nixos/firewall: clean up rpfilter rules properly

The rpfilter rules wouldn't be removed if it was previously enabled
but disabled in a new generation.

nixos/modules/services/networking/firewall.nix

@@ -114,14 +114,15 @@ let
     # The "nixos-fw" chain does the actual work.
     ip46tables -N nixos-fw
 
-    # Perform a reverse-path test to refuse spoofers
-    # For now, we just drop, as the raw table doesn't have a log-refuse yet
-    ${optionalString (kernelHasRPFilter && (cfg.checkReversePath != false)) ''
-      # Clean up rpfilter rules
-      ip46tables -t raw -D PREROUTING -j nixos-fw-rpfilter 2> /dev/null || true
-      ip46tables -t raw -F nixos-fw-rpfilter 2> /dev/null || true
-      ip46tables -t raw -N nixos-fw-rpfilter 2> /dev/null || true
+    # Clean up rpfilter rules
+    ip46tables -t raw -D PREROUTING -j nixos-fw-rpfilter 2> /dev/null || true
+    ip46tables -t raw -F nixos-fw-rpfilter 2> /dev/null || true
+    ip46tables -t raw -X nixos-fw-rpfilter 2> /dev/null || true
 
+    ${optionalString (kernelHasRPFilter && (cfg.checkReversePath != false)) ''
+      # Perform a reverse-path test to refuse spoofers
+      # For now, we just drop, as the raw table doesn't have a log-refuse yet
+      ip46tables -t raw -N nixos-fw-rpfilter 2> /dev/null || true
       ip46tables -t raw -A nixos-fw-rpfilter -m rpfilter ${optionalString (cfg.checkReversePath == "loose") "--loose"} -j RETURN
 
       # Allows this host to act as a DHCPv4 server