diff --git a/integrationnetconfig_test.go b/integrationnetconfig_test.go
index 63e4fb9..e63bd63 100644
--- a/integrationnetconfig_test.go
+++ b/integrationnetconfig_test.go
@@ -106,6 +106,13 @@ func TestNetconfig(t *testing.T) {
 t.Fatalf("netconfig.Apply: %v", err)
 }
+ // Apply twice to ensure the absence of errors when dealing with
+ // already-configured interfaces, addresses, routes, … (and ensure
+ // nftables rules are replaced, not appendend to).
+ if err := netconfig.Apply(tmp, filepath.Join(tmp, "root")); err != nil {
+ t.Fatalf("netconfig.Apply: %v", err)
+ }
 b, err := ioutil.ReadFile(filepath.Join(tmp, "root", "etc", "resolv.conf"))
 if err != nil {
 t.Fatal(err)
diff --git a/internal/netconfig/netconfig.go b/internal/netconfig/netconfig.go
index 5101b32..68e8867 100644
--- a/internal/netconfig/netconfig.go
+++ b/internal/netconfig/netconfig.go
@@ -142,8 +142,8 @@ func applyDhcp6(dir string) error {
 return err
 }
- if err := netlink.AddrAdd(link, addr); err != nil {
- return fmt.Errorf("AddrAdd(%v): %v", addr, err)
+ if err := netlink.AddrReplace(link, addr); err != nil {
+ return fmt.Errorf("AddrReplace(%v): %v", addr, err)
 }
 }
 return nil
@@ -359,7 +359,7 @@ func applyPortForwardings(dir string, c *nftables.Conn, nat *nftables.Table, pre
 func applyFirewall(dir string) error {
 c := &nftables.Conn{}
- // TODO: currently, each iteration adds a nftables.Rule — clear before?
+ c.FlushRuleset()
 nat := c.AddTable(&nftables.Table{
 Family: nftables.TableFamilyIPv4,
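Review bot: The second netconfig.Apply call in the test only checks that it returns no error, while the comment above it claims the test also ensures nftables rules are replaced rather than appended to; nothing in the hunk inspects the ruleset after the second run, so an Apply that keeps appending duplicate rules would still pass. Either assert on the ruleset contents after the second call, if the integration environment can read them back, or narrow the comment to what is actually checked, e.g. `// Apply twice to ensure that re-applying an already-configured state returns no error.`. The comment also misspells "appendend" (should be "appended"). TestNetconfig starts and ends outside the hunk.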
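Review bot: Switching to netlink.AddrReplace makes re-applying an unchanged address idempotent, but it does not remove an address that an earlier run configured and that is no longer in the current lease, so a changed DHCPv6 prefix would presumably leave the stale address on the link (this depends on how addr is built, which is above the visible lines). If that is not intended, enumerate the link's existing addresses with netlink.AddrList and delete the ones absent from the lease before the replace, and document the limitation either way, e.g. `// AddrReplace is idempotent for an unchanged address; addresses left over from previous leases are not removed here.`. applyDhcp6 starts before the hunk and its closing brace is after it.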