Consolidate NAT and VPN settings into IP sets

I have tried every possible permutation and I think this is the one.

NetBox-managed IP prefixes are pushed with ansible to firewall master.
The managed prefixes are added to custom IP sets defined in the app,
but only NAT addresses and VPN groups can be configured for them.

This way all NAT and VPN policy is (again) configured in the app. Also
both NetBox-managed and user-defined networks are treated the same.

Also improve^Wtweak config generation. Also templates.
This commit is contained in:
Timotej Lazar 2024-04-30 15:13:50 +02:00
parent cac7658566
commit d123db4e64
10 changed files with 154 additions and 162 deletions

View file

@ -15,18 +15,27 @@ def index():
return flask.Response('forbidden', status=403, mimetype='text/plain')
with db.locked():
ipsets = db.read('ipsets')
networks = db.read('networks')
if flask.request.method == 'POST':
form = flask.request.form
ipsets = {}
for name, ip, ip6 in zip(form.getlist('name'), form.getlist('ip'), form.getlist('ip6')):
if name and name not in networks:
ipsets[name] = {
'ip': ip.split(),
'ip6': ip6.split()
}
# read network data from NetBox, merge in custom definitions and dump the lot
ipsets = db.read('networks')
formdata = zip(*(flask.request.form.getlist(e) for e in ('name', 'ip', 'ip6', 'nat', 'vpn')))
for name, ip, ip6, nat, vpn in formdata:
# drop sets with empty names
if not name:
continue
# assign IPs for custom networks only
if name not in ipsets:
ipsets[name] = { 'ip': ip.split(), 'ip6': ip6.split() }
# assign NAT and VPN for all networks
ipsets[name] |= { 'nat': nat, 'vpn': vpn }
db.write('ipsets', ipsets)
system.run(system.save_config)
return flask.redirect(flask.url_for('ipsets.index'))
# read network data from NetBox and merge in custom definitions
ipsets = db.read('networks')
for name, data in db.read('ipsets').items():
# keep static IPs if there are any, otherwise set custom flag for this set
ipsets[name] = data | ipsets.get(name, {'custom': True})
return flask.render_template('ipsets/index.html', ipsets=ipsets)