mgrotke/linuxrouter
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
linuxrouter/docker/routlin-dash/app/pages/networklayout/action.py
Matthew Grotke 33b639a353 Development
2026-05-29 22:53:20 -04:00

480 lines
20 KiB
Python
Raw Blame History

from pathlib import Path
import copy
import ipaddress
import json
from flask import Blueprint, request, redirect, flash
from auth import require_level
from config_utils import load_config, save_config_with_snapshot, verify_config_hash
import sanitize
import validation as validate
_PAGE = Path(__file__).parent.name
bp = Blueprint(_PAGE, __name__)
_VLAN_FIELDS = ['name', 'vlan_id', 'is_vpn', 'subnet', 'subnet_mask', 'dnsmasq_log_queries',
'radius_default', 'mdns_reflection', 'use_blocklists']
def _row_index():
try:
return int(request.form.get('row_index', ''))
except (ValueError, TypeError):
return None
def _hash_ok():
if not verify_config_hash(request.form.get('config_hash', '')):
flash('Configuration was modified by another session. Please refresh and try again.', 'error')
return False
return True
@bp.route('/action/networklayout/addvlan_add', methods=['POST'])
@require_level('administrator')
def addvlan_add():
name = sanitize.name(request.form.get('name', ''))
vlan_id = sanitize.vlan_id(request.form.get('vlan_id', ''))
is_vpn = 'is_vpn' in request.form
subnet = sanitize.ip(request.form.get('subnet', ''))
subnet_mask = sanitize.subnet_mask(request.form.get('subnet_mask', ''))
radius_default = 'radius_default' in request.form
mdns_reflection = 'mdns_reflection' in request.form
dnsmasq_log_queries = 'dnsmasq_log_queries' in request.form
use_blocklists = sanitize.filterlist(
request.form.getlist('use_blocklists'),
{b.get('name') for b in load_config().get('dns_blocking', {}).get('blocklists', [])},
)
if not name:
flash('Name is required.', 'error')
return redirect(f'/{_PAGE}')
if vlan_id is None:
flash('VLAN ID must be an integer between 1 and 4094.', 'error')
return redirect(f'/{_PAGE}')
if not subnet:
flash('Subnet IP is required.', 'error')
return redirect(f'/{_PAGE}')
if subnet_mask is None:
flash('Invalid subnet prefix (must be 1-30).', 'error')
return redirect(f'/{_PAGE}')
if is_vpn and mdns_reflection:
flash('mDNS reflection is not supported on VPN VLANs.', 'error')
return redirect(f'/{_PAGE}')
_vlan_net = ipaddress.IPv4Network(f'{subnet}/{subnet_mask}', strict=False)
if ipaddress.IPv4Address(subnet) != _vlan_net.network_address:
flash(f"Subnet IP must be a network address (expected {_vlan_net.network_address}).", 'error')
return redirect(f'/{_PAGE}')
if not _hash_ok():
return redirect(f'/{_PAGE}')
server_identities_raw = request.form.get('server_identities', '[]')
try:
raw_identities = json.loads(server_identities_raw)
if not isinstance(raw_identities, list):
raise ValueError
except (ValueError, TypeError):
flash('Invalid identity data.', 'error')
return redirect(f'/{_PAGE}')
new_identities = []
for raw in raw_identities:
ip_clean = sanitize.ip(str(raw.get('ip', '')))
if not ip_clean:
flash('Invalid IP address in identity.', 'error')
return redirect(f'/{_PAGE}')
_addr = ipaddress.IPv4Address(ip_clean)
if _addr not in _vlan_net:
flash(f"Identity IP '{ip_clean}' is not in the VLAN subnet ({subnet}/{subnet_mask}).", 'error')
return redirect(f'/{_PAGE}')
if _addr == _vlan_net.network_address or _addr == _vlan_net.broadcast_address:
