Query prefixes once for all hosts

And group them into vrf_prefixes for VLAN networks and bgp_prefixes for
servers plugged directly into fabric.

This should reduce the number of queries to NetBox when configuring
firewalls and exit switches. Not sure but I think set_fact helps to
avoid queries (as opposed to setting group_vars).

roles/firewall/templates/nftables.nft.j2

@@ -81,13 +81,13 @@ table inet filter {
         comment "Forward DNAT traffic for servers and suchlike"
 
         # Forward IPv4 to/from VPN users in the same network.
-{% for vlan in vlans %}
-        iif @inside ip saddr @{{ vlan.name }} ip daddr @{{ vlan.name }} accept
+{% for vlan in vrf_prefixes | selectattr('family.value', '==', 4) | map(attribute='vlan.name') | unique %}
+        iif @inside ip saddr @{{ vlan }} ip daddr @{{ vlan }} accept
 {% endfor %}
 
         # Forward IPv6 to/from VPN users in the same network.
-{% for vlan in vlans %}
-        iif @inside ip6 saddr @{{ vlan.name }}/6 ip6 daddr @{{ vlan.name }}/6 accept
+{% for vlan in vrf_prefixes | selectattr('family.value', '==', 6) | map(attribute='vlan.name') | unique %}
+        iif @inside ip6 saddr @{{ vlan }}/6 ip6 daddr @{{ vlan }}/6 accept
 {% endfor %}
 
         include "/etc/nftables.d/forward.nft*"