From 544aa0a088068cbc20737dda3409f5a54bac20ff Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Tue, 30 Jan 2024 12:37:14 +0100
Subject: [PATCH] firewall: create empty ipsets for known networks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

So we don’t crash and burn before config is set up.
---
 roles/firewall/tasks/nftables.yml | 1 +
 roles/firewall/templates/nftables.nft.j2 | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/roles/firewall/tasks/nftables.yml b/roles/firewall/tasks/nftables.yml
index c39ce32..a80ec6f 100644
--- a/roles/firewall/tasks/nftables.yml
+++ b/roles/firewall/tasks/nftables.yml
@@ -16,6 +16,7 @@
 mode: 0644
 loop:
 - interfaces.nft
+ - networks.nft
 notify: reload nftables
 
 - name: Enable nftables service
diff --git a/roles/firewall/templates/nftables.nft.j2 b/roles/firewall/templates/nftables.nft.j2
index e380646..0c3f0dc 100644
--- a/roles/firewall/templates/nftables.nft.j2
+++ b/roles/firewall/templates/nftables.nft.j2
@@ -5,6 +5,7 @@ flush ruleset
 
 table inet filter {
 include "/etc/nftables.d/interfaces.nft"
+ include "/etc/nftables.d/networks.nft"
 include "/etc/nftables.d/sets.nft*"
 
 set link {
@@ -92,6 +93,7 @@ table inet filter {
 
 table ip nat {
 include "/etc/nftables.d/interfaces.nft"
+ include "/etc/nftables.d/networks.nft"
 include "/etc/nftables.d/sets.nft*"
 include "/etc/nftables.d/netmap.nft*"
 
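Review bot: The loop item `- networks.nft` added to the template task names a file whose template is not part of this patch — the diffstat lists only the task file and `nftables.nft.j2` — so unless a `networks.nft.j2` already exists under the role's templates, the task fails on the first run and the `reload nftables` handler never fires. Either add the template in this commit or state in the commit message where the file comes from. I am inferring the template lookup from the existing `interfaces.nft` item; the task's `src`/`dest` lines lie outside the hunk.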
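Review bot: The new `include "/etc/nftables.d/networks.nft"` is a bare path, unlike the neighbouring `sets.nft*` and `netmap.nft*` includes, so a missing file is a hard parse error for `nft -f` rather than a silently empty include; since the whole file is evaluated before any change is applied, that should leave the running ruleset untouched rather than half-applied after `flush ruleset`, which is probably what the commit intends but deserves a comment such as `# networks.nft is required: it defines the (possibly empty) sets the rules below reference`. The same include is added in the `table ip nat` hunk further down, where the same comment applies. The file is now included in both the `inet` and `ip` tables, so every set it defines must be valid in both families — inferred from the two include sites, not from the file itself, which is not in this patch.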