From eab94344814fa67c4dc728ed38c34ef4af1cc033 Mon Sep 17 00:00:00 2001
From: Karl Grube <karl@hudlergrube.com>
Date: Sun, 29 Oct 2023 17:08:46 +0100
Subject: [PATCH] nat router support

---
 defaults/main.yml     |  3 +++
 templates/frr_conf.j2 | 31 ++++++++++++++++++++++++++++---
 2 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 0c2fb58..f2ce726 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -3,6 +3,9 @@
 allow_default_ipv4: False
 allow_default_ipv6: False
 
+firewall4s: []
+nat_neighbors: []
+
 dc_ranges: []
 dc4_ranges: []
 
diff --git a/templates/frr_conf.j2 b/templates/frr_conf.j2
index 86162f3..ef3c4d6 100644
--- a/templates/frr_conf.j2
+++ b/templates/frr_conf.j2
@@ -15,9 +15,24 @@ router bgp {{bgp_asn}}
 {% endfor %}
  neighbor outside peer-group
  neighbor outside remote-as external
+ neighbor nat peer-group
+ neighbor nat remote-as internal
+ neighbor nat bfd
+ neighbor nat capability extended-nexthop
+ neighbor firewall4s peer-group
+ neighbor firewall4s remote-as internal
+ neighbor firewall4s bfd
+ neighbor firewall4s capability extended-nexthop
  neighbor firewalls peer-group
  neighbor firewalls remote-as internal
  neighbor firewalls bfd
+{% for neighbor in firewall4s %}
+{%   if (neighbor|ansible.utils.ipv6) or (neighbor|ansible.utils.ipv4) %}
+ neighbor {{ neighbor }} peer-group firewall4s
+{%   else %}
+ neighbor {{ neighbor }} interface peer-group firewall4s
+{%   endif %}
+{% endfor %}
 {% for neighbor in firewalls %}
 {%   if (neighbor|ansible.utils.ipv6) or (neighbor|ansible.utils.ipv4) %}
  neighbor {{ neighbor }} peer-group firewalls
@@ -25,12 +40,22 @@ router bgp {{bgp_asn}}
  neighbor {{ neighbor }} interface peer-group firewalls
 {%   endif %}
 {% endfor %}
+{% for neighbor in nat_neighbors %}
+{%   if (neighbor|ansible.utils.ipv6) or (neighbor|ansible.utils.ipv4) %}
+ neighbor {{ neighbor }} peer-group nat
+{%   else %}
+ neighbor {{ neighbor }} interface peer-group nat
+{%   endif %}
+{% endfor %}
 !
  address-family ipv4 unicast
   network 0.0.0.0/0
-  neighbor firewalls activate
-  neighbor firewalls prefix-list all out
-  neighbor firewalls prefix-list my-networks in
+  neighbor firewall4s activate
+  neighbor firewall4s prefix-list all out
+  neighbor firewall4s prefix-list my-networks in
+  neighbor nat activate
+  neighbor nat prefix-list all out
+  neighbor nat prefix-list my-networks in
 {% for neighbor in internet_connections %}
 {%   for ip in neighbor.peer_ips %}
 {%     if ip|ansible.utils.ipv4 %}
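Review bot: The three `neighbor firewalls ...` lines under `address-family ipv4 unicast` are removed rather than kept alongside the new `firewall4s` lines, so any host that currently lists IPv4 peers in `firewalls` stops exchanging IPv4 routes with them the next time the role runs; the `firewalls` peer-group itself is still defined in the earlier hunk, so FRR will accept the config and the peers simply never become active in this address family. The commit message ("nat router support") does not mention this, and neither does the defaults hunk, so it reads as an unintended side effect unless `firewalls` is meant to become IPv6-only; presumably its activation under an IPv6 address-family sits outside this hunk. If the split is intended, a one-line Jinja comment before the removed block, `{# "firewalls" is IPv6-only from here on; IPv4 peers go in "firewall4s" #}`, plus a note in the commit message would make the migration explicit; if not, the three `firewalls` lines should stay. The enclosing `address-family ipv4 unicast` block continues past the end of the hunk.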
-- 
GitLab