
#!/bin/bash
# Update /etc/firewall/outbound_whitelist_ipv*.acl from /etc/firewall/outbound_whitelist.acl
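#######################################
# Rebuild one address-family allow-list from the domain whitelist.
# Every non-comment line of the source file is resolved with host(1) and
# each answer is widened to a prefix (see the case arms below); the result
# replaces $out only when it differs, and the delta is printed.
# Arguments:
#   $1 - record type handed to host(1): A (IPv4) or AAAA (IPv6)
#   $2 - output ACL path; the temp file is created beside it so the final
#        mv is a same-filesystem rename
#   $3 - optional source whitelist, default /etc/firewall/outbound_whitelist.acl
# Outputs:
#   stdout: added/removed entries when $out changes
#   stderr: lookup failures and write errors
# Returns: 0 when $out is up to date (changed or unchanged), 1 on error;
#   on error the previous $out is left untouched
#######################################
resolve_hosts() {
  local type="$1" out="$2" src="${3:-/etc/firewall/outbound_whitelist.acl}"
  local tmp

  # Refuse to rebuild from a missing/unreadable source: the previous list
  # stays in force instead of being replaced by a header-only (empty) one.
  if [[ ! -r "$src" ]]; then
    echo "Cannot read $src" >&2
    return 1
  fi
  # Declaration and assignment are separate so a mktemp failure is visible
  # instead of being masked by 'local'.
  tmp=$(mktemp "$out.XXXXXX") || {
    echo "Error writing to $out" >&2
    return 1
  }

  if ! (
    # Without pipefail the subshell's status would be that of the final
    # sort, hiding a failed read of $src.
    set -o pipefail
    echo "# AUTO-GENERATED FROM outbound_whitelist.acl" || exit 1
    # Default IFS trims surrounding whitespace; -r keeps backslashes literal.
    while read -r domain || [[ -n "$domain" ]]; do
      case $domain in
        "#"* | "") ;;
        *)
          # $domain is passed as a positional argument; a whitelist line
          # starting with '-' would presumably be parsed as a host(1)
          # option, so the whitelist must stay admin-controlled.
          # stderr is merged so "not found" answers reach the inner case;
          # '|| true' keeps one failed lookup from aborting the whole list.
          # NOTE: the addresses come from DNS, i.e. from whoever answers for
          # $domain; a validating (DNSSEC) resolver is what makes the
          # resulting allow-list trustworthy.
          (host -t "$type" "$domain" 2>&1 || true) | sort -n | while read -r line; do
            case $line in
              *"not found"*)
                echo "$line" >&2
                ;;
              *"has address"*)
                ip="${line##* }"
                # Aggregation policy: 13.108.0.0/14 as a whole, anything else
                # widened to its /24. Everything inside the widened prefix is
                # allowed, not just the resolved host.
                case $ip in
                  13.108.*) ip="13.108.0.0/14" ;;
                  *) ip="${ip%.*}.0/24" ;;
                esac
                echo "$ip $domain"
                ;;
              *"has IPv6 address"*)
                ip="${line##* }"
                case $ip in
                  2607:f8b0:*) ip="2607:f8b0::/32" ;;
                  *)
                    # Derive the /64 from the uncompressed form. An empty
                    # result (ipv6calc missing or failing) would otherwise
                    # yield "::/64"; report and skip the entry instead.
                    prefix=$(ipv6calc --addr_to_uncompressed "$ip" | cut -d: -f1-4)
                    if [[ -z "$prefix" ]]; then
                      echo "Cannot derive /64 for $ip ($domain), entry skipped" >&2
                      continue
                    fi
                    ip="$prefix::/64"
                    ;;
                esac
                echo "$ip $domain"
                ;;
            esac
          done
          ;;
      esac
    done < "$src" | sort -n -u
  ) > "$tmp"; then
    echo "Error writing to $out" >&2
    rm -f "$tmp"
    return 1
  fi

  if cmp -s "$tmp" "$out"; then
    rm -f "$tmp"
    return 0
  fi
  echo "--- Differences in $(basename "$out"): ---"
  echo
  # Drop diff's ---/+++ file headers and show only changed entries; grep
  # exits 1 when nothing is left, which is not an error here.
  diff -u "$out" "$tmp" | grep -v '^\(+++\|---\)' | grep '^[+-]' || true
  echo
  # $tmp carries mktemp's 0600 mode, so $out ends up owner-readable only;
  # presumably fine since only load_ipset (root) consumes it -- confirm.
  if ! mv -f "$tmp" "$out"; then
    echo "Error writing to $out" >&2
    rm -f "$tmp"
    return 1
  fi
}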
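#######################################
# Load an ACL file into an ipset atomically.
# Entries are added to a scratch set which is then swapped with the live
# set, so the live set is never partially populated. If the scratch set
# cannot be created or any entry fails to load, the live set is left as it
# was and the scratch set is discarded.
# Arguments:
#   $1 - live set name (created as hash:net if absent)
#   $2 - address family: inet or inet6
#   $3 - ACL file, one "<prefix> <comment...>" per line; lines starting
#        with '#' and blank lines are skipped
# Outputs: ipset diagnostics and a summary of failed entries on stderr
# Returns: 0 when the swap happened, 1 otherwise
#######################################
load_ipset() {
  local name="$1" family="$2" file="$3"
  # ipset set names are limited to 31 characters; with a 7-digit PID
  # "outbound-whitelist-ipv6-NNNNNNN" is exactly that, so keep $name short.
  local tmp="$name-$$"
  # The per-line comment must not be read into "name": the loop now runs in
  # this shell, so that would clobber the live set's name before the swap.
  local ip comment failed=0

  if [[ ! -r "$file" ]]; then
    echo "Cannot read $file; $name left unchanged" >&2
    return 1
  fi
  ipset -exist create "$name" hash:net family "$family" counters comment || return 1
  # No -exist here: a leftover scratch set from an interrupted run would be
  # stale and must not be swapped in.
  ipset create "$tmp" hash:net family "$family" counters comment || return 1

  # Read the file directly (not via grep | while) so $failed survives the loop.
  while read -r ip comment || [[ -n "$ip" ]]; do
    case $ip in
      "#"* | "") continue ;;
    esac
    # -exist: the same prefix can appear under several names (e.g. two
    # hosts widened to one /24), which is not an error.
    ipset -exist add "$tmp" "$ip" comment "$comment" || failed=$((failed + 1))
  done < "$file"

  if (( failed > 0 )); then
    echo "$failed entries from $file failed to load; $name left unchanged" >&2
    ipset destroy "$tmp"
    return 1
  fi
  if ! ipset swap "$name" "$tmp"; then
    ipset destroy "$tmp"
    return 1
  fi
  ipset destroy "$tmp"
}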
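# Resolve first, then load: load_ipset consumes the files resolve_hosts
# (re)writes. A failing step is remembered but does not stop the remaining
# steps, and the script exits non-zero so the caller can notice.
status=0
resolve_hosts A /etc/firewall/outbound_whitelist_ipv4.acl || status=1
resolve_hosts AAAA /etc/firewall/outbound_whitelist_ipv6.acl || status=1
load_ipset outbound-whitelist inet /etc/firewall/outbound_whitelist_ipv4.acl || status=1
load_ipset outbound-whitelist-ipv6 inet6 /etc/firewall/outbound_whitelist_ipv6.acl || status=1
exit "$status"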