From de05fd236b6fcca9b864b95cbd5b39b4ae1b25e3 Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Sat, 9 Nov 2024 19:56:31 +0100
Subject: [PATCH] access: enable DHCP snooping on D-Link switches
Use the ifaces_dhcp custom context property to select interfaces where we should expect DHCP replies.
---
 roles/access/tasks/main.yml | 2 +-
 roles/access/templates/config-d-link.j2 | 12 ++++++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/roles/access/tasks/main.yml b/roles/access/tasks/main.yml
index a48f03e..785a8a2 100644
--- a/roles/access/tasks/main.yml
+++ b/roles/access/tasks/main.yml
@@ -19,7 +19,7 @@
 ansible_terminal_stderr_re: [] # some errors are not actually errors
 register: result
 # These lines are not displayed by 'sho ru' and always reported as different, so ignore them.
- changed_when: result.commands | reject('match', '^(no shutdown|no switchport access vlan|no voice vlan.*|switchport mode access|switchport mode hybrid|interface .*|no enable service web-server https?)$')
+ changed_when: result.commands | reject('match', '^(no shutdown|no switchport access vlan|no voice vlan.*|switchport mode access|switchport mode hybrid|interface .*|no enable service web-server https?|no ip dhcp snooping|no ip dhcp snooping trust)$')
 notify: write config
 - name: Run model-specific tasks
diff --git a/roles/access/templates/config-d-link.j2 b/roles/access/templates/config-d-link.j2
index ab2a982..9942cf6 100644
--- a/roles/access/templates/config-d-link.j2
+++ b/roles/access/templates/config-d-link.j2
@@ -51,6 +51,12 @@ interface {{ iface.name }}
 {% set mgmt.gw = iface.custom_fields.gateway.address %}
 {% endif %}
 {% endif %}
+
+{% if iface.name in ifaces_dhcp | default([]) %}
+ ip dhcp snooping trust
+{% else %}
+ no ip dhcp snooping trust
+{% endif %}
 {% endfor %}
 {%- if mgmt.ip %}
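Review bot: Adding `no ip dhcp snooping trust` to the ignore list in `changed_when` means a run whose only effective change is removing trust from a port is reported as unchanged, so the `write config` handler is presumably not notified. If that reading is right, the saved configuration keeps the port trusted and the trust returns after a reboot, which matters because a trusted port is exactly where DHCP replies are accepted without filtering. Consider persisting the configuration whenever the set of trusted ports changes, and extend the comment above the expression, e.g. `# 'no ip dhcp snooping[ trust]' is the default and not shown in the running config, so removing trust is not detected here.` The task this expression belongs to starts outside the hunk.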
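Review bot: The membership test `iface.name in ifaces_dhcp | default([])` turns into a substring match if `ifaces_dhcp` is ever supplied as a single string instead of a list, so a value naming one port would also mark every port whose name is contained in that string as trusted. The type of the context property is not visible here, so this is an assumption to rule out; asserting in the role that it is a list, or normalising it once before the loop, avoids emitting `ip dhcp snooping trust` on a port nobody intended. A short template comment such as `{# trusted = ports where DHCP replies are legitimately received (uplinks, DHCP servers) #}` would also record the intent. The enclosing `for` loop starts outside the hunk.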
@@ -83,6 +89,12 @@ sntp server {{ address }}
 ntp access-group default nomodify noquery
+{% if ifaces_dhcp | default(false) %}
+ip dhcp snooping
+{% else %}
+no ip dhcp snooping
+{% endif %}
+
 {% if mgmt.gw %}
 ip route 0.0.0.0 0.0.0.0 {{ mgmt.gw | ipaddr('address') }} primary
 {% endif %}
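Review bot: Global snooping is switched on whenever `ifaces_dhcp` is non-empty, independent of whether any interface on this switch actually matched and received `ip dhcp snooping trust` in the interface loop. With a misspelled name, or a name that belongs to another device, the switch would filter with no trusted port and presumably drop every DHCP reply. Deriving the condition from the loop (for example a flag set on what appears to be the existing `mgmt` namespace in the trust branch and tested here), or failing the play when a listed name is absent, would surface that early; the `default(false)` here and the `default([])` in the loop could be aligned at the same time. It is also worth confirming on a target model that the global command alone activates filtering on the access VLANs.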