mgrotke/linuxrouter
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Development

Browse source
This commit is contained in:
Matthew Grotke 2026-05-27 20:56:30 -04:00
parent d8d1d46fd2
commit eed1d295dc
69 changed files with 3355 additions and 3230 deletions
Download patch file Download diff file Expand all files Collapse all files

0
docker/routlin-dash/app/pages/networklayout/__init__.py Normal file
View file

360
docker/routlin-dash/app/pages/networklayout/action.py Normal file
View file

@ -0,0 +1,360 @@
import copy
import ipaddress
from flask import Blueprint, request, redirect, flash
from auth import require_level
from config_utils import load_config, save_config_with_snapshot, verify_config_hash
import sanitize
import validation as validate
bp = Blueprint('networklayout', __name__)
VIEW = '/view/view_networklayout'
_VLAN_FIELDS = ['name', 'vlan_id', 'is_vpn', 'subnet', 'subnet_mask', 'dnsmasq_log_queries',
'radius_default', 'mdns_reflection', 'use_blocklists']
def _row_index():
try:
return int(request.form.get('row_index', ''))
except (ValueError, TypeError):
return None
def _hash_ok():
if not verify_config_hash(request.form.get('config_hash', '')):
flash('Configuration was modified by another session. Please refresh and try again.', 'error')
return False
return True
@bp.route('/action/networklayout_cardaddvlan_addvlan', methods=['POST'])
@require_level('administrator')
def networklayout_cardaddvlan_addvlan():
name = sanitize.name(request.form.get('name', ''))
vlan_id = sanitize.vlan_id(request.form.get('vlan_id', ''))
is_vpn = 'is_vpn' in request.form
subnet = sanitize.ip(request.form.get('subnet', ''))
subnet_mask = sanitize.subnet_mask(request.form.get('subnet_mask', ''))
radius_default = 'radius_default' in request.form
mdns_reflection = 'mdns_reflection' in request.form
dnsmasq_log_queries = 'dnsmasq_log_queries' in request.form
use_blocklists = sanitize.filterlist(
request.form.getlist('use_blocklists'),
{b.get('name') for b in load_config().get('dns_blocking', {}).get('blocklists', [])},
)
if not name:
flash('Name is required.', 'error')
return redirect(VIEW)
if vlan_id is None:
flash('VLAN ID must be an integer between 1 and 4094.', 'error')
return redirect(VIEW)
if not subnet:
flash('Subnet IP is required.', 'error')
return redirect(VIEW)
if subnet_mask is None:
flash('Invalid subnet prefix (must be 1-30).', 'error')
return redirect(VIEW)
if not _hash_ok():
return redirect(VIEW)
cfg = load_config()
vlans = cfg.setdefault('vlans', [])
if any(v.get('vlan_id') == vlan_id for v in vlans):
flash(f'VLAN ID {vlan_id} is already in use.', 'error')
return redirect(VIEW)
if radius_default and any(v.get('radius_default') for v in vlans):
flash('Only one VLAN can be the RADIUS default.', 'error')
return redirect(VIEW)
entry = {
'name': name,
'vlan_id': vlan_id,
'is_vpn': is_vpn,
'subnet': subnet,
'subnet_mask': subnet_mask,
'dnsmasq_log_queries': dnsmasq_log_queries,
'use_blocklists': use_blocklists,
'radius_default': radius_default,
'mdns_reflection': mdns_reflection,
}
if is_vpn:
entry['peers'] = []
else:
entry['reservations'] = []
vlans.append(entry)
errors = validate.validate_config(cfg)
if errors:
for msg in errors:
flash(msg, 'error')
return redirect(VIEW)
flash(save_config_with_snapshot(
cfg,
path='vlans', key=name, operation='add',
before=None, after={k: entry[k] for k in _VLAN_FIELDS if k in entry},
description=f'Added VLAN: {name} ({subnet}/{subnet_mask})',
), 'success')
return redirect(VIEW)
@bp.route('/action/networklayout_tablevlans_edit', methods=['POST'])
@require_level('administrator')
