firewall: allow connections from master with NATted IP

2024-02-06 09:19:49 +01:00 · 2024-02-06 09:19:49 +01:00 · 91afaec9c2
commit 91afaec9c2
parent f54b23f49a
1 changed files with 9 additions and 2 deletions
--- a/roles/firewall/templates/nftables.nft.j2
+++ b/roles/firewall/templates/nftables.nft.j2
@ -25,8 +25,15 @@ table inet filter {
        iif mgmt tcp dport ssh accept \
        comment "Accept SSH from management VRF"

-        tcp dport ssh ip saddr {{ hostvars[master]['ansible_host'] }} accept \
-        comment "Accept SSH from firewall master"
+        # allow SSH connections from firewall master’s IPs
+{% for iface in hostvars[master].interfaces %}
+{% for address in iface.ip_addresses | selectattr('family.value', '==', 4) %}
+        tcp dport ssh {{ 'ip' if address.family.value == 4 else 'ip6' }} saddr {{ address.address | ipaddr('address')  }} accept
+{% for nat_address in address.nat_outside %}
+        tcp dport ssh ip saddr {{ nat_address.address | ipaddr('address') }} accept
+{% endfor %}
+{% endfor %}
+{% endfor %}

        iif @link tcp dport bgp ip6 saddr fe80::/10 accept \
        comment "Accept link-local BGP on fabric links"