Access to some networks is restricted and can only be assigned by
admin. These networks don’t have the VPN AD group defined.
So for these networks enable forwarding between VPN and physical
network if there are any WireGuard IPs registered.
For IPv6 addresses we cannot just compare string data, since we
register a whole subnet for each WG key. Also drop the active tunnel
check from list_custom endpoint.
Before we relied on the combined data being present in ipsets.json
when generating a new config, but ipsets.json is only updated through
the form at /ipsets. So submitting any other form after changing
NetBox definitions might crash when trying to find an entry from
networks.json in ipsets.json.
Now we introduce a helper functon to always read both files and
combine the prefixes fron networks.json with ipsets.json. This way it
is not necessary to save a new ipsets.json before other changes.
Also don’t crash when enumerating networks for each VPN group.
Custom keys are created by admin and specify networks directly,
bypassing AD permissions. They are intended to join managed devices
into networks where users are not allowed to create keys themselves.
Also comprehend a set directly.
Address rules by name instead of index. Still problematic if the rules
are changed while someone is managing them, but with names it’s
more likely to just not work instead of enabling or disabling the
wrong rule.
Also prevent bringing down the whole network with a single click.
I have tried every possible permutation and I think this is the one.
NetBox-managed IP prefixes are pushed with ansible to firewall master.
The managed prefixes are added to custom IP sets defined in the app,
but only NAT addresses and VPN groups can be configured for them.
This way all NAT and VPN policy is (again) configured in the app. Also
both NetBox-managed and user-defined networks are treated the same.
Also improve^Wtweak config generation. Also templates.
Though it might be better to allow multiple groups. On the other hand
the main filter is in the group→ipset settings file anyway; any VPN
user not in one of those groups will not get forwarded to anywhere.
Push them to firewall nodes with ansible instead, as they will only
change in NetBox. Also don’t mess around with ipset “groups” based on
hyphenation, which was probably a bad idea.
With more data included in NetBox I am thinking we should configure
NAT and other stuff with ansible also, but let’s start small.