def networklayout_tablevlans_edit():
idx = _row_index()
if idx is None:
flash('Invalid request.', 'error')
return redirect(VIEW)
name = sanitize.name(request.form.get('name', ''))
vlan_id = sanitize.vlan_id(request.form.get('vlan_id', ''))
subnet = sanitize.ip(request.form.get('subnet', ''))
radius_default = 'radius_default' in request.form
mdns_reflection = 'mdns_reflection' in request.form
dnsmasq_log_queries = 'dnsmasq_log_queries' in request.form
use_blocklists = sanitize.filterlist(
request.form.getlist('use_blocklists'),
{b.get('name') for b in load_config().get('dns_blocking', {}).get('blocklists', [])},
)
identity_ips_raw = [line.strip() for line in request.form.get('server_identity_ips', '').splitlines() if line.strip()]
identity_ips = []
for raw_ip in identity_ips_raw:
clean = sanitize.ip(raw_ip)
if not clean:
flash(f"'{raw_ip}' is not a valid IP address.", 'error')
return redirect(VIEW)
identity_ips.append(clean)
identity_descs = request.form.get('server_identity_descriptions', '').splitlines()
identity_hostnames = request.form.get('server_identity_hostnames', '').splitlines()
subnet_mask_raw = request.form.get('subnet_mask')
if subnet_mask_raw is not None:
subnet_mask = sanitize.subnet_mask(subnet_mask_raw)
if subnet_mask is None:
flash('Invalid subnet prefix (must be 1-30).', 'error')
return redirect(VIEW)
else:
subnet_mask = None
if not name:
flash('Name is required.', 'error')
return redirect(VIEW)
if vlan_id is None:
flash('VLAN ID must be an integer between 1 and 4094.', 'error')
return redirect(VIEW)
if not subnet:
flash('Subnet IP is required.', 'error')
return redirect(VIEW)
if not _hash_ok():
return redirect(VIEW)
cfg = load_config()
vlans = cfg.get('vlans', [])
if idx < 0 or idx >= len(vlans):
flash('VLAN not found.', 'error')
return redirect(VIEW)
existing = vlans[idx]
is_vpn = existing.get('is_vpn', False)
final_mask = subnet_mask if subnet_mask is not None else existing.get('subnet_mask', 24)
if identity_ips:
_vlan_net = ipaddress.IPv4Network(f'{subnet}/{final_mask}', strict=False)
for _ip in identity_ips:
if ipaddress.IPv4Address(_ip) not in _vlan_net:
flash(f"Server identity IP '{_ip}' is not in the VLAN subnet ({subnet}/{final_mask}).", 'error')
return redirect(VIEW)
current_id = existing.get('vlan_id')
if current_id == 1 and vlan_id != 1:
flash('VLAN 1 is the physical interface and cannot change its ID.', 'error')
return redirect(VIEW)
if vlan_id != current_id and any(v.get('vlan_id') == vlan_id for i, v in enumerate(vlans) if i != idx):
flash(f'VLAN ID {vlan_id} is already in use.', 'error')
return redirect(VIEW)
if radius_default and any(i != idx and v.get('radius_default') for i, v in enumerate(vlans)):
flash('Only one VLAN can be the RADIUS default.', 'error')
return redirect(VIEW)
old_identities = existing.get('server_identities', [])
new_identities = []
for i, ip in enumerate(identity_ips):
entry = dict(old_identities[i]) if i < len(old_identities) else {}
entry['ip'] = ip
desc = identity_descs[i].strip() if i < len(identity_descs) else ''
if desc:
entry['description'] = desc
else:
entry.pop('description', None)
hostname_raw = identity_hostnames[i].strip() if i < len(identity_hostnames) else ''
if hostname_raw:
clean_hostname = sanitize.hostname(hostname_raw)
if clean_hostname is None:
flash(f"'{hostname_raw}' is not a valid hostname.", 'error')
return redirect(VIEW)
entry['hostname'] = clean_hostname
else:
entry.pop('hostname', None)
new_identities.append(entry)
gateway_raw = sanitize.ip(request.form.get('gateway', ''))
if gateway_raw and gateway_raw not in identity_ips:
