
nftables: Use sets for iBGP peer IPs

  Remove the Python dictionaries holding the route reflector IPs in favor of
  nftables sets, which for now are static.  As a re-design of the BGP session
  configuration is already planned, the contents of the »ibgp-peers« set will be
  generated in the future.  eBGP sessions will probably be entered as rules into
  the »bgp« chain as well.

Signed-off-by: Maximilian Wilhelm <max@sdn.clinic>
Maximilian Wilhelm пре 2 година
родитељ
комит
c944aae535
1 измењених фајлова са 22 додато и 15 уклоњено
  1. 22 15
      nftables/nftables.conf.tmpl

+ 22 - 15
nftables/nftables.conf.tmpl

@@ -7,17 +7,19 @@
 {%- set admin_access = salt['pillar.get']('firewall:admin_access') %}
 {%- set ssh = salt['pillar.get']("firewall:ssh") %}
 {%- set services = salt['pillar.get']('nodes:' ~ grains['id'] ~ ':services', []) %}
-{#- TODO: Get RR IPs from netbox #}
-{%- set bgp = { 4: { '10.132.255.1' : 'cr01.in.ffho.net',
-                     '10.132.255.2' : 'cr02.in.ffho.net',
-                     '10.132.255.3' : 'cr03.in.ffho.net', },
-                6: { '2a03:2260:2342:ffff::1' : 'cr01.in.ffho.net',
-                     '2a03:2260:2342:ffff::2' : 'cr02.in.ffho.net',
-                     '2a03:2260:2342:ffff::3' : 'cr03.in.ffho.net', }} %}
 
 flush ruleset
 
 table ip filter {
+	set ibgp-peers {
+		type ipv4_addr
+		elements = {
+			10.132.255.1,	# cr01.in.ffho.net
+			10.132.255.2,	# cr02.in.ffho.net
+			10.132.255.3,	# cr03.in.ffho.net
+		}
+	}
+
 	chain input {
 		type filter hook input priority 0; policy drop;
 		iifname "lo" counter accept
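Review bot: The `TODO: Get RR IPs from netbox` comment removed at the top of this hunk has no replacement, even though the commit message says the »ibgp-peers« contents are to be generated later; keeping that intent next to the data would help the next editor, e.g. a first line inside the set `# TODO: generate elements from NetBox; static until the BGP session re-design lands`. The same applies to the ip6 set added in the third hunk. Since the set is declared static, adding `flags constant` to the set definition would make the peer list unmodifiable at runtime without a ruleset reload, if the nft version in use supports it and the planned redesign does not need runtime updates. The set is also defined on every node, while the `bgp` chain that references it only exists when `'router' in roles`; harmless, but it could be wrapped in the same condition.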
@@ -50,10 +52,8 @@ table ip filter {
 
 {%- if 'router' in roles %}
 	chain bgp {
-  {%- for ip in bgp[4].keys()|sort %}
-    {%- set comment = bgp[4][ip] %}
-		ip saddr {{ ip }} counter accept comment "{{ comment }}"
-  {%- endfor %}
+		ip saddr @ibgp-peers counter accept comment "iBGP peers"
+		# TODO: Add external BGP peers, if any
 	}
 {%- endif %}
 
@@ -83,6 +83,15 @@ table ip filter {
 }
 
 table ip6 filter {
+	set ibgp-peers {
+		type ipv6_addr
+		elements = {
+			2a03:2260:2342:ffff::1,	# cr01.in.ffho.net
+			2a03:2260:2342:ffff::2,	# cr02.in.ffho.net
+			2a03:2260:2342:ffff::3,	# cr03.in.ffho.net
+		}
+	}
+
 	chain input {
 		type filter hook input priority 0; policy drop;
 		iifname "lo" counter accept
@@ -116,10 +125,8 @@ table ip6 filter {
 
 {%- if 'router' in roles %}
 	chain bgp {
-  {%- for ip in bgp[6].keys()|sort %}
-    {%- set comment = bgp[6][ip] %}
-		ip6 saddr {{ ip }} counter accept comment "{{ comment }}"
-  {%- endfor %}
+		ip6 saddr @ibgp-peers counter accept comment "iBGP peers"
+		# TODO: Add external BGP peers, if any
 	}
 {%- endif %}