213 lines
7.4 KiB
Python
213 lines
7.4 KiB
Python
from pathlib import Path
|
|
import copy
|
|
|
|
from flask import Blueprint, request, redirect, flash
|
|
from auth import require_level
|
|
from config_utils import load_config, record_group, diff_fields, verify_config_hash
|
|
import sanitize
|
|
import mod_validation as validate
|
|
|
|
_PAGE = Path(__file__).parent.name
|
|
|
|
bp = Blueprint(_PAGE, __name__)
|
|
|
|
_VALID_PROTOS_STR = ', '.join(sorted(validate.VALID_PROTOCOLS))
|
|
|
|
|
|
def _row_index():
|
|
try:
|
|
return int(request.form.get('row_index', ''))
|
|
except (ValueError, TypeError):
|
|
return None
|
|
|
|
|
|
def _hash_ok():
|
|
if not verify_config_hash(request.form.get('config_hash', '')):
|
|
flash('Configuration was modified by another session. Please refresh and try again.', 'error')
|
|
return False
|
|
return True
|
|
|
|
|
|
def _parse_entry():
|
|
description = sanitize.text(request.form.get('description', ''))
|
|
protocol = sanitize.filtervalue(request.form.get('protocol', ''), validate.VALID_PROTOCOLS)
|
|
dest_port_raw = request.form.get('dest_port', '').strip()
|
|
nat_ip_raw = request.form.get('nat_ip', '').strip()
|
|
nat_port_raw = request.form.get('nat_port', '').strip()
|
|
|
|
if not protocol:
|
|
flash(f'The configuration has not been saved because the protocol is invalid. '
|
|
f'Accepted values: {_VALID_PROTOS_STR}.', 'error')
|
|
return None, True
|
|
|
|
if not dest_port_raw:
|
|
flash('The configuration has not been saved because the external port is required.', 'error')
|
|
return None, True
|
|
dest_port = validate.port(dest_port_raw)
|
|
if not dest_port:
|
|
flash(f'The configuration has not been saved because "{dest_port_raw}" is not a valid port number (1-65535).', 'error')
|
|
return None, True
|
|
|
|
if not nat_ip_raw:
|
|
flash('The configuration has not been saved because the NAT IP address is required.', 'error')
|
|
return None, True
|
|
nat_ip = validate.ip(nat_ip_raw)
|
|
if not nat_ip:
|
|
flash(f'The configuration has not been saved because "{nat_ip_raw}" is not a valid IP address.', 'error')
|
|
return None, True
|
|
|
|
if not nat_port_raw:
|
|
flash('The configuration has not been saved because the NAT port is required.', 'error')
|
|
return None, True
|
|
nat_port = validate.port(nat_port_raw)
|
|
if not nat_port:
|
|
flash(f'The configuration has not been saved because "{nat_port_raw}" is not a valid port number (1-65535).', 'error')
|
|
return None, True
|
|
|
|
return {
|
|
'description': description,
|
|
'protocol': protocol,
|
|
'dest_port': dest_port,
|
|
'nat_ip': nat_ip,
|
|
'nat_port': nat_port,
|
|
'enabled': True,
|
|
}, None
|
|
|
|
|
|
@bp.route('/action/portforwarding/addrule_add', methods=['POST'])
|
|
@require_level('administrator')
|
|
def addrule_add():
|
|
entry, err = _parse_entry()
|
|
if err:
|
|
return redirect(f'/{_PAGE}')
|
|
if not _hash_ok():
|
|
return redirect(f'/{_PAGE}')
|
|
|
|
cfg = load_config()
|
|
err = validate.check_portfwd_restricted_vlan(entry['nat_ip'], cfg.get('vlans', []))
|
|
if err:
|
|
flash(err, 'error')
|
|
return redirect(f'/{_PAGE}')
|
|
cfg.setdefault('port_forwarding', []).append(entry)
|
|
for desc in validate.disable_portfwd_on_restricted_vlans(cfg):
|
|
flash(f"Port forwarding rule '{desc}' was disabled because its destination is on a restricted VLAN.", 'info')
|
|
errors = validate.validate_config(cfg)
|
|
if errors:
|
|
for msg in errors:
|
|
flash(msg, 'error')
|
|
return redirect(f'/{_PAGE}')
|
|
|
|
dest_port = entry.get('dest_port', '')
|
|
changes = diff_fields(None, entry)
|
|
flash(record_group(cfg, 'port_forwarding', 'dest_port', dest_port, changes, 'core apply'), 'success')
|
|
return redirect(f'/{_PAGE}')
|
|
|
|
|
|
