exit: import firewalls’ addresses into inside VRFs

Mostly so that the backup firewall is reachable from inside. Without
this, such traffic would be routed towards the active firewall and
dropped there.

roles/exit/templates/frr.conf.j2

@@ -199,6 +199,17 @@ ipv6 prefix-list default permit ::/0
 ip prefix-list fabric permit 10.34.0.0/24 ge 32
 ipv6 prefix-list fabric permit 2001:1470:fffd:3400::/64 ge 128
 
+# prefix list for firewalls’ own addresses
+{% for firewall in interfaces | selectattr('name', 'in', ifaces_firewall) | iface_peer %}
+{% for address in hostvars[firewall] | device_address %}
+{% if address.family.value == 4 %}
+ip prefix-list firewall permit {{ address.address }}
+{% else %}
+ipv6 prefix-list firewall permit {{ address.address }}
+{% endif %}
+{% endfor %}
+{% endfor %}
+
 # prefix list for outside networks
 {% for prefix in vrf_prefixes | selectattr('vrf.name', '==', 'outside')
     | sort(attribute='family.value') | sort(attribute='vlan.vid') %}
@@ -286,6 +297,10 @@ route-map office-import permit 10
   match ip address prefix-list default
 route-map office-import permit 11
   match ipv6 address prefix-list default
+route-map office-import permit 20
+  match ip address prefix-list firewall
+route-map office-import permit 21
+  match ipv6 address prefix-list firewall
 
 route-map inside-import permit 20
   match ip address prefix-list office