New Features
DNS DNAT Detection & Validation (#89)
Analyzes DNS redirect (DNAT) rules for security gaps:
- Partial Coverage Detection - Warns when DNAT rules don't cover all networks
- Single IP DNAT - Flags rules using single IPs instead of network ranges
- Invalid Destination - Detects DNAT rules pointing to non-gateway IPs
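As an added illustration (not the project's own code), the three DNAT DNS checks above implemented in Python over a constructed set of networks and redirect rules; the `Network` and `DnatRule` types and their field names are assumptions, not the tool's data model.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Network:
    name: str
    subnet: str    # CIDR of the VLAN, e.g. "192.168.20.0/24" (assumed field)
    gateway: str   # the gateway's IP on that subnet (assumed field)


@dataclass
class DnatRule:
    name: str
    source: str         # source match: a CIDR or a single host (assumed field)
    dst_port: int       # original destination port; 53 = DNS
    translated_ip: str  # where matched traffic is redirected to


def analyze_dns_dnat(networks, rules):
    """Return (severity, message) findings for DNS redirect (DNAT) rules."""
    findings = []
    gateways = {ipaddress.ip_address(n.gateway) for n in networks}
    dns_rules = [r for r in rules if r.dst_port == 53]
    covered = set()
    for r in dns_rules:
        src = ipaddress.ip_network(r.source, strict=False)
        # Single IP DNAT: a host match only redirects that one client
        if src.num_addresses == 1:
            findings.append(("WARNING", f"{r.name}: single IP source {r.source} instead of a network range"))
        # Invalid destination: DNS should be redirected to a gateway address
        if ipaddress.ip_address(r.translated_ip) not in gateways:
            findings.append(("WARNING", f"{r.name}: redirects DNS to non-gateway IP {r.translated_ip}"))
        # Coverage: a network counts only if the rule's source contains its whole subnet
        for n in networks:
            net = ipaddress.ip_network(n.subnet)
            if net.version == src.version and net.subnet_of(src):
                covered.add(n.name)
    # Partial coverage: DNS redirect exists but some networks are left out
    uncovered = [n.name for n in networks if n.name not in covered]
    if dns_rules and uncovered:
        findings.append(("WARNING", "DNS DNAT rules do not cover: " + ", ".join(uncovered)))
    return findings


# Constructed sample configuration (not taken from a real controller)
NETWORKS = [Network("home", "192.168.1.0/24", "192.168.1.1"),
            Network("iot", "192.168.20.0/24", "192.168.20.1"),
            Network("guest", "192.168.30.0/24", "192.168.30.1")]
RULES = [DnatRule("dns-home", "192.168.1.0/24", 53, "192.168.1.1"),      # clean
         DnatRule("dns-iot-pc", "192.168.20.50", 53, "192.168.20.1"),    # single IP
         DnatRule("dns-guest", "192.168.30.0/24", 53, "8.8.8.8"),        # non-gateway
         DnatRule("web-fwd", "192.168.1.0/24", 80, "192.168.1.10")]      # not DNS, ignored

if __name__ == "__main__":
    for sev, msg in analyze_dns_dnat(NETWORKS, RULES):
        print(sev, msg)
```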
UPnP Security Analyzer (#90)
Comprehensive UPnP and port forwarding security analysis:
- UPnP Status Monitoring - INFO when enabled on Home networks, WARNING if no Home network present
- Privileged Port Detection - Flags system ports (<1024) exposed via UPnP or static forwards
- Source IP Restriction Checks - Warns about unrestricted privileged port forwards on Home networks
- Static Port Forward Tracking - Documents intentional port forwards with links to UPnP Inspector
Wired Subnet Mismatch Detection
New audit rule (PORT-SUBNET-001) detects IP/VLAN mismatches on wired ports:
- Catches stale fixed IPs from previous VLAN assignments
- Detects port VLAN changes without DHCP renewal
- Critical severity with a 10-point score impact
Firewall Group Flattening (#88)
Port and IP list firewall groups are now expanded for accurate rule analysis
Gaming/Entertainment Network Classification
Enhanced VLAN classification with word boundary matching:
- Gaming patterns (xbox, playstation, games) → Home purpose
- Entertainment patterns (streaming, theater, a/v) → IoT purpose
Improvements
- Clickable links for "UPnP Inspector" and "Settings" in audit issue text
- Fixed title truncation for VLAN subnet mismatch issues
- Source restriction detection properly checks the `src_limiting_enabled` flag
- Supports both firewall group and IP-based source restrictions
Test Coverage
- 3,269 total tests passing
- 33 UPnP analyzer tests
- 31 wired subnet mismatch tests
- 21 VLAN classification tests
- 616 DNAT DNS analyzer tests