flash(f"Identity IP '{ip_clean}' cannot be the network or broadcast address.", 'error')
return redirect(f'/{_PAGE}')
ident = {'ip': ip_clean}
desc = str(raw.get('description', '')).strip()
if desc:
ident['description'] = desc
hostname_raw = str(raw.get('hostname', '')).strip()
if hostname_raw:
clean_hostname = sanitize.hostname(hostname_raw)
if clean_hostname is None:
flash(f"'{hostname_raw}' is not a valid hostname.", 'error')
return redirect(f'/{_PAGE}')
ident['hostname'] = clean_hostname
new_identities.append(ident)
identity_ips = [ident['ip'] for ident in new_identities]
gateway_raw = sanitize.ip(request.form.get('gateway', ''))
if gateway_raw and gateway_raw not in identity_ips:
flash(f"Gateway '{gateway_raw}' must match one of the server identity IPs.", 'error')
return redirect(f'/{_PAGE}')
inferred_gw = (min(identity_ips, key=lambda ip: int(ip.split('.')[-1])) if identity_ips else '')
new_stored_gw = gateway_raw if (gateway_raw and gateway_raw != inferred_gw) else ''
dns_override = 'dns_server_override' in request.form
dns_ips = []
for _line in request.form.get('dns_server', '').splitlines():
_line = _line.strip()
if not _line:
continue
_clean = sanitize.ip(_line)
if not _clean:
flash(f"'{_line}' is not a valid DNS server IP.", 'error')
return redirect(f'/{_PAGE}')
dns_ips.append(_clean)
if dns_override and dns_ips:
for _ip in dns_ips:
if ipaddress.IPv4Address(_ip) not in _vlan_net:
flash(f"DNS server '{_ip}' is not in the VLAN subnet ({subnet}/{subnet_mask}).", 'error')
return redirect(f'/{_PAGE}')
new_stored_dns = dns_ips if dns_override else []
ntp_override = 'ntp_server_override' in request.form
ntp_ips = []
for _line in request.form.get('ntp_server', '').splitlines():
_line = _line.strip()
if not _line:
continue
_clean = sanitize.ip(_line)
if not _clean:
flash(f"'{_line}' is not a valid NTP server IP.", 'error')
return redirect(f'/{_PAGE}')
ntp_ips.append(_clean)
if ntp_override and ntp_ips:
for _ip in ntp_ips:
if ipaddress.IPv4Address(_ip) not in _vlan_net:
flash(f"NTP server '{_ip}' is not in the VLAN subnet ({subnet}/{subnet_mask}).", 'error')
return redirect(f'/{_PAGE}')
new_stored_ntp = ntp_ips if ntp_override else []
dhcp_domain_raw = request.form.get('dhcp_domain', '').strip()
dhcp_domain = sanitize.hostname(dhcp_domain_raw) if dhcp_domain_raw else 'local'
if dhcp_domain_raw and dhcp_domain is None:
flash(f"'{dhcp_domain_raw}' is not a valid domain name.", 'error')
return redirect(f'/{_PAGE}')
cfg = load_config()
vlans = cfg.setdefault('vlans', [])
if any(v.get('vlan_id') == vlan_id for v in vlans):
flash(f'VLAN ID {vlan_id} is already in use.', 'error')
return redirect(f'/{_PAGE}')
if radius_default and any(v.get('radius_default') for v in vlans):
flash('Only one VLAN can be the RADIUS default.', 'error')
return redirect(f'/{_PAGE}')
dhcp_info = {}
if dhcp_domain and dhcp_domain != 'local':
dhcp_info['domain'] = dhcp_domain
dhcp_overrides = {}
if new_stored_gw:
dhcp_overrides['gateway'] = new_stored_gw
if new_stored_dns:
dhcp_overrides['dns_server'] = new_stored_dns
if new_stored_ntp:
dhcp_overrides['ntp_server'] = new_stored_ntp
if dhcp_overrides:
dhcp_info['explicit_overrides'] = dhcp_overrides
entry = {
'name': name,
'vlan_id': vlan_id,
'is_vpn': is_vpn,
'subnet': subnet,
'subnet_mask': subnet_mask,
'dnsmasq_log_queries': dnsmasq_log_queries,
'use_blocklists': use_blocklists,
'radius_default': radius_default,
