Development

routlin/mod_validation.py

@@ -952,6 +952,25 @@ def validate_config(data):
     return errors
 
 
+def check_portfwd_restricted_vlan(nat_ip, vlans):
+    """Return an error string if nat_ip falls within a restricted VLAN's subnet, else None."""
+    try:
+        addr = ipaddress.IPv4Address(nat_ip)
+    except Exception:
+        return None
+    for v in vlans:
+        if not v.get('restricted_vlan'):
+            continue
+        try:
+            net = ipaddress.IPv4Network(f"{v['subnet']}/{v['subnet_mask']}", strict=False)
+        except Exception:
+            continue
+        if addr in net:
+            return (f"NAT IP '{nat_ip}' is on restricted VLAN '{v['name']}'. "
+                    f"Port forwarding to restricted VLANs is not permitted.")
+    return None
+
+
 def disable_portfwd_on_restricted_vlans(data):
     """Auto-disable enabled port forwarding rules whose nat_ip falls within a restricted VLAN's subnet.
     Mutates data in place. Returns list of descriptions of rules that were disabled."""