from pathlib import Path import copy import ipaddress import json from flask import Blueprint, request, redirect, flash from auth import require_level from config_utils import load_config, save_config_with_snapshot, verify_config_hash import sanitize import validation as validate _PAGE = Path(__file__).parent.name bp = Blueprint(_PAGE, __name__) _VLAN_FIELDS = ['name', 'vlan_id', 'is_vpn', 'subnet', 'subnet_mask', 'dnsmasq_log_queries', 'radius_default', 'mdns_reflection', 'use_blocklists'] def _row_index(): try: return int(request.form.get('row_index', '')) except (ValueError, TypeError): return None def _hash_ok(): if not verify_config_hash(request.form.get('config_hash', '')): flash('Configuration was modified by another session. Please refresh and try again.', 'error') return False return True @bp.route('/action/networklayout/addvlan_add', methods=['POST']) @require_level('administrator') def addvlan_add(): name = sanitize.name(request.form.get('name', '')) vlan_id = sanitize.vlan_id(request.form.get('vlan_id', '')) is_vpn = 'is_vpn' in request.form subnet = sanitize.ip(request.form.get('subnet', '')) subnet_mask = sanitize.subnet_mask(request.form.get('subnet_mask', '')) radius_default = 'radius_default' in request.form mdns_reflection = 'mdns_reflection' in request.form dnsmasq_log_queries = 'dnsmasq_log_queries' in request.form use_blocklists = sanitize.filterlist( request.form.getlist('use_blocklists'), {b.get('name') for b in load_config().get('dns_blocking', {}).get('blocklists', [])}, ) if not name: flash('Name is required.', 'error') return redirect(f'/{_PAGE}') if vlan_id is None: flash('VLAN ID must be an integer between 1 and 4094.', 'error') return redirect(f'/{_PAGE}') if not subnet: flash('Subnet IP is required.', 'error') return redirect(f'/{_PAGE}') if subnet_mask is None: flash('Invalid subnet prefix (must be 1-30).', 'error') return redirect(f'/{_PAGE}') if not _hash_ok(): return redirect(f'/{_PAGE}') server_identities_raw = request.form.get('server_identities', '[]') try: raw_identities = json.loads(server_identities_raw) if not isinstance(raw_identities, list): raise ValueError except (ValueError, TypeError): flash('Invalid identity data.', 'error') return redirect(f'/{_PAGE}') new_identities = [] if raw_identities: _vlan_net = ipaddress.IPv4Network(f'{subnet}/{subnet_mask}', strict=False) for raw in raw_identities: ip_clean = sanitize.ip(str(raw.get('ip', ''))) if not ip_clean: flash('Invalid IP address in identity.', 'error') return redirect(f'/{_PAGE}') if ipaddress.IPv4Address(ip_clean) not in _vlan_net: flash(f"Identity IP '{ip_clean}' is not in the VLAN subnet ({subnet}/{subnet_mask}).", 'error') return redirect(f'/{_PAGE}') ident = {'ip': ip_clean} desc = str(raw.get('description', '')).strip() if desc: ident['description'] = desc hostname_raw = str(raw.get('hostname', '')).strip() if hostname_raw: clean_hostname = sanitize.hostname(hostname_raw) if clean_hostname is None: flash(f"'{hostname_raw}' is not a valid hostname.", 'error') return redirect(f'/{_PAGE}') ident['hostname'] = clean_hostname new_identities.append(ident) identity_ips = [ident['ip'] for ident in new_identities] gateway_raw = sanitize.ip(request.form.get('gateway', '')) if gateway_raw and gateway_raw not in identity_ips: flash(f"Gateway '{gateway_raw}' must match one of the server identity IPs.", 'error') return redirect(f'/{_PAGE}') inferred_gw = (min(identity_ips, key=lambda ip: int(ip.split('.')