Initial commit, squashed

roles/firewall/templates/sysctl.conf.j2

@@ -0,0 +1,19 @@
+# We are router.
+net.ipv4.ip_forward = 1
+net.ipv6.conf.all.forwarding = 1
+
+# But not for management interfaces.
+{% for iface in interfaces | selectattr('name', 'match', '^mgmt') %}
+net.ipv4.conf.{{ iface.name }}.forwarding = 0
+net.ipv6.conf.{{ iface.name }}.forwarding = 0
+{% endfor %}
+
+# Zebra docs recommend these.
+net.ipv6.conf.all.keep_addr_on_down = 1
+net.ipv6.route.skip_notify_on_dev_down = 1
+
+# Do not send ICMP redirects. Happens because firewall sees all office
+# networks coming from the same routers, and gets confused as to why
+# firewall is routing packets between them.
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0