flash(f"Gateway '{gateway_raw}' must match one of the server identity IPs.", 'error')
return redirect(VIEW)
inferred_gw = (min(identity_ips, key=lambda ip: int(ip.split('.')[-1]))
if identity_ips else '')
new_stored_gw = gateway_raw if (gateway_raw and gateway_raw != inferred_gw) else ''
existing_gw = existing.get('dhcp_information', {}).get('explicit_overrides', {}).get('gateway', '')
dns_override = 'dns_server_override' in request.form
dns_ips = []
for _line in request.form.get('dns_server', '').splitlines():
_line = _line.strip()
if not _line:
continue
_clean = sanitize.ip(_line)
if not _clean:
flash(f"'{_line}' is not a valid DNS server IP.", 'error')
return redirect(VIEW)
dns_ips.append(_clean)
if dns_override and not dns_ips:
flash('At least one DNS server IP is required when override is enabled.', 'error')
return redirect(VIEW)
if dns_override and dns_ips:
_vlan_net = ipaddress.IPv4Network(f'{subnet}/{final_mask}', strict=False)
for _ip in dns_ips:
if ipaddress.IPv4Address(_ip) not in _vlan_net:
flash(f"DNS server '{_ip}' is not in the VLAN subnet ({subnet}/{final_mask}).", 'error')
return redirect(VIEW)
new_stored_dns = dns_ips if dns_override else []
_existing_dns = existing.get('dhcp_information', {}).get('explicit_overrides', {}).get('dns_server', [])
existing_dns = _existing_dns if isinstance(_existing_dns, list) else ([_existing_dns] if _existing_dns else [])
ntp_override = 'ntp_server_override' in request.form
ntp_ips = []
for _line in request.form.get('ntp_server', '').splitlines():
_line = _line.strip()
if not _line:
continue
_clean = sanitize.ip(_line)
if not _clean:
flash(f"'{_line}' is not a valid NTP server IP.", 'error')
return redirect(VIEW)
ntp_ips.append(_clean)
if ntp_override and not ntp_ips:
flash('At least one NTP server IP is required when override is enabled.', 'error')
return redirect(VIEW)
if ntp_override and ntp_ips:
_vlan_net = ipaddress.IPv4Network(f'{subnet}/{final_mask}', strict=False)
for _ip in ntp_ips:
if ipaddress.IPv4Address(_ip) not in _vlan_net:
flash(f"NTP server '{_ip}' is not in the VLAN subnet ({subnet}/{final_mask}).", 'error')
return redirect(VIEW)
new_stored_ntp = ntp_ips if ntp_override else []
_existing_ntp = existing.get('dhcp_information', {}).get('explicit_overrides', {}).get('ntp_server', [])
existing_ntp = _existing_ntp if isinstance(_existing_ntp, list) else ([_existing_ntp] if _existing_ntp else [])
_ids_unchanged = (
len(new_identities) == len(old_identities) and
all(
n.get('ip') == o.get('ip') and
n.get('description', '') == o.get('description', '') and
n.get('hostname', '') == o.get('hostname', '')
for n, o in zip(new_identities, old_identities)
)
)
if (name == existing.get('name', '')
and vlan_id == existing.get('vlan_id')
and subnet == existing.get('subnet', '')
and final_mask == existing.get('subnet_mask', 24)
and dnsmasq_log_queries == bool(existing.get('dnsmasq_log_queries', False))
and radius_default == bool(existing.get('radius_default', False))
and mdns_reflection == bool(existing.get('mdns_reflection', False))
and sorted(use_blocklists) == sorted(existing.get('use_blocklists', []))
and _ids_unchanged
and new_stored_gw == existing_gw
and new_stored_dns == existing_dns
and new_stored_ntp == existing_ntp):
flash('No changes were made.', 'info')
return redirect(VIEW)
before = {k: existing.get(k) for k in _VLAN_FIELDS}
existing.update({
'name': name,
'vlan_id': vlan_id,
'is_vpn': is_vpn,
'subnet': subnet,
'subnet_mask': final_mask,
'dnsmasq_log_queries': dnsmasq_log_queries,
'radius_default': radius_default,
'mdns_reflection': mdns_reflection,