[-1])) if identity_ips else '') new_stored_gw = gateway_raw if (gateway_raw and gateway_raw != inferred_gw) else '' dns_override = 'dns_server_override' in request.form dns_ips = [] for _line in request.form.get('dns_server', '').splitlines(): _line = _line.strip() if not _line: continue _clean = sanitize.ip(_line) if not _clean: flash(f"'{_line}' is not a valid DNS server IP.", 'error') return redirect(f'/{_PAGE}') dns_ips.append(_clean) new_stored_dns = dns_ips if dns_override else [] ntp_override = 'ntp_server_override' in request.form ntp_ips = [] for _line in request.form.get('ntp_server', '').splitlines(): _line = _line.strip() if not _line: continue _clean = sanitize.ip(_line) if not _clean: flash(f"'{_line}' is not a valid NTP server IP.", 'error') return redirect(f'/{_PAGE}') ntp_ips.append(_clean) new_stored_ntp = ntp_ips if ntp_override else [] dhcp_domain_raw = request.form.get('dhcp_domain', '').strip() dhcp_domain = sanitize.hostname(dhcp_domain_raw) if dhcp_domain_raw else 'local' if dhcp_domain_raw and dhcp_domain is None: flash(f"'{dhcp_domain_raw}' is not a valid domain name.", 'error') return redirect(f'/{_PAGE}') cfg = load_config() vlans = cfg.setdefault('vlans', []) if any(v.get('vlan_id') == vlan_id for v in vlans): flash(f'VLAN ID {vlan_id} is already in use.', 'error') return redirect(f'/{_PAGE}') if radius_default and any(v.get('radius_default') for v in vlans): flash('Only one VLAN can be the RADIUS default.', 'error') return redirect(f'/{_PAGE}') dhcp_info = {} if dhcp_domain and dhcp_domain != 'local': dhcp_info['domain'] = dhcp_domain dhcp_overrides = {} if new_stored_gw: dhcp_overrides['gateway'] = new_stored_gw if new_stored_dns: dhcp_overrides['dns_server'] = new_stored_dns if new_stored_ntp: dhcp_overrides['ntp_server'] = new_stored_ntp if dhcp_overrides: dhcp_info['explicit_overrides'] = dhcp_overrides entry = { 'name': name, 'vlan_id': vlan_id, 'is_vpn': is_vpn, 'subnet': subnet, 'subnet_mask': subnet_mask, 'dnsmasq_log_queries': dnsmasq_log_queries, 'use_blocklists': use_blocklists, 'radius_default': radius_default, 'mdns_reflection': mdns_reflection, 'server_identities': new_identities, } if dhcp_info: entry['dhcp_information'] = dhcp_info if is_vpn: entry['peers'] = [] else: entry['reservations'] = [] vlans.append(entry) errors = validate.validate_config(cfg) if errors: for msg in errors: flash(msg, 'error') return redirect(f'/{_PAGE}') flash(save_config_with_snapshot( cfg, path='vlans', key=name, operation='add', before=None, after={k: entry[k] for k in _VLAN_FIELDS if k in entry}, description=f'Added VLAN: {name} ({subnet}/{subnet_mask})', ), 'success') return redirect(f'/{_PAGE}') @bp.route('/action/networklayout/vlans_edit', methods=['POST']) @require_level('administrator') def vlans_edit(): idx = _row_index() if idx is None: flash('Invalid request.', 'error') return redirect(f'/{_PAGE}') name = sanitize.name(request.form.get('name', '')) vlan_id = sanitize.vlan_id(request.form.get('vlan_id', '')) subnet = sanitize.ip(request.form.get('subnet', '')) radius_default = 'radius_default' in request.form mdns_reflection = 'mdns_reflection' in request.form dnsmasq_log_queries = 'dnsmasq_log_queries' in request.form use_blocklists = sanitize.filterlist( request.form.getlist('use_blocklists'), {b.get('name') for b in load_config().get('dns_blocking', {}).get('blocklists', [])}, ) identity_ips_raw = [line.strip() for line in request.form.get('server_identity_ips', '').splitlines() if line.strip()] identity_ips = [] for raw_ip in identity_ips_raw: clean = sanitize.ip(raw_ip) if not clean: flash(f"'{raw_ip}' is not a valid IP address.", 'error') return redirect(f'/{_PAGE}') identity_ips.append(clean) identity_descs = request.form.get('server_identity_descriptions', '').splitlines() identity_hostnames = request.form.get('server_identity_hostnames', '').splitlines() subnet_mask_raw = request.form.get('subnet_mask') if subnet_mask_raw is not None: subnet_mask = sanitize.subnet_mask(subnet_mask_raw) if subnet_mask is None: flash('Invalid subnet prefix (must be 1-30).', 'error') return redirect(f'/{_PAGE}') else: subnet_mask = None if not name: flash('Name