
This commit is contained in:
Matthew Grotke 2026-06-06 17:14:01 -04:00
parent e37029a066
commit 574a45111d
8 changed files with 164 additions and 110 deletions


@ -417,7 +417,7 @@ def build_nft_config(data, dry_run=False):
L.append(" # Allow each VLAN -> WAN (outbound internet)")
for vlan in vlans:
if vlan.get('restricted_vlan'):
if vlan.get('restricted_vlan') in ('q', 'c'):
continue
L.append(f" iif \"{validation.derive_interface(vlan, data)}\" oif \"{wan}\" accept # {vlan['name']} -> WAN")
L.append("")
@ -425,20 +425,22 @@ def build_nft_config(data, dry_run=False):
if container_bridges:
L.append(" # Allow VLAN -> Docker bridge forwarding")
for vlan in vlans:
if vlan.get('restricted_vlan'):
if vlan.get('restricted_vlan') in ('q', 'c'):
continue
for bridge in container_bridges:
L.append(f" iif \"{validation.derive_interface(vlan, data)}\" oif \"{bridge}\" ct state new accept"
f" # {vlan['name']} -> {bridge}")
L.append("")
restricted = [v for v in vlans if v.get('restricted_vlan')]
if restricted:
L.append(" # Block restricted VLANs -> WAN")
for vlan in restricted:
L.append(f" iif \"{validation.derive_interface(vlan, data)}\" oif \"{wan}\" drop # {vlan['name']} -> WAN (restricted)")
quarantined = [v for v in vlans if v.get('restricted_vlan') == 'q']
if quarantined:
L.append(" # Block quarantined VLANs -> WAN")
for vlan in quarantined:
L.append(f" iif \"{validation.derive_interface(vlan, data)}\" oif \"{wan}\" drop # {vlan['name']} -> WAN (quarantined)")
L.append("")
# TODO: captive portal VLANs ('c') - PREROUTING REDIRECT rules for HTTP/HTTPS + dynamic allow-set
L += [
" # Allow Docker containers -> WAN (outbound internet access)",
f" iif != \"{wan}\" oif \"{wan}\" ct state new accept",
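Review bot: Captive-portal VLANs ('c') now fail open to the WAN: the new code skips them in the per-VLAN accept loop, but the explicit drop list is narrowed to `restricted_vlan == 'q'` only, and the catch-all `iif != "{wan}" oif "{wan}" ct state new accept` that follows matches any non-WAN ingress interface, so a 'c' VLAN with no earlier drop rule is accepted there — the old code dropped every restricted VLAN before this rule. Until the PREROUTING redirect and allow-set in the TODO exist, keep the drop for both modes, e.g. `blocked = [v for v in vlans if v.get('restricted_vlan') in ('q', 'c')]` with the comment `# Block quarantined/captive VLANs -> WAN (captive-portal redirect not yet implemented)`. The same rule also exposes any VLAN whose `restricted_vlan` holds a legacy truthy value other than 'q'/'c' (an older `True` flag would previously have been dropped and now gets the per-VLAN accept); treating unknown truthy values as 'q' here, or rejecting them in validation, would close that gap. build_nft_config starts before this hunk and its body continues after it.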


@ -850,7 +850,7 @@ def validate_config(data):
try:
nat_addr = ipaddress.IPv4Address(nat_ip_str)
for v in _all_vlans:
if not v.get("restricted_vlan"):
if v.get("restricted_vlan") not in ('q', 'c'):
continue
try:
vnet = ipaddress.IPv4Network(f"{v['subnet']}/{v['subnet_mask']}", strict=False)
@ -860,7 +860,7 @@ def validate_config(data):
errors.append(
f"Port forwarding rule '{desc}' is enabled but its destination "
f"({nat_ip_str}) is on restricted VLAN '{v['name']}'. "
f"Disable the rule or remove the restricted_vlan flag."
f"Disable the rule or clear the VLAN restriction setting."
)
break
except Exception:
@ -959,7 +959,7 @@ def check_portfwd_restricted_vlan(nat_ip, vlans):
except Exception:
return None
for v in vlans:
if not v.get('restricted_vlan'):
if v.get('restricted_vlan') not in ('q', 'c'):
continue
try:
net = ipaddress.IPv4Network(f"{v['subnet']}/{v['subnet_mask']}", strict=False)
@ -976,7 +976,7 @@ def disable_portfwd_on_restricted_vlans(data):
Mutates data in place. Returns list of descriptions of rules that were disabled."""
restricted_nets = []
for v in data.get('vlans', []):
if v.get('restricted_vlan'):
if v.get('restricted_vlan') in ('q', 'c'):
try:
restricted_nets.append(ipaddress.IPv4Network(f"{v['subnet']}/{v['subnet_mask']}", strict=False))
except Exception:
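Review bot: None of these checks validates the value of `restricted_vlan` itself, so a config carrying anything other than 'q' or 'c' — a pre-migration boolean `True`, or a typo such as 'Q' — is silently treated as unrestricted by `validate_config`, `check_portfwd_restricted_vlan` and `disable_portfwd_on_restricted_vlans` alike, and the port-forwarding guard they implement fails open. validate_config should reject unknown values up front, e.g. `if v.get('restricted_vlan') not in (None, '', 'q', 'c'): errors.append(f"VLAN '{v['name']}' has unknown restricted_vlan value {v.get('restricted_vlan')!r}; expected 'q' or 'c'.")`, so the enum is enforced once rather than assumed in every consumer. The literal `('q', 'c')` is now repeated in at least four places in this file; a module-level `RESTRICTED_VLAN_MODES = ('q', 'c')` referenced by all of them would keep the next mode addition from missing one. validate_config and the two helpers each start outside their hunks, so only the changed conditions are visible here.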