exit: store VLAN interface addresses in NetBox

… instead of generating them from prefixes. A NetBox script can be
used to create and configure all necessary data for a new VLAN.

Instead of VLAN roles “inside” and “outside” we now create separate
VRFs for inside VLANs to match the actual exit/firewall configuration.
The “outside” VRF is for all VLANs that are directly accessible from
the internet.
Timotej Lazar 2024-04-10 14:03:50 +02:00
parent ece3b8a377
commit db397cb2b1
7 changed files with 32 additions and 51 deletions


@ -1,35 +1,11 @@
{# Note that there must be exactly one VLAN-aware bridge. #}
{% set bridge = interfaces | selectattr('type') | selectattr('type.value', '==', 'bridge') | first %}
{% set bridge_vlans = vlans | selectattr('vid', 'in', bridge.tagged_vlans | map(attribute='vid')) -%}
{# VRF outside is special, all others are inside but also firewalled from each other. #}
{% set inside_vrfs = interfaces | selectattr('parent') | selectattr('parent.name', '==', 'bridge')
| selectattr('vrf') | map(attribute='vrf') | rejectattr('name', '==', 'outside') -%}
# A separate VRF for each inside network so we can firewall between them.
{% for vlan in bridge_vlans | selectattr('role.slug', '==', 'inside') %}
auto {{ vlan.name }}
iface {{ vlan.name }}
{% for vrf in inside_vrfs %}
auto {{ vrf.name }}
iface {{ vrf.name }}
vrf-table auto
{% endfor %}
# Interfaces.
{% for vlan in bridge_vlans %}
{% set prefixes = query('netbox.netbox.nb_lookup', 'prefixes', api_filter='vlan_id='~vlan.id, raw_data=true)
| sort(attribute='family.value') | map(attribute='prefix') %}
auto {{ bridge.name }}.{{ vlan.vid }}
iface {{ bridge.name }}.{{ vlan.vid }}
vrf {% if vlan.role.slug == 'outside' %}outside{% else %}{{ vlan.name }}{% endif +%}
mtu 9216
{% if peer is defined %}
{% set my_index = inventory_hostname.split('-')[1]|int %}
{% for prefix in prefixes %}
address {{ prefix | ipaddr(1 + my_index) }}
{% endfor %}
{% if prefixes %}
address-virtual 00:00:5e:00:01:01 {{ prefixes | ipaddr(1) | join(' ') }}
{% endif %}
{% else %}
{% for prefix in prefixes %}
address {{ prefix }}
{% endfor %}
{% endif %}
{% endfor %}
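Review bot: The new `inside_vrfs` expression on the line starting `{% set inside_vrfs` hard-codes the parent interface name as the literal `'bridge'`, while the line above locates the VLAN-aware bridge by type and binds it to `bridge`; if the bridge is named anything else, `inside_vrfs` is silently empty, no inside VRF stanzas are rendered, and the VLAN interfaces that should be isolated from each other have no VRF to attach to. Reusing the already-computed name keeps the two lookups consistent: `| selectattr('parent') | selectattr('parent.name', '==', bridge.name)`. It also appears (inferred from the filter chain, which maps every matching interface to its VRF) that several interfaces can share one VRF, in which case the `for vrf in inside_vrfs` loop emits duplicate `auto`/`iface` stanzas for the same VRF; ending the chain with `| rejectattr('name', '==', 'outside') | unique(attribute='name') -%}` avoids that. The hunk spans the whole template, so nothing is cut off outside it.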