From c2d0e8899678c267eac4eefa74dd866e497a7b9a Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Wed, 13 Dec 2023 19:03:35 +0100
Subject: [PATCH] firewall: set IPv6 address for wireguard interface

And advertise it.
---
 roles/firewall/templates/frr.conf.j2 | 18 +++++++++++++++---
 roles/firewall/templates/wg.intf.j2  |  5 +++++
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/roles/firewall/templates/frr.conf.j2 b/roles/firewall/templates/frr.conf.j2
index eccf513..e92f2bf 100644
--- a/roles/firewall/templates/frr.conf.j2
+++ b/roles/firewall/templates/frr.conf.j2
@@ -96,7 +96,12 @@ ipv6 prefix-list office permit {{ prefix.prefix }} ge 64
 {% endfor %}
 {% endfor %}
 
+{% if wg_net is defined %}
 ip prefix-list vpn permit {{ wg_net | ipaddr('subnet') }}
+{% endif %}
+{% if wg_net6 is defined %}
+ipv6 prefix-list vpn permit {{ wg_net6 | ipaddr('subnet') }}
+{% endif %}
 
 {% for network in nat %}
 ip prefix-list nat permit {{ network }}
@@ -106,8 +111,10 @@ ip prefix-list nat permit {{ wg_ip }}
 
 route-map loopback permit 1
  match interface lo
+route-map loopback permit 2
+ match interface wg
 
-# Get routes to offices and VPN users on other firewalls from inside peers.
+# Get routes to offices from inside peers.
 route-map inside->default permit 10
  match ip address prefix-list fabric
 route-map inside->default permit 20
@@ -122,8 +129,11 @@ route-map default->inside permit 20
  match ip address prefix-list default
 route-map default->inside permit 21
  match ipv6 address prefix-list default
-route-map default->inside permit 30
- match ip address prefix-list vpn
+# I don’t think these /need/ to be announced separately since we are sending the default route anyway.
+#route-map default->inside permit 30
+# match ip address prefix-list vpn
+#route-map default->inside permit 31
+# match ipv6 address prefix-list vpn
 
 # Get default route from outside peers.
 route-map outside->default permit 10
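Review bot: `wg_net` becomes optional in this hunk, but `wg_ip` in the next hunk's context line (`ip prefix-list nat permit {{ wg_ip }}`) is still rendered unconditionally, so a host without a WireGuard IPv4 range still emits a nat entry for it, and if `wg_ip` is derived from `wg_net` the template fails to render instead of omitting the VPN prefix. Either guard that line with the same `{% if wg_net is defined %}` or state near the vpn section that `wg_ip` is required even when `wg_net` is absent. The `vpn` prefix-lists also deserve a one-line comment now that the IPv4 list is, as far as this file shows, only referenced from commented-out route-map entries, e.g. `# VPN client ranges: the IPv6 list is announced to outside peers; the IPv4 range appears to be covered by the nat list via wg_ip.`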
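Review bot: The route-map is still named `loopback` but its new `permit 2` entry matches interface `wg`, so the name no longer describes what it selects and a reader has to find where the map is applied (not visible in this diff, presumably a `redistribute connected` statement) to understand why the tunnel is included. A comment above `route-map loopback permit 1` would carry that intent, e.g. `# Connected routes to redistribute: the loopback and the WireGuard tunnel network.` The rewritten comment `# Get routes to offices from inside peers.` drops the "VPN users on other firewalls" case without saying why; if that case is handled elsewhere now, name it here.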
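Review bot: The `default->inside` announcement of the VPN prefix is removed on the strength of a speculative comment ("I don’t think these /need/ to be announced"), yet with more than one firewall the inside peers would now reach VPN clients via whichever firewall sends the default route, which need not be the one terminating the tunnel — return traffic to clients becomes asymmetric and is likely dropped by stateful filtering (this depends on the topology, which the diff does not show). The comment replaced in the previous hunk described exactly that case ("VPN users on other firewalls"). If the single-default-route assumption does hold, delete the four commented-out `route-map`/`match` lines rather than keeping dead config with a guess attached, and record the decision as a fact, e.g. `# VPN prefixes are not announced separately to inside peers; they are reached via the default route we send.`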
@@ -139,3 +149,5 @@ route-map default->outside permit 11
  match ipv6 address prefix-list office
 route-map default->outside permit 20
  match ip address prefix-list nat
+route-map default->outside permit 31
+ match ipv6 address prefix-list vpn
diff --git a/roles/firewall/templates/wg.intf.j2 b/roles/firewall/templates/wg.intf.j2
index 6c295cc..266eef8 100644
--- a/roles/firewall/templates/wg.intf.j2
+++ b/roles/firewall/templates/wg.intf.j2
@@ -1,4 +1,9 @@
 auto wg
 iface wg inet static
     use wireguard
+{% if wg_net is defined %}
     address {{ wg_net }}
+{% endif %}
+{% if wg_net6 is defined %}
+    address {{ wg_net6 }}
+{% endif %}
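Review bot: `route-map default->outside permit 31` matches `ipv6 address prefix-list vpn`, but that prefix-list is only rendered when `wg_net6` is defined (first hunk), so on hosts without it the rendered config references a nonexistent list; wrap the two new lines in the same `{% if wg_net6 is defined %}` guard instead of relying on how FRR treats a missing prefix-list in a match clause. Announcing the WireGuard IPv6 client range to outside peers also makes VPN clients directly reachable from upstream — unlike the IPv4 range, which sits behind the `nat` list — so the forwarding policy for `wg` in this role (not part of this diff) should be confirmed to drop unsolicited inbound traffic to clients. The sequence number `31` without a `30` mirrors the commented-out `default->inside` pair; a short comment such as `# The IPv6 VPN range is routed, not NATed, so announce it upstream.` would explain the asymmetry to the next reader.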
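Review bot: Both `address` lines are now conditional, so a host that defines neither `wg_net` nor `wg_net6` renders an `iface wg` stanza with no address at all and nothing flags that as a misconfiguration; a Jinja comment at the top of the template stating the expectation, `{# At least one of wg_net or wg_net6 must be set; an addressless wg interface is not useful. #}`, plus an assert in the role's tasks (outside this diff) would make the failure visible at deploy time. The IPv6 address is placed under `iface wg inet static`: with ifupdown-ng, which the `use wireguard` executor suggests, mixed-family `address` lines in one stanza are accepted, but classic ifupdown would ignore it and need a separate `iface wg inet6 static` stanza — worth confirming which implementation these hosts run.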