@bp.route('/action/portforwarding/rules_toggle', methods=['POST'])
|
|
@require_level('administrator')
|
|
def rules_toggle():
|
|
idx = _row_index()
|
|
if idx is None:
|
|
flash('Invalid request.', 'error')
|
|
return redirect(f'/{_PAGE}')
|
|
if not _hash_ok():
|
|
return redirect(f'/{_PAGE}')
|
|
|
|
cfg = load_config()
|
|
items = cfg.get('port_forwarding', [])
|
|
if idx < 0 or idx >= len(items):
|
|
flash('Entry not found.', 'error')
|
|
return redirect(f'/{_PAGE}')
|
|
|
|
old_enabled = items[idx].get('enabled', True)
|
|
new_enabled = not old_enabled
|
|
if new_enabled:
|
|
err = validate.check_portfwd_restricted_vlan(items[idx].get('nat_ip', ''), cfg.get('vlans', []))
|
|
if err:
|
|
flash(err, 'error')
|
|
return redirect(f'/{_PAGE}')
|
|
before = copy.deepcopy(items[idx])
|
|
items[idx]['enabled'] = new_enabled
|
|
for desc in validate.disable_portfwd_on_restricted_vlans(cfg):
|
|
flash(f"Port forwarding rule '{desc}' was disabled because its destination is on a restricted VLAN.", 'info')
|
|
errors = validate.validate_config(cfg)
|
|
if errors:
|
|
for msg in errors:
|
|
flash(msg, 'error')
|
|
return redirect(f'/{_PAGE}')
|
|
|
|
dest_port = items[idx].get('dest_port', '')
|
|
changes = diff_fields(before, items[idx])
|
|
flash(record_group(cfg, 'port_forwarding', 'dest_port', dest_port, changes, 'core apply'), 'success')
|
|
return redirect(f'/{_PAGE}')
|
|
|
|
|
|
@bp.route('/action/portforwarding/rules_edit', methods=['POST'])
|
|
@require_level('administrator')
|
|
def rules_edit():
|
|
idx = _row_index()
|
|
if idx is None:
|
|
flash('Invalid request.', 'error')
|
|
return redirect(f'/{_PAGE}')
|
|
|
|
entry, err = _parse_entry()
|
|
if err:
|
|
return redirect(f'/{_PAGE}')
|
|
if not _hash_ok():
|
|
return redirect(f'/{_PAGE}')
|
|
|
|
cfg = load_config()
|
|
items = cfg.get('port_forwarding', [])
|
|
if idx < 0 or idx >= len(items):
|
|
flash('Entry not found.', 'error')
|
|
return redirect(f'/{_PAGE}')
|
|
|
|
if request.form.get('enabled') == 'on':
|
|
err = validate.check_portfwd_restricted_vlan(entry['nat_ip'], cfg.get('vlans', []))
|
|
if err:
|
|
flash(err, 'error')
|
|
return redirect(f'/{_PAGE}')
|
|
before = copy.deepcopy(items[idx])
|
|
items[idx] = entry
|
|
items[idx]['enabled'] = request.form.get('enabled') == 'on'
|
|
for desc in validate.disable_portfwd_on_restricted_vlans(cfg):
|
|
flash(f"Port forwarding rule '{desc}' was disabled because its destination is on a restricted VLAN.", 'info')
|
|
errors = validate.validate_config(cfg)
|
|
if errors:
|
|
for msg in errors:
|
|
flash(msg, 'error')
|
|
return redirect(f'/{_PAGE}')
|
|
|
|
dest_port = items[idx].get('dest_port', '')
|
|
changes = diff_fields(before, items[idx])
|
|
flash(record_group(cfg, 'port_forwarding', 'dest_port', dest_port, changes, 'core apply'), 'success')
|
|
return redirect(f'/{_PAGE}')
|
|
|
|
|
|
@bp.route('/action/portforwarding/rules_delete', methods=['POST'])
|
|
@require_level('administrator')
|
|
def rules_delete():
|
|
idx = _row_index()
|
|
if idx is None:
|
|
flash('Invalid request.', 'error')
|
|
return redirect(f'/{_PAGE}')
|
|
if not _hash_ok():
|
|
return redirect(f'/{_PAGE}')
|
|
|
|
cfg = load_config()
|
|
items = cfg.get('port_forwarding', [])
|
|
if idx < 0 or idx >= len(items):
|
|
flash('Entry not found.', 'error')
|
|
return redirect(f'/{_PAGE}')
|
|
|
|
removed = items.pop(idx)
|
|
errors = validate.validate_config(cfg)
|
|
if errors:
|
|
for msg in errors:
|
|
flash(msg, 'error')
|
|
return redirect(f'/{_PAGE}')
|
|
|
|
dest_port = removed.get('dest_port', '')
|
|
changes = diff_fields(removed, None)
|
|
flash(record_group(cfg, 'port_forwarding', 'dest_port', dest_port, changes, 'core apply'), 'success')
|
|
return redirect(f'/{_PAGE}')
|