rc/network
5
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

exit: import firewalls’ addresses into inside VRFs

Browse source 
Mostly so that the backup firewall is reachable from inside. Without
this, such traffic would be routed towards the active firewall and
dropped there.
This commit is contained in:
Timotej Lazar 2025-07-18 15:11:11 +02:00
parent 617e0689f1
commit 9b03b002f7
2 changed files with 23 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

8
filter_plugins/netbox.py
View file

@ -8,6 +8,7 @@ class FilterModule(object):
def filters(self): def filters(self):
return { return {
'compact_numlist': self.compact_numlist, 'compact_numlist': self.compact_numlist,
'device_address': self.device_address,
'iface_real': self.iface_real, 'iface_real': self.iface_real,
'iface_peer': self.iface_peer, 'iface_peer': self.iface_peer,
'iface_vlans': self.iface_vlans 'iface_vlans': self.iface_vlans
@ -27,6 +28,13 @@ class FilterModule(object):
i = j i = j
return delimiter.join(spans) return delimiter.join(spans)
def device_address(self, device):
'''Return loopback IP addresses for an L3 attached device'''
for iface in device['interfaces']:
for addr in iface['ip_addresses']:
if addr.get('role') and addr['role'].get('value') == 'loopback':
yield addr
def iface_real(self, interfaces): def iface_real(self, interfaces):
'''Return only non-virtual interfaces''' '''Return only non-virtual interfaces'''
for iface in interfaces: for iface in interfaces:

15
roles/exit/templates/frr.conf.j2
View file

@ -199,6 +199,17 @@ ipv6 prefix-list default permit ::/0
ip prefix-list fabric permit 10.34.0.0/24 ge 32 ip prefix-list fabric permit 10.34.0.0/24 ge 32
ipv6 prefix-list fabric permit 2001:1470:fffd:3400::/64 ge 128 ipv6 prefix-list fabric permit 2001:1470:fffd:3400::/64 ge 128
# prefix list for firewalls’ own addresses
{% for firewall in interfaces | selectattr('name', 'in', ifaces_firewall) | iface_peer %}
{% for address in hostvars[firewall] | device_address %}
{% if address.family.value == 4 %}
ip prefix-list firewall permit {{ address.address }}
{% else %}
ipv6 prefix-list firewall permit {{ address.address }}
{% endif %}
{% endfor %}
{% endfor %}
# prefix list for outside networks # prefix list for outside networks
{% for prefix in vrf_prefixes | selectattr('vrf.name', '==', 'outside') {% for prefix in vrf_prefixes | selectattr('vrf.name', '==', 'outside')
| sort(attribute='family.value') | sort(attribute='vlan.vid') %} | sort(attribute='family.value') | sort(attribute='vlan.vid') %}
@ -286,6 +297,10 @@ route-map office-import permit 10
match ip address prefix-list default match ip address prefix-list default
route-map office-import permit 11 route-map office-import permit 11
match ipv6 address prefix-list default match ipv6 address prefix-list default
route-map office-import permit 20
match ip address prefix-list firewall
route-map office-import permit 21
match ipv6 address prefix-list firewall
route-map inside-import permit 20 route-map inside-import permit 20
match ip address prefix-list office match ip address prefix-list office