is required.', 'error') return redirect(f'/{_PAGE}') if vlan_id is None: flash('VLAN ID must be an integer between 1 and 4094.', 'error') return redirect(f'/{_PAGE}') if not subnet: flash('Subnet IP is required.', 'error') return redirect(f'/{_PAGE}') if not _hash_ok(): return redirect(f'/{_PAGE}') cfg = load_config() vlans = cfg.get('vlans', []) if idx < 0 or idx >= len(vlans): flash('VLAN not found.', 'error') return redirect(f'/{_PAGE}') existing = vlans[idx] is_vpn = existing.get('is_vpn', False) final_mask = subnet_mask if subnet_mask is not None else existing.get('subnet_mask', 24) if identity_ips: _vlan_net = ipaddress.IPv4Network(f'{subnet}/{final_mask}', strict=False) for _ip in identity_ips: if ipaddress.IPv4Address(_ip) not in _vlan_net: flash(f"Server identity IP '{_ip}' is not in the VLAN subnet ({subnet}/{final_mask}).", 'error') return redirect(f'/{_PAGE}') current_id = existing.get('vlan_id') if current_id == 1 and vlan_id != 1: flash('VLAN 1 is the physical interface and cannot change its ID.', 'error') return redirect(f'/{_PAGE}') if vlan_id != current_id and any(v.get('vlan_id') == vlan_id for i, v in enumerate(vlans) if i != idx): flash(f'VLAN ID {vlan_id} is already in use.', 'error') return redirect(f'/{_PAGE}') if radius_default and any(i != idx and v.get('radius_default') for i, v in enumerate(vlans)): flash('Only one VLAN can be the RADIUS default.', 'error') return redirect(f'/{_PAGE}') old_identities = existing.get('server_identities', []) new_identities = [] for i, ip in enumerate(identity_ips): entry = dict(old_identities[i]) if i < len(old_identities) else {} entry['ip'] = ip desc = identity_descs[i].strip() if i < len(identity_descs) else '' if desc: entry['description'] = desc else: entry.pop('description', None) hostname_raw = identity_hostnames[i].strip() if i < len(identity_hostnames) else '' if hostname_raw: clean_hostname = sanitize.hostname(hostname_raw) if clean_hostname is None: flash(f"'{hostname_raw}' is not a valid hostname.", 'error') return redirect(f'/{_PAGE}') entry['hostname'] = clean_hostname else: entry.pop('hostname', None) new_identities.append(entry) gateway_raw = sanitize.ip(request.form.get('gateway', '')) if gateway_raw and gateway_raw not in identity_ips: flash(f"Gateway '{gateway_raw}' must match one of the server identity IPs.", 'error') return redirect(f'/{_PAGE}') inferred_gw = (min(identity_ips, key=lambda ip: int(ip.split('.')[-1])) if identity_ips else '') new_stored_gw = gateway_raw if (gateway_raw and gateway_raw != inferred_gw) else '' existing_gw = existing.get('dhcp_information', {}).get('explicit_overrides', {}).get('gateway', '') dns_override = 'dns_server_override' in request.form dns_ips = [] for _line in request.form.get('dns_server', '').splitlines(): _line = _line.strip() if not _line: continue _clean = sanitize.ip(_line) if not _clean: flash(f"'{_line}' is not a valid DNS server IP.", 'error') return redirect(f'/{_PAGE}') dns_ips.append(_clean) if dns_override and not dns_ips: flash('At least one DNS server IP is required when override is enabled.', 'error') return redirect(f'/{_PAGE}') if dns_override and dns_ips: _vlan_net = ipaddress.IPv4Network(f'{subnet}/{final_mask}', strict=False) for _ip in dns_ips: if ipaddress.IPv4Address(_ip) not in _vlan_net: flash(f"DNS server '{_ip}' is not in the VLAN subnet ({subnet}/{final_mask}).", 'error') return redirect(f'/{_PAGE}') new_stored_dns = dns_ips if dns_override else [] _existing_dns = existing.get('dhcp_information', {}).get('explicit_overrides', {}).get('dns_server', []) existing_dns = _existing_dns if isinstance(_existing_dns, list) else ([_existing_dns] if _existing_dns else []) ntp_override = 'ntp_server_override' in request.form ntp_ips = [] for _line in request.form.get('ntp_server', '').splitlines(): _line = _line.strip() if not _line: continue _clean = sanitize.ip(_line) if not _clean: flash(f"'{_line}' is not a valid NTP server IP.", 'error') return redirect(f'/{_PAGE}') ntp_ips.append(_clean) if ntp_override and not ntp_ips: flash('At least one NTP server IP is required when override is enabled.', 'error') return redirect(f'/{_PAGE}') if ntp_override and ntp_ips: _vlan_net = ipaddress.IPv4Network(f'{subnet}/{final_mask}', strict=False) for _ip in ntp_ips: if ipaddress.IPv4Address(_ip) not in _vlan_net: flash(f"NTP server '{_ip}' is not in the VLAN subnet ({subnet}/{final_mask}).", 'error') return redirect(f'/{_PAGE}') new_stored_ntp = ntp_ips if ntp_override else [] _existing_ntp = existing.get('dhcp_information', {}).get('explicit_overrides', {}).get('ntp_server', []) existing_ntp = _existing_ntp if isinstance(_existing_ntp, list) else ([_existing_ntp] if _existing_ntp else []) _ids_unchanged = ( len(new_identities) == len(old_identities) and all( n.get('ip') == o.get('ip') and n.get('description', '') == o.get('description', '') and n.get('hostname', '') == o.get('hostname', '') for n, o in zip(new_identities, old_identities) ) ) if (name == existing.get('name', '') and vlan_id == existing.get('vlan_id') and subnet == existing.get('subnet', '') and final_mask == existing.get('subnet_mask', 24) and dnsmasq_log_queries == bool(existing.get('dnsmasq_log_queries', False)) and radius_default == bool(existing.get('radius_default', False)) and mdns_reflection == bool(existing.get('mdns_reflection', False)) and sorted(use_blocklists) == sorted(existing.get('use_blocklists', [])) and _ids_unchanged and new_stored_gw == existing_gw and new_stored_dns == existing_dns and new_stored_ntp == existing_ntp): flash('No changes were made.', 'info') return redirect(f'/{_PAGE}') before = {k: existing.get(k) for k in _VLAN_FIELDS} existing.update({ 'name': name, 'vlan_id': vlan_id, 'is_vpn': is_vpn, 'subnet': subnet, 'subnet_mask': final_mask, 'dnsmasq_log_queries': dnsmasq_log_queries, 'radius_default': radius_default, 'mdns_reflection': mdns_reflection, 'use_blocklists': use_blocklists, 'server_identities': new_identities, }) dhcp_overrides = existing.setdefault('dhcp_information', {}).setdefault('explicit_overrides', {}) if new_stored_gw: dhcp_overrides['gateway'] = new_stored_gw else: dhcp_overrides.pop('gateway', None) if new_stored_dns: dhcp_overrides['dns_server'] = new_stored_dns else: dhcp_overrides.pop('dns_server', None) if new_stored_ntp: dhcp_overrides['ntp_server'] = new_stored_ntp else: dhcp_overrides.pop('ntp_server', None) if not dhcp_overrides: existing.get('dhcp_information', {}).pop('explicit_overrides', None) errors = validate.validate_config(cfg) if errors: for msg in errors: flash(msg, 'error') return redirect(f'/{_PAGE}') flash(save_config_with_snapshot( cfg, path='vlans', key=name, operation='edit', before=before, after={k: existing.get(k) for k in _VLAN_FIELDS}, description=f'Edited VLAN: {name}', ), 'success') return redirect(f'/{_PAGE}') @bp.route('/action/networklayout/vlans_delete', methods=['POST']) @require_level('administrator') def vlans_delete(): idx = _row_index() if idx is None: flash('Invalid request.', 'error') return redirect(f'/{_PAGE}') if not _hash_ok(): return redirect(f'/{_PAGE}') cfg = load_config() vlans = cfg.get('vlans', []) if idx < 0 or idx >= len(vlans): flash('VLAN not found.', 'error') return redirect(f'/{_PAGE}') removed = vlans.pop(idx) errors = validate.validate_config(cfg) if errors: for msg in errors: flash(msg, 'error') return redirect(f'/{_PAGE}') flash(save_config_with_snapshot( cfg, path='vlans', key=removed['name'], operation='delete', before={k: removed.get(k) for k in _VLAN_FIELDS}, after=None, description=f'Deleted VLAN: {removed["name"]}', ), 'success') return redirect(f'/{_PAGE}')