'mdns_reflection': mdns_reflection,
'server_identities': new_identities,
}
if dhcp_info:
entry['dhcp_information'] = dhcp_info
if is_vpn:
entry['peers'] = []
else:
entry['reservations'] = []
vlans.append(entry)
errors = validate.validate_config(cfg)
if errors:
for msg in errors:
flash(msg, 'error')
return redirect(f'/{_PAGE}')
flash(save_config_with_snapshot(
cfg,
path='vlans', key=name, operation='add',
before=None, after={k: entry[k] for k in _VLAN_FIELDS if k in entry},
description=f'Added VLAN: {name} ({subnet}/{subnet_mask})',
), 'success')
return redirect(f'/{_PAGE}')
@bp.route('/action/networklayout/vlans_edit', methods=['POST'])
@require_level('administrator')
def vlans_edit():
idx = _row_index()
if idx is None:
flash('Invalid request.', 'error')
return redirect(f'/{_PAGE}')
name = sanitize.name(request.form.get('name', ''))
vlan_id = sanitize.vlan_id(request.form.get('vlan_id', ''))
subnet = sanitize.ip(request.form.get('subnet', ''))
radius_default = 'radius_default' in request.form
mdns_reflection = 'mdns_reflection' in request.form
dnsmasq_log_queries = 'dnsmasq_log_queries' in request.form
use_blocklists = sanitize.filterlist(
request.form.getlist('use_blocklists'),
{b.get('name') for b in load_config().get('dns_blocking', {}).get('blocklists', [])},
)
identity_ips_raw = [line.strip() for line in request.form.get('server_identity_ips', '').splitlines() if line.strip()]
identity_ips = []
for raw_ip in identity_ips_raw:
clean = sanitize.ip(raw_ip)
if not clean:
flash(f"'{raw_ip}' is not a valid IP address.", 'error')
return redirect(f'/{_PAGE}')
identity_ips.append(clean)
identity_descs = request.form.get('server_identity_descriptions', '').splitlines()
identity_hostnames = request.form.get('server_identity_hostnames', '').splitlines()
subnet_mask_raw = request.form.get('subnet_mask')
if subnet_mask_raw is not None:
subnet_mask = sanitize.subnet_mask(subnet_mask_raw)
if subnet_mask is None:
flash('Invalid subnet prefix (must be 1-30).', 'error')
return redirect(f'/{_PAGE}')
else:
subnet_mask = None
if not name:
flash('Name is required.', 'error')
return redirect(f'/{_PAGE}')
if vlan_id is None:
flash('VLAN ID must be an integer between 1 and 4094.', 'error')
return redirect(f'/{_PAGE}')
if not subnet:
flash('Subnet IP is required.', 'error')
return redirect(f'/{_PAGE}')
if not _hash_ok():
return redirect(f'/{_PAGE}')
cfg = load_config()
vlans = cfg.get('vlans', [])
if idx < 0 or idx >= len(vlans):
flash('VLAN not found.', 'error')
return redirect(f'/{_PAGE}')
existing = vlans[idx]
is_vpn = existing.get('is_vpn', False)
final_mask = subnet_mask if subnet_mask is not None else existing.get('subnet_mask', 24)
if is_vpn and mdns_reflection:
flash('mDNS reflection is not supported on VPN VLANs.', 'error')
return redirect(f'/{_PAGE}')
if identity_ips:
_vlan_net = ipaddress.IPv4Network(f'{subnet}/{final_mask}', strict=False)
for _ip in identity_ips:
_addr = ipaddress.IPv4Address(_ip)
if _addr not in _vlan_net:
flash(f"Server identity IP '{_ip}' is not in the VLAN subnet ({subnet}/{final_mask}).", 'error')
return redirect(f'/{_PAGE}')
if _addr == _vlan_net.network_address or _addr == _vlan_net.broadcast_address:
flash(f"Server identity IP '{_ip}' cannot be the network or broadcast address.", 'error')
return redirect(f'/{_PAGE}')
current_id = existing.get('vlan_id')
if current_id == 1 and vlan_id != 1:
