From 91afaec9c2d3433dfe93825bcd12462bf73090fe Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Tue, 6 Feb 2024 09:19:49 +0100
Subject: [PATCH] firewall: allow connections from master with NATted IP
---
 roles/firewall/templates/nftables.nft.j2 | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/roles/firewall/templates/nftables.nft.j2 b/roles/firewall/templates/nftables.nft.j2
index 0c3f0dc..060c1bc 100644
--- a/roles/firewall/templates/nftables.nft.j2
+++ b/roles/firewall/templates/nftables.nft.j2
@@ -25,8 +25,15 @@ table inet filter {
 iif mgmt tcp dport ssh accept \
 comment "Accept SSH from management VRF"
- tcp dport ssh ip saddr {{ hostvars[master]['ansible_host'] }} accept \
- comment "Accept SSH from firewall master"
+ # allow SSH connections from firewall master’s IPs
+{% for iface in hostvars[master].interfaces %}
+{% for address in iface.ip_addresses | selectattr('family.value', '==', 4) %}
+ tcp dport ssh {{ 'ip' if address.family.value == 4 else 'ip6' }} saddr {{ address.address | ipaddr('address') }} accept
+{% for nat_address in address.nat_outside %}
+ tcp dport ssh ip saddr {{ nat_address.address | ipaddr('address') }} accept
+{% endfor %}
+{% endfor %}
+{% endfor %}
 iif @link tcp dport bgp ip6 saddr fe80::/10 accept \
 comment "Accept link-local BGP on fabric links"
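Review bot: The `{{ 'ip' if address.family.value == 4 else 'ip6' }}` branch in the first generated rule is dead, because the enclosing loop already filters with `selectattr('family.value', '==', 4)`; either write the rule as `tcp dport ssh ip saddr {{ address.address | ipaddr('address') }} accept` like the nat_outside rule below it, or drop the filter if IPv6 sources are meant to be accepted too (in which case the nat_outside rule would also need the family-dependent `ip`/`ip6` keyword). The removed rule carried `comment "Accept SSH from firewall master"`, but none of the generated rules do, so `nft list ruleset` no longer shows why these sources are allowed; add the same `comment` to both generated rules. The allow-list also grows from the master's single `ansible_host` to every address on every interface of the master plus their NAT-outside addresses, which is presumably intended, but if any of those addresses are shared with other hosts (a VIP or anycast prefix, say) SSH becomes reachable from more than the master; a filter on the interface list or a `# NOTE:` comment stating that all master addresses are trusted would make that explicit. The enclosing `table inet filter {` chain starts before this hunk.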