rc/network
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

firewall: add known IP ranges in network ipset definitions

Browse source 
This data should only change in NetBox, so no point deploying it from
firewall master. Sometimes the first approach is the best approach.
This commit is contained in:
Timotej Lazar 2024-03-19 09:46:26 +01:00
parent aa82e5aa18
commit 7ef4023424
1 changed files with 9 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

9
roles/firewall/templates/networks.nft.j2
View file

@ -1,9 +1,18 @@
{% for vlan in vlans %}
{% set prefixes = query('netbox.netbox.nb_lookup', 'prefixes', api_filter='vlan_id='~vlan.id, raw_data=true) %}
{% set prefixes4 = prefixes | selectattr('family.value', '==', 4) | map(attribute='prefix') %}
{% set prefixes6 = prefixes | selectattr('family.value', '==', 6) | map(attribute='prefix') %}
set {{ vlan.name }} {
type ipv4_addr; flags interval
{% if prefixes4 %}
elements = { {{ prefixes4 | join(', ') }} }
{% endif %}
}
set {{ vlan.name }}/6 {
type ipv6_addr; flags interval
{% if prefixes6 %}
elements = { {{ prefixes6 | join(', ') }} }
{% endif %}
}
{% endfor %}