flash('VLAN 1 is the physical interface and cannot change its ID.', 'error')
return redirect(f'/{_PAGE}')
if vlan_id != current_id and any(v.get('vlan_id') == vlan_id for i, v in enumerate(vlans) if i != idx):
flash(f'VLAN ID {vlan_id} is already in use.', 'error')
return redirect(f'/{_PAGE}')
if radius_default and any(i != idx and v.get('radius_default') for i, v in enumerate(vlans)):
flash('Only one VLAN can be the RADIUS default.', 'error')
return redirect(f'/{_PAGE}')
old_identities = existing.get('server_identities', [])
new_identities = []
for i, ip in enumerate(identity_ips):
entry = dict(old_identities[i]) if i < len(old_identities) else {}
entry['ip'] = ip
desc = identity_descs[i].strip() if i < len(identity_descs) else ''
if desc:
entry['description'] = desc
else:
entry.pop('description', None)
hostname_raw = identity_hostnames[i].strip() if i < len(identity_hostnames) else ''
if hostname_raw:
clean_hostname = sanitize.hostname(hostname_raw)
if clean_hostname is None:
flash(f"'{hostname_raw}' is not a valid hostname.", 'error')
return redirect(f'/{_PAGE}')
entry['hostname'] = clean_hostname
else:
entry.pop('hostname', None)
new_identities.append(entry)
gateway_raw = sanitize.ip(request.form.get('gateway', ''))
if gateway_raw and gateway_raw not in identity_ips:
flash(f"Gateway '{gateway_raw}' must match one of the server identity IPs.", 'error')
return redirect(f'/{_PAGE}')
inferred_gw = (min(identity_ips, key=lambda ip: int(ip.split('.')[-1]))
if identity_ips else '')
new_stored_gw = gateway_raw if (gateway_raw and gateway_raw != inferred_gw) else ''
existing_gw = existing.get('dhcp_information', {}).get('explicit_overrides', {}).get('gateway', '')
dns_override = 'dns_server_override' in request.form
dns_ips = []
for _line in request.form.get('dns_server', '').splitlines():
_line = _line.strip()
if not _line:
continue
_clean = sanitize.ip(_line)
if not _clean:
flash(f"'{_line}' is not a valid DNS server IP.", 'error')
return redirect(f'/{_PAGE}')
dns_ips.append(_clean)
if dns_override and not dns_ips:
flash('At least one DNS server IP is required when override is enabled.', 'error')
return redirect(f'/{_PAGE}')
if dns_override and dns_ips:
_vlan_net = ipaddress.IPv4Network(f'{subnet}/{final_mask}', strict=False)
for _ip in dns_ips:
if ipaddress.IPv4Address(_ip) not in _vlan_net:
flash(f"DNS server '{_ip}' is not in the VLAN subnet ({subnet}/{final_mask}).", 'error')
return redirect(f'/{_PAGE}')
new_stored_dns = dns_ips if dns_override else []
_existing_dns = existing.get('dhcp_information', {}).get('explicit_overrides', {}).get('dns_server', [])
existing_dns = _existing_dns if isinstance(_existing_dns, list) else ([_existing_dns] if _existing_dns else [])
ntp_override = 'ntp_server_override' in request.form
ntp_ips = []
for _line in request.form.get('ntp_server', '').splitlines():
_line = _line.strip()
if not _line:
continue
_clean = sanitize.ip(_line)
if not _clean:
flash(f"'{_line}' is not a valid NTP server IP.", 'error')
return redirect(f'/{_PAGE}')
ntp_ips.append(_clean)
if ntp_override and not ntp_ips:
flash('At least one NTP server IP is required when override is enabled.', 'error')
return redirect(f'/{_PAGE}')
if ntp_override and ntp_ips:
_vlan_net = ipaddress.IPv4Network(f'{subnet}/{final_mask}', strict=False)
for _ip in ntp_ips:
if ipaddress.IPv4Address(_ip) not in _vlan_net:
