgit v1.2.3