'use_blocklists': use_blocklists,
'server_identities': new_identities,
})
dhcp_overrides = existing.setdefault('dhcp_information', {}).setdefault('explicit_overrides', {})
if new_stored_gw:
dhcp_overrides['gateway'] = new_stored_gw
else:
dhcp_overrides.pop('gateway', None)
if new_stored_dns:
dhcp_overrides['dns_server'] = new_stored_dns
else:
dhcp_overrides.pop('dns_server', None)
if new_stored_ntp:
dhcp_overrides['ntp_server'] = new_stored_ntp
else:
dhcp_overrides.pop('ntp_server', None)
if not dhcp_overrides:
existing.get('dhcp_information', {}).pop('explicit_overrides', None)
errors = validate.validate_config(cfg)
if errors:
for msg in errors:
flash(msg, 'error')
return redirect(VIEW)
flash(save_config_with_snapshot(
cfg,
path='vlans', key=name, operation='edit',
before=before, after={k: existing.get(k) for k in _VLAN_FIELDS},
description=f'Edited VLAN: {name}',
), 'success')
return redirect(VIEW)
@bp.route('/action/networklayout_tablevlans_delete', methods=['POST'])
@require_level('administrator')
def networklayout_tablevlans_delete():
idx = _row_index()
if idx is None:
flash('Invalid request.', 'error')
return redirect(VIEW)
if not _hash_ok():
return redirect(VIEW)
cfg = load_config()
vlans = cfg.get('vlans', [])
if idx < 0 or idx >= len(vlans):
flash('VLAN not found.', 'error')
return redirect(VIEW)
removed = vlans.pop(idx)
errors = validate.validate_config(cfg)
if errors:
for msg in errors:
flash(msg, 'error')
return redirect(VIEW)
flash(save_config_with_snapshot(
cfg,
path='vlans', key=removed['name'], operation='delete',
before={k: removed.get(k) for k in _VLAN_FIELDS},
after=None,
description=f'Deleted VLAN: {removed["name"]}',
), 'success')
return redirect(VIEW)

283
docker/routlin-dash/app/pages/networklayout/content.json Normal file
View file

@ -0,0 +1,283 @@
{
"id": "view_networklayout",
"client_requirement": "client_is_viewer+",
"items": [
{
"type": "header_page_title",
"items": [
{
"type": "h1",
"text": "Network Layout"
},
{
"type": "p",
"text": "Network segments managed by systemd-networkd, dnsmasq, nftables, and freeradius."
}
]
},
{
"type": "info_bar",
"variant": "info",
"text": "For a basic flat network with no VLAN segmentation, only use VLAN 1 and delete the others."
},
{
"type": "table",
"datasource": "config:vlans",
"empty_message": "No VLANs configured.",
"columns": [
{
"label": "VLAN ID",
"field": "vlan_id",
"class": "col-mono col-narrow"
},
{
"label": "Name",
"field": "name",
"class": "col-narrow"
},
{
"label": "Interface",
"field": "interface",
"class": "col-mono col-narrow"
},
{
"label": "Subnet",
"field": "subnet",
"class": "col-mono col-narrow"
},
{
"label": "Mask",
"field": "subnet_mask",
"class": "col-mono col-narrow"
},
{
"label": "Self Ident(s)",
"field": "server_identity_ips",
"render": "tag_list"
},
{
"label": "Blocklists",
"field": "use_blocklists",
"class": "col-expand",
"render": "tag_list"
},
{
"label": "Default",
"field": "radius_default",
"class": "col-narrow",
"render": "badge_yes_no",
"render_options": {
"title_true": "RADIUS Default",
"title_false": "Not RADIUS Default"
}
},
{
"label": "mDNS",
"field": "mdns_reflection",
"class": "col-narrow",
"render": "badge_yes_no",
"render_options": {
"title_true": "mDNS Reflection Enabled",
"title_false": "mDNS Reflection Disabled"
}
},
{
"label": "Record",
"field": "dnsmasq_log_queries",
"class": "col-narrow",
"render": "badge_yes_no",
"render_options": {
"title_true": "DNS Queries Recorded",
"title_false": "DNS Queries Not Recorded"
}
}
],
"row_actions": [
{
"client_requirement": "client_is_administrator+",
"action": "/action/networklayout_tablevlans_edit",
