From 7ef40234240f81ff37b3e1d02622af34d111f803 Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Tue, 19 Mar 2024 09:46:26 +0100
Subject: [PATCH] firewall: add known IP ranges in network ipset definitions

This data should only change in NetBox, so no point deploying it from firewall master. Sometimes the first approach is the best approach.
---
 roles/firewall/templates/networks.nft.j2 | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/roles/firewall/templates/networks.nft.j2 b/roles/firewall/templates/networks.nft.j2
index 8388ff9..a280c75 100644
--- a/roles/firewall/templates/networks.nft.j2
+++ b/roles/firewall/templates/networks.nft.j2
@@ -1,9 +1,18 @@
 {% for vlan in vlans %}
+{% set prefixes = query('netbox.netbox.nb_lookup', 'prefixes', api_filter='vlan_id='~vlan.id, raw_data=true) %}
+{% set prefixes4 = prefixes | selectattr('family.value', '==', 4) | map(attribute='prefix') %}
+{% set prefixes6 = prefixes | selectattr('family.value', '==', 6) | map(attribute='prefix') %}
 set {{ vlan.name }} {
 	type ipv4_addr; flags interval
+{% if prefixes4 %}
+	elements = { {{ prefixes4 | join(', ') }} }
+{% endif %}
 }
 set {{ vlan.name }}/6 {
 	type ipv6_addr; flags interval
+{% if prefixes6 %}
+	elements = { {{ prefixes6 | join(', ') }} }
+{% endif %}
 }
 {% endfor %}
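Review bot: The `{% if prefixes4 %}` and `{% if prefixes6 %}` guards never skip the `elements` line, because `selectattr(...) | map(...)` leaves a Jinja2 generator in the variable and a generator object is truthy even when it yields nothing, so a VLAN with no prefixes of one family renders `elements = {  }`, which nftables will most likely refuse to load and thereby block the whole ruleset reload. Materialize the lists when they are set, `{% set prefixes4 = prefixes | selectattr('family.value', '==', 4) | map(attribute='prefix') | list %}` and the same for `prefixes6`, or test `{% if prefixes4 | length %}`. Separately, the set contents are now controlled by NetBox data inserted into the ruleset unescaped; NetBox validates the prefix field as a CIDR, but a comment above the lookup such as `{# prefixes come straight from NetBox; a bad or unexpected value here breaks the nft load on every firewall #}` would make that trust boundary explicit, and consider feeding an empty or invalid lookup result through a filter that rejects non-CIDR strings before it reaches `join`.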