flash(f"NTP server '{_ip}' is not in the VLAN subnet ({subnet}/{final_mask}).", 'error')
return redirect(f'/{_PAGE}')
new_stored_ntp = ntp_ips if ntp_override else []
_existing_ntp = existing.get('dhcp_information', {}).get('explicit_overrides', {}).get('ntp_server', [])
existing_ntp = _existing_ntp if isinstance(_existing_ntp, list) else ([_existing_ntp] if _existing_ntp else [])
_ids_unchanged = (
len(new_identities) == len(old_identities) and
all(
n.get('ip') == o.get('ip') and
n.get('description', '') == o.get('description', '') and
n.get('hostname', '') == o.get('hostname', '')
for n, o in zip(new_identities, old_identities)
)
)
if (name == existing.get('name', '')
and vlan_id == existing.get('vlan_id')
and subnet == existing.get('subnet', '')
and final_mask == existing.get('subnet_mask', 24)
and dnsmasq_log_queries == bool(existing.get('dnsmasq_log_queries', False))
and radius_default == bool(existing.get('radius_default', False))
and mdns_reflection == bool(existing.get('mdns_reflection', False))
and sorted(use_blocklists) == sorted(existing.get('use_blocklists', []))
and _ids_unchanged
and new_stored_gw == existing_gw
and new_stored_dns == existing_dns
and new_stored_ntp == existing_ntp):
flash('No changes were made.', 'info')
return redirect(f'/{_PAGE}')
before = {k: existing.get(k) for k in _VLAN_FIELDS}
existing.update({
'name': name,
'vlan_id': vlan_id,
'is_vpn': is_vpn,
'subnet': subnet,
'subnet_mask': final_mask,
'dnsmasq_log_queries': dnsmasq_log_queries,
'radius_default': radius_default,
'mdns_reflection': mdns_reflection,
'use_blocklists': use_blocklists,
'server_identities': new_identities,
})
dhcp_overrides = existing.setdefault('dhcp_information', {}).setdefault('explicit_overrides', {})
if new_stored_gw:
dhcp_overrides['gateway'] = new_stored_gw
else:
dhcp_overrides.pop('gateway', None)
if new_stored_dns:
dhcp_overrides['dns_server'] = new_stored_dns
else:
dhcp_overrides.pop('dns_server', None)
if new_stored_ntp:
dhcp_overrides['ntp_server'] = new_stored_ntp
else:
dhcp_overrides.pop('ntp_server', None)
if not dhcp_overrides:
existing.get('dhcp_information', {}).pop('explicit_overrides', None)
errors = validate.validate_config(cfg)
if errors:
for msg in errors:
flash(msg, 'error')
return redirect(f'/{_PAGE}')
flash(save_config_with_snapshot(
cfg,
path='vlans', key=name, operation='edit',
before=before, after={k: existing.get(k) for k in _VLAN_FIELDS},
description=f'Edited VLAN: {name}',
), 'success')
return redirect(f'/{_PAGE}')
@bp.route('/action/networklayout/vlans_delete', methods=['POST'])
@require_level('administrator')
def vlans_delete():
idx = _row_index()
if idx is None:
flash('Invalid request.', 'error')
return redirect(f'/{_PAGE}')
if not _hash_ok():
return redirect(f'/{_PAGE}')
cfg = load_config()
vlans = cfg.get('vlans', [])
if idx < 0 or idx >= len(vlans):
flash('VLAN not found.', 'error')
return redirect(f'/{_PAGE}')
removed = vlans.pop(idx)
errors = validate.validate_config(cfg)
if errors:
for msg in errors:
flash(msg, 'error')
return redirect(f'/{_PAGE}')
flash(save_config_with_snapshot(
cfg,
path='vlans', key=removed['name'], operation='delete',
before={k: removed.get(k) for k in _VLAN_FIELDS},
after=None,
description=f'Deleted VLAN: {removed["name"]}',
), 'success')
return redirect(f'/{_PAGE}')
Reference in a new issue View git blame Copy permalink