From d667a38553974730a0efffb79d1e3190a801dee4 Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Wed, 26 Mar 2025 01:15:14 +0100
Subject: [PATCH 1/5] exit: consolidate IPv4 and IPv6 address families

In BGP router configuration for default and inside VRFs.
---
 roles/exit/templates/frr.conf.j2 | 57 ++++++-------------------------
 1 file changed, 10 insertions(+), 47 deletions(-)

diff --git a/roles/exit/templates/frr.conf.j2 b/roles/exit/templates/frr.conf.j2
index 8c84271..803e0c6 100644
--- a/roles/exit/templates/frr.conf.j2
+++ b/roles/exit/templates/frr.conf.j2
@@ -37,18 +37,8 @@ router bgp {{ asn.asn }}
   neighbor {{ iface }} bfd 3 150 150
 {% endfor %}
 
-  address-family ipv4 unicast
-    redistribute connected route-map loopback
-
-    neighbor fabric soft-reconfiguration inbound
-    neighbor fabric route-map fabric->default in
-    neighbor fabric route-map default->fabric out
-
-    import vrf outside
-    import vrf route-map default-import
-  exit-address-family
-
-  address-family ipv6 unicast
+{% for family in ['ipv4', 'ipv6'] %}
+  address-family {{ family }} unicast
     redistribute connected route-map loopback
 
     neighbor fabric activate
@@ -60,6 +50,7 @@ router bgp {{ asn.asn }}
     import vrf route-map default-import
   exit-address-family
 
+{% endfor %}
   address-family l2vpn evpn
     advertise-all-vni
     advertise-default-gw
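Review bot: The new `{% for family in ['ipv4', 'ipv6'] %}` loop drives both families through the same route-maps (`loopback` on the redistribute line and, in the context that follows, the `fabric->default`/`default->fabric` maps), and in FRR a route-map sequence that only has `match ip address prefix-list` never matches an IPv6 route, so the IPv6 side lands on the implicit deny unless each of those maps also carries `match ipv6 address prefix-list` entries, which live outside this hunk. The removed IPv6 block referenced the same map names, so this is not a regression, but the loop now hides that one policy serves both families; a Jinja comment above it, `{# Both families share these route-maps: each map needs ip AND ipv6 match clauses. #}`, would save the next reader a trip to the prefix-list section. The `neighbor fabric activate` line the old IPv4 block lacked is a no-op for IPv4 unless `bgp default ipv4-unicast` is disabled earlier in this router block, which is not visible here.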
@@ -144,27 +135,8 @@ router bgp {{ asn.asn }} vrf inside
   neighbor {{ iface }}.2 bfd 3 150 150
 {% endfor %}
 
-  address-family ipv4 unicast
-    neighbor peerlink.2 soft-reconfiguration inbound
-    neighbor peerlink.2 route-map peer.2->me in
-    neighbor peerlink.2 route-map me->peer.2 out
-
-    neighbor firewall allowas-in 1
-    neighbor firewall soft-reconfiguration inbound
-    neighbor firewall route-map inside->firewall out
-{% for iface in ifaces_firewall %}
-    neighbor {{ iface }}.2 route-map firewall-{{ loop.index }}->inside in
-{% endfor %}
-
-    redistribute connected route-map loopback-inside
-{% for vrf in inside_vrfs %}
-    import vrf {{ vrf }}
-{% endfor %}
-    import vrf default
-    import vrf route-map inside-import
-  exit-address-family
-
-  address-family ipv6 unicast
+{% for family in ['ipv4', 'ipv6'] %}
+  address-family {{ family }} unicast
     neighbor peerlink.2 activate
     neighbor peerlink.2 soft-reconfiguration inbound
     neighbor peerlink.2 route-map peer.2->me in
@@ -186,25 +158,15 @@ router bgp {{ asn.asn }} vrf inside
     import vrf route-map inside-import
   exit-address-family
 
+{% endfor %}
+
 
 {% for vrf in vrfs.values() | selectattr('name', 'in', inside_vrfs) %}
 router bgp {{ asn.asn }} vrf {{ vrf.name }}
   bgp bestpath as-path multipath-relax
 
-  address-family ipv4 unicast
-    redistribute connected
-    import vrf inside
-{% if vrf.custom_fields.imports %}
-{% for import in vrf.custom_fields.imports %}
-    import vrf {{ import.name }}
-{% endfor %}
-    import vrf route-map {{ vrf.name }}-import
-{% else %}
-    import vrf route-map office-import
-{% endif %}
-  exit-address-family
-
-  address-family ipv6 unicast
+{% for family in ['ipv4', 'ipv6'] %}
+  address-family {{ family }} unicast
     redistribute connected
     import vrf inside
 {% if vrf.custom_fields.imports %}
@@ -218,6 +180,7 @@ router bgp {{ asn.asn }} vrf {{ vrf.name }}
   exit-address-family
 
 {% endfor %}
+{% endfor %}
 
 # Prefix lists.
 ip prefix-list default permit 0.0.0.0/0
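Review bot: After the last hunk two bare `{% endfor %}` closers end the per-VRF block, the kept one closing the new `family` loop and the added one closing the `vrf` loop opened in the previous hunk, and nothing in the template says which is which. Jinja closers are unnamed and interchangeable, so the rendered FRR config is the same either way, but tagging them `{% endfor %}{# family #}` and `{% endfor %}{# vrf #}` keeps the nesting readable now that the `inside` router block above also ends with a `family` closer sitting right before the `vrf` opener. If trailing comments interact badly with `trim_blocks` whitespace in your Ansible setup, put the tag on its own line above each closer instead.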
From 8a0113ea49a5080bd6d45fe5bf064f5edef49704 Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Wed, 26 Mar 2025 01:33:33 +0100
Subject: [PATCH 2/5] leaf: consolidate IPv4 and IPv6 address families for BGP

Same applies to spine.
---
 roles/leaf/templates/frr.conf.j2 | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/roles/leaf/templates/frr.conf.j2 b/roles/leaf/templates/frr.conf.j2
index 2510328..a30748b 100644
--- a/roles/leaf/templates/frr.conf.j2
+++ b/roles/leaf/templates/frr.conf.j2
@@ -41,7 +41,8 @@ router bgp {{ asn.asn }}
 {% endfor %}
 {% endfor %}
 
-  address-family ipv4 unicast
+{% for family in ['ipv4', 'ipv6'] %}
+  address-family {{ family }} unicast
     redistribute connected route-map loopbacks
     neighbor fabric activate
 {% for tenant in my_tenants %}
@@ -51,16 +52,7 @@ router bgp {{ asn.asn }}
 {% endfor %}
   exit-address-family
 
-  address-family ipv6 unicast
-    redistribute connected route-map loopbacks
-    neighbor fabric activate
-{% for tenant in my_tenants %}
-    neighbor dc-{{ tenant }} activate
-    neighbor dc-{{ tenant }} route-map dc-{{ tenant }}->default in
-    neighbor dc-{{ tenant }} route-map default->dc out
 {% endfor %}
-  exit-address-family
-
   address-family l2vpn evpn
     neighbor fabric activate
 {% for iface in ifaces_evpn|default([]) %}
From cafa938da3eb781cb91cbcf406afea4bab0a1f70 Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Wed, 26 Mar 2025 01:46:28 +0100
Subject: [PATCH 3/5] firewall: consolidate IPv4 and IPv6 address families for BGP

---
 roles/exit/templates/frr.conf.j2     |  2 ++
 roles/firewall/templates/frr.conf.j2 | 22 ++++++----------------
 2 files changed, 8 insertions(+), 16 deletions(-)

diff --git a/roles/exit/templates/frr.conf.j2 b/roles/exit/templates/frr.conf.j2
index 803e0c6..059a5ff 100644
--- a/roles/exit/templates/frr.conf.j2
+++ b/roles/exit/templates/frr.conf.j2
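Review bot: The `{% endfor %}` kept as context in the middle of the second hunk changes meaning: it used to close the IPv6 block's `tenant` loop and now closes the `family` loop opened in the first hunk, and with the blank line left between `exit-address-family` and that closer the family loop now ends flush against `address-family l2vpn evpn`. Moving the blank line below the closer, or tagging it `{% endfor %}{# family #}`, keeps the family loop visibly closed before the EVPN family starts; the rendered config is identical. The removed IPv6 body was line for line the IPv4 body, so this is a pure dedup for the leaf template, but the diffstat lists only `roles/leaf`; if the spine role renders its own copy of this template the "Same applies to spine" in the message is not done here, and if it reuses the leaf template it is worth saying so in the message.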
@@ -77,10 +77,12 @@ router bgp {{ asn.asn }} vrf outside
 {% endfor %}
 
   address-family ipv4 unicast
+    neighbor peerlink.4 activate
     neighbor peerlink.4 soft-reconfiguration inbound
     neighbor peerlink.4 route-map peer.4->me in
     neighbor peerlink.4 route-map me->peer.4 out
 
+    neighbor firewall activate
     neighbor firewall allowas-in 1
     neighbor firewall default-originate
     neighbor firewall soft-reconfiguration inbound
diff --git a/roles/firewall/templates/frr.conf.j2 b/roles/firewall/templates/frr.conf.j2
index 81ae5f3..9937aa8 100644
--- a/roles/firewall/templates/frr.conf.j2
+++ b/roles/firewall/templates/frr.conf.j2
@@ -40,26 +40,14 @@ router bgp {{ asn.asn }}
   neighbor {{ iface.name }}.4 bfd profile fast
 {% endfor %}
 
-  address-family ipv4 unicast
+{% for family in ['ipv4', 'ipv6'] %}
+  address-family {{ family }} unicast
+{% if family == 'ipv4' %}
 {% for network in nat %}
     network {{ network }}
 {% endfor %}
 
-    redistribute connected route-map loopback
-    maximum-paths 16
-
-    neighbor outside soft-reconfiguration inbound
-    neighbor outside route-map outside->default in
-    neighbor outside route-map default->outside out
-
-    neighbor inside allowas-in origin
-    neighbor inside default-originate
-    neighbor inside soft-reconfiguration inbound
-    neighbor inside route-map inside->default in
-    neighbor inside route-map default->inside out
-  exit-address-family
-
-  address-family ipv6 unicast
+{% endif %}
     redistribute connected route-map loopback
     maximum-paths 16
 
@@ -76,6 +64,8 @@ router bgp {{ asn.asn }}
     neighbor inside route-map default->inside out
   exit-address-family
 
+{% endfor %}
+
 # Prefix lists.
 ip prefix-list default permit 0.0.0.0/0
 ipv6 prefix-list default permit ::/0
From f9f71bb33728b5086c62670142d81da0a586ef99 Mon Sep 17 00:00:00 2001
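Review bot: The two `activate` lines added under `address-family ipv4 unicast` of `vrf outside` only do something if `bgp default ipv4-unicast` is disabled for this router, which is outside the hunk; otherwise IPv4 unicast is already on for `peerlink.4` and `firewall` and they are no-ops, so the reason for adding them in a firewall-template commit belongs in the message or in a comment such as `{# explicit activate: this router runs with no bgp default ipv4-unicast #}` if that is the case. Note also that `vrf outside` stays IPv4-only while the firewall's default VRF in the next file now configures its `outside` peering under both families; if the unchanged part of that block activates `outside` for IPv6, the AFI will simply not be negotiated against this VRF, which is fine only as long as IPv6 toward the outside is not expected to work.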
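Review bot: With the family loop in the firewall hunk, `neighbor inside default-originate` and `neighbor inside allowas-in origin` in the unchanged body between the two hunks now apply to IPv6 as well, so the firewall announces `::/0` into the `inside` peer group; the old IPv6 body is not shown, so I cannot tell whether that is new. As I read FRR, a default injected by `default-originate` without a `route-map` argument is not subject to the `default->inside` outbound map, so if the IPv6 default should only be sent while an upstream default exists, put the condition on `default-originate route-map ...` rather than relying on the outbound map. The `{% if family == 'ipv4' %}` guard around the `nat` networks is right; a short comment on it, `{# NAT pool prefixes are IPv4 only #}`, would keep someone from "fixing" it later.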
From: Timotej Lazar
Date: Wed, 26 Mar 2025 10:14:15 +0100
Subject: [PATCH 4/5] =?UTF-8?q?firewall:=20don=E2=80=99t=20import=20or=20a?=
 =?UTF-8?q?dvertise=20subnets=20for=20inside=20networks?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This is part two to commit 3b3e759c.
---
 roles/firewall/templates/frr.conf.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/firewall/templates/frr.conf.j2 b/roles/firewall/templates/frr.conf.j2
index 9937aa8..9078004 100644
--- a/roles/firewall/templates/frr.conf.j2
+++ b/roles/firewall/templates/frr.conf.j2
@@ -75,9 +75,9 @@ ip prefix-list fabric permit 10.34.0.0/24 ge 32
 
 {% for prefix in vrf_prefixes | rejectattr('vrf.name', '==', 'outside') | sort(attribute='family.value') %}
 {% if prefix.family.value == 4 %}
-ip prefix-list office permit {{ prefix.prefix }} ge {{ prefix.prefix | ipaddr('prefix') }}
+ip prefix-list office permit {{ prefix.prefix }}
 {% elif prefix.family.value == 6 %}
-ipv6 prefix-list office permit {{ prefix.prefix }} ge {{ prefix.prefix | ipaddr('prefix') }}
+ipv6 prefix-list office permit {{ prefix.prefix }}
 {% endif %}
 {% endfor %}
 
From d3196a48c2e3e1a1449725ef225174e37b8a0416 Mon Sep 17 00:00:00 2001
From: Timotej Lazar
Date: Wed, 26 Mar 2025 10:35:00 +0100
Subject: [PATCH 5/5] firewall: set up resolv.conf

To use IPv6 nameserver addresses.
---
 roles/firewall/tasks/main.yml | 6 ++++++
 templates/resolv.conf.j2      | 4 ++++
 2 files changed, 10 insertions(+)
 create mode 100644 templates/resolv.conf.j2

diff --git a/roles/firewall/tasks/main.yml b/roles/firewall/tasks/main.yml
index df83109..83e748f 100644
--- a/roles/firewall/tasks/main.yml
+++ b/roles/firewall/tasks/main.yml
@@ -51,6 +51,12 @@
     mode: 0644
   notify: enable interfaces
 
+- name: Set up resolv.conf
+  template:
+    dest: /etc/resolv.conf
+    src: resolv.conf.j2
+    mode: 0644
+
 - name: Set up sysctls
   template:
     dest: /etc/sysctl.d/firewall.conf
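Review bot: Dropping `ge {{ prefix.prefix | ipaddr('prefix') }}` turns each `office` entry from "this prefix and every more-specific down to host length" into an exact match, which is the tighter and better filter, but nothing in the template records that, and the `ge` form was evidently deliberate once. A Jinja comment above the loop, `{# exact match only: inside VRFs may not import or announce subnets of their assigned prefixes, see 3b3e759c #}`, keeps the intent and the commit reference next to the code. Because `office` is one list shared by every non-outside VRF and by both families, any inside VRF that legitimately carves a smaller subnet out of its inventory prefix is now silently dropped here; that matches the subject line, just confirm `vrf_prefixes` holds the prefixes as they are actually announced.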
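Review bot: The new task writes `/etc/resolv.conf` directly, so on a host where systemd-resolved, resolvconf or a DHCP client manages that file the IPv6 nameservers are reverted on the next lease or service restart, and since `template` leaves `follow` off by default a `stub-resolv.conf` symlink is, as I read the module docs, replaced by a regular file rather than reported. Either add a preceding task that disables or masks the competing manager, or at least record the assumption above the task: `# resolv.conf is static on the firewall: no resolved/dhclient rewriting it`. The task sets `mode` but no `owner`/`group`; for a root-owned system file add `owner: root` and `group: root` so a run from a non-root connection user cannot leave it owned by that user.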
diff --git a/templates/resolv.conf.j2 b/templates/resolv.conf.j2
new file mode 100644
index 0000000..feadf5d
--- /dev/null
+++ b/templates/resolv.conf.j2
@@ -0,0 +1,4 @@
+search {{ domain }}
+{% for server in dns6 %}
+nameserver {{ server }}
+{% endfor %}
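Review bot: Nothing fails when `dns6` is empty: the loop renders a resolv.conf with a `search` line and no `nameserver`, and the glibc resolver then quietly falls back to 127.0.0.1, so a missing inventory value becomes a resolution outage instead of a playbook error. `{% for server in dns6 | mandatory %}` catches an undefined variable, and a task-side `assert` with `that: dns6 | length > 0` catches an empty list; one of the two should be there. A one-line header would also help, since the file sits in the shared `templates/` directory while only the firewall role uses it: `{# resolv.conf for the firewall role: IPv6-only nameservers from dns6, so lookups presumably depend on v6 routing being up #}`.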