From c3e35777e084dc65986ecd2856d372fe3903d53a Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Mon, 18 Mar 2024 17:33:12 +0100
Subject: [PATCH] Do not configure prefixes defined in NetBox
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Push them to firewall nodes with ansible instead, as they will only change in NetBox. Also don’t mess around with ipset “groups” based on hyphenation, which was probably a bad idea. With more data included in NetBox I am thinking we should configure NAT and other stuff with ansible also, but let’s start small.
---
 web/system.py | 18 +++---------------
 1 file changed, 3 insertions(+), 15 deletions(-)

diff --git a/web/system.py b/web/system.py
index a5e130c..8d2d699 100644
--- a/web/system.py
+++ b/web/system.py
@@ -42,15 +42,6 @@ def run(fun, args=()):
         fun(*args)
     multiprocessing.Process(target=task).start()
 
-# For a network named 'xyzzy-foo', return xyzzy. Used for creating
-# ipsets for office-* and server-* networks.
-def network_group(name):
-    match name.split('-'):
-        case group, _:
-            return group
-        case _:
-            return None
-
 def ipset_add(ipsets, name, ip=None, ip6=None):
     ipsets[name].update(ip or ())
     ipsets[f'{name}/6'].update(ip6 or ())
@@ -95,11 +86,10 @@ def save_config():
 
     # Populate IP sets.
     ipsets = collections.defaultdict(set)
+    # Sets corresponding to VLANs in NetBox. Prefixes for these sets are configured on firewall nodes with ansible.
     for name, network in db.read('networks').items():
-        if group := network_group(name):
-            ipset_add(ipsets, group, network.get('ip'), network.get('ip6'))
-        ipset_add(ipsets, name, network.get('ip'), network.get('ip6'))
-
+        ipset_add(ipsets, name)
+    # Sets defined by user in friwall app.
     for name, network in db.read('ipsets').items():
         ipset_add(ipsets, name, network.get('ip'), network.get('ip6'))
 
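Review bot: The two loops in this hunk still feed one `ipsets` defaultdict, so a set defined in the friwall app whose name equals a NetBox network name (or that name plus `/6`) is silently merged into the VLAN set that, per the new comment, firewall nodes now expect to hold only the ansible-pushed prefixes; if friwall ipsets are editable by less-trusted users than NetBox, that lets them widen a VLAN set without touching NetBox. A guard before the second loop's `ipset_add`, e.g. `if name in ipsets: raise ValueError(f'ipset {name} collides with a NetBox network')` (or skip the entry with a log line if config generation must stay best-effort), closes this, and `name in ipsets` does not create an entry on a defaultdict. The new comment should also say what the loop itself does, since the sets are created empty here and the later hunk still adds per-user addresses to them: `# Create one (empty) set per NetBox VLAN so rules can reference it; prefixes are pushed by ansible, user-key addresses are added below.` `save_config` starts and ends outside this hunk.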
@@ -110,8 +100,6 @@ def save_config():
         ip4 = [f'{ip}/32']
         ip6 = [f'{key["ip6"]}'] if key.get('ip6') else None
         for network in user_networks.get(key.get('user', ''), ()):
-            if group := network_group(network):
-                ipset_add(ipsets, group, ip4, ip6)
             ipset_add(ipsets, network, ip4, ip6)
 
     # Create config files.