Development

routlin/mod_nftables.py

@@ -417,7 +417,7 @@ def build_nft_config(data, dry_run=False):
 
     L.append("        # Allow each VLAN -> WAN (outbound internet)")
     for vlan in vlans:
-        if vlan.get('restricted_vlan'):
+        if vlan.get('restricted_vlan') in ('q', 'c'):
             continue
         L.append(f"        iif \"{validation.derive_interface(vlan, data)}\" oif \"{wan}\" accept  # {vlan['name']} -> WAN")
     L.append("")
@@ -425,20 +425,22 @@ def build_nft_config(data, dry_run=False):
     if container_bridges:
         L.append("        # Allow VLAN -> Docker bridge forwarding")
         for vlan in vlans:
-            if vlan.get('restricted_vlan'):
+            if vlan.get('restricted_vlan') in ('q', 'c'):
                 continue
             for bridge in container_bridges:
                 L.append(f"        iif \"{validation.derive_interface(vlan, data)}\" oif \"{bridge}\" ct state new accept"
                          f"  # {vlan['name']} -> {bridge}")
         L.append("")
 
-    restricted = [v for v in vlans if v.get('restricted_vlan')]
-    if restricted:
-        L.append("        # Block restricted VLANs -> WAN")
-        for vlan in restricted:
-            L.append(f"        iif \"{validation.derive_interface(vlan, data)}\" oif \"{wan}\" drop  # {vlan['name']} -> WAN (restricted)")
+    quarantined = [v for v in vlans if v.get('restricted_vlan') == 'q']
+    if quarantined:
+        L.append("        # Block quarantined VLANs -> WAN")
+        for vlan in quarantined:
+            L.append(f"        iif \"{validation.derive_interface(vlan, data)}\" oif \"{wan}\" drop  # {vlan['name']} -> WAN (quarantined)")
         L.append("")
 
+    # TODO: captive portal VLANs ('c') - PREROUTING REDIRECT rules for HTTP/HTTPS + dynamic allow-set
+
     L += [
         "        # Allow Docker containers -> WAN (outbound internet access)",
         f"        iif != \"{wan}\" oif \"{wan}\" ct state new accept",