"method": "inline_edit",
"text": "Edit",
"class": "btn-ghost btn-sm",
"fields": [
{
"col": "name",
"input_type": "text",
"validate": "dashname"
},
{
"col": "subnet",
"input_type": "text",
"validate": "subnet"
},
{
"col": "subnet_mask",
"input_type": "number",
"min": 1,
"max": 30
},
{
"col": "server_identity_ips",
"input_type": "textarea_pair",
"col_label": "IP Address",
"col_validate": "ip",
"pair_col": "server_identity_descriptions",
"pair_label": "Description (Opt)",
"pair_wide": true,
"pair_col2": "server_identity_hostnames",
"pair_label2": "Hostname (Opt)",
"pair_validate2": "networkname",
"gateway_col": "server_identity_gateway",
"dns_col": "server_identity_dns_server",
"ntp_col": "server_identity_ntp_server"
},
{
"col": "radius_default",
"input_type": "checkbox",
"checkbox_label": "Enabled"
},
{
"col": "mdns_reflection",
"input_type": "checkbox",
"checkbox_label": "Enabled"
},
{
"col": "dnsmasq_log_queries",
"input_type": "checkbox",
"checkbox_label": "Record"
},
{
"col": "use_blocklists",
"input_type": "checkbox_multi",
"options": "%BLOCKLIST_NAME_OPTIONS%"
}
]
},
{
"client_requirement": "client_is_administrator+",
"action": "/action/networklayout_tablevlans_delete",
"method": "post",
"text": "Delete",
"class": "btn-danger btn-sm",
"disable_if": {
"field": "vlan_id",
"value": 1
}
}
]
},
{
"type": "card",
"id": "add-form",
"label": "Add VLAN",
"client_requirement": "client_is_administrator+",
"items": [
{
"type": "form",
"action": "/action/networklayout_cardaddvlan_addvlan",
"method": "post",
"items": [
{
"type": "field_row",
"cols": 4,
"items": [
{
"type": "field",
"label": "VLAN ID",
"name": "vlan_id",
"input_type": "number",
"min": 1,
"max": 4094,
"validate": "vlan_id",
"hint": "Unique integer 1-4094. Sets the 802.1Q tag and interface name."
},
{
"type": "field",
"label": "VLAN Name",
"name": "name",
"input_type": "text",
"validate": "dashname",
"hint": "Lowercase letters, digits, hyphens. E.g. iot"
},
{
"type": "subnet_row",
"subnet_name": "subnet",
"prefix_name": "subnet_mask",
"subnet_placeholder": "e.g. 192.168.x.0",
"prefix_value": "24"
},
{
"type": "field",
"label": "VLAN Type",
"name": "is_vpn",
"input_type": "checkbox",
"checkbox_label": "Is VPN",
"hint": "Check if this VLAN uses a WireGuard interface (e.g. wg0, wg1, etc)."
}
]
},
{
"type": "hr"
},
{
"type": "identity_builder",
"label": "Router Identities on this VLAN:"
},
{
"type": "hr"
},
{
"type": "field",
"label": "Blocklists",
"name": "use_blocklists",
"input_type": "checkbox_group",
"options": "%BLOCKLIST_NAME_OPTIONS%",
"hint": "Note: Selected lists will be merged and de-duplicated prior to use."
},
{
"type": "hr"
},
{
"type": "field",
"label": "RADIUS Default",
"name": "radius_default",
"input_type": "checkbox",
"hint": "Wireless devices without a DHCP reservation will be placed into this VLAN. (Note: wired devices are not placed via RADIUS but rather by layer 3 switch policy.)"
},
{
"type": "field",
"label": "mDNS Reflection",
"name": "mdns_reflection",
"input_type": "checkbox",
"hint": "Reflect mDNS traffic to/from this VLAN via avahi-daemon. Not supported on WireGuard interfaces."
},
{
"type": "field",
"label": "Record DNS Queries",
"name": "dnsmasq_log_queries",
"input_type": "checkbox",
"hint": "Log every DNS query. High volume - enable for debugging only."
},
{
"type": "button_row",
"items": [
{
"type": "button_primary",
"action": "/action/networklayout_cardaddvlan_addvlan",
"method": "post",
"text": "Add VLAN",
"class": "add-vlan-btn",
"disabled": true
},
{
"type": "button_cancel",
"text": "Cancel"
}
]
}
]
}
]
}
]
}