4 files changed, 69 insertions, 14 deletions

diff --git a/MediaBrowser.Common/Net/INetworkManager.cs b/MediaBrowser.Common/Net/INetworkManager.cs
index 78a391d36..bd785bcbc 100644
--- a/MediaBrowser.Common/Net/INetworkManager.cs
+++ b/MediaBrowser.Common/Net/INetworkManager.cs
@@ -95,12 +95,6 @@ namespace MediaBrowser.Common.Net
         string GetBindAddress(string source, out int? port);
 
         /// <summary>
-        /// Get a list of all the MAC addresses associated with active interfaces.
-        /// </summary>
-        /// <returns>List of MAC addresses.</returns>
-        IReadOnlyList<PhysicalAddress> GetMacAddresses();
-
-        /// <summary>
         /// Returns true if the address is part of the user defined LAN.
         /// </summary>
         /// <param name="address">IP to check.</param>
@@ -133,7 +127,7 @@ namespace MediaBrowser.Common.Net
         /// Checks if <paramref name="remoteIP"/> has access to the server.
         /// </summary>
         /// <param name="remoteIP">IP address of the client.</param>
-        /// <returns><b>True</b> if it has access, otherwise <b>false</b>.</returns>
-        bool HasRemoteAccess(IPAddress remoteIP);
+        /// <returns>The result of evaluating the access policy, <c>Allow</c> if it should be allowed.</returns>
+        RemoteAccessPolicyResult ShouldAllowServerAccess(IPAddress remoteIP);
     }
 }
diff --git a/MediaBrowser.Common/Net/NetworkConfiguration.cs b/MediaBrowser.Common/Net/NetworkConfiguration.cs
index 61a51c99e..053357296 100644
--- a/MediaBrowser.Common/Net/NetworkConfiguration.cs
+++ b/MediaBrowser.Common/Net/NetworkConfiguration.cs
@@ -110,6 +110,7 @@ public class NetworkConfiguration
     /// <summary>
     /// Gets or sets a value indicating whether to enable automatic port forwarding.
     /// </summary>
+    [Obsolete("No longer supported")]
     public bool EnableUPnP { get; set; }
 
     /// <summary>
diff --git a/MediaBrowser.Common/Net/NetworkUtils.cs b/MediaBrowser.Common/Net/NetworkUtils.cs
index e482089f0..24ed47a81 100644
--- a/MediaBrowser.Common/Net/NetworkUtils.cs
+++ b/MediaBrowser.Common/Net/NetworkUtils.cs
@@ -1,6 +1,7 @@
 using System;
 using System.Collections.Generic;
 using System.Diagnostics.CodeAnalysis;
+using System.Globalization;
 using System.Net;
 using System.Net.Sockets;
 using System.Text.RegularExpressions;
@@ -102,7 +103,7 @@ public static partial class NetworkUtils
         Span<byte> bytes = stackalloc byte[mask.AddressFamily == AddressFamily.InterNetwork ? NetworkConstants.IPv4MaskBytes : NetworkConstants.IPv6MaskBytes];
         if (!mask.TryWriteBytes(bytes, out var bytesWritten))
         {
-            Console.WriteLine("Unable to write address bytes, only ${bytesWritten} bytes written.");
+            Console.WriteLine("Unable to write address bytes, only {0} bytes written.", bytesWritten.ToString(CultureInfo.InvariantCulture));
         }
 
         var zeroed = false;
@@ -197,14 +198,25 @@ public static partial class NetworkUtils
     /// <returns><c>True</c> if parsing was successful.</returns>
     public static bool TryParseToSubnet(ReadOnlySpan<char> value, [NotNullWhen(true)] out IPNetwork? result, bool negated = false)
     {
+        // If multiple IP addresses are in a comma-separated string, the individual addresses may contain leading and/or trailing whitespace
         value = value.Trim();
+
+        bool isAddressNegated = false;
+        if (value.StartsWith('!'))
+        {
+            isAddressNegated = true;
+            value = value[1..]; // Remove leading '!' character
+        }
+
+        if (isAddressNegated != negated)
+        {
+            result = null;
+            return false;
+        }
+
         if (value.Contains('/'))
         {
-            if (negated && value.StartsWith("!") && IPNetwork.TryParse(value[1..], out result))
-            {
-                return true;
-            }
-            else if (!negated && IPNetwork.TryParse(value, out result))
+            if (IPNetwork.TryParse(value, out result))
             {
                 return true;
             }
@@ -325,4 +337,23 @@ public static partial class NetworkUtils
 
         return new IPAddress(BitConverter.GetBytes(broadCastIPAddress));
     }
+
+    /// <summary>
+    /// Check if a subnet contains an address. This method also handles IPv4 mapped to IPv6 addresses.
+    /// </summary>
+    /// <param name="network">The <see cref="IPNetwork"/>.</param>
+    /// <param name="address">The <see cref="IPAddress"/>.</param>
+    /// <returns>Whether the supplied IP is in the supplied network.</returns>
+    public static bool SubnetContainsAddress(IPNetwork network, IPAddress address)
+    {
+        ArgumentNullException.ThrowIfNull(address);
+        ArgumentNullException.ThrowIfNull(network);
+
+        if (address.IsIPv4MappedToIPv6)
+        {
+            address = address.MapToIPv4();
+        }
+
+        return network.Contains(address);
+    }
 }
diff --git a/MediaBrowser.Common/Net/RemoteAccessPolicyResult.cs b/MediaBrowser.Common/Net/RemoteAccessPolicyResult.cs
new file mode 100644
index 000000000..193d37228
--- /dev/null
+++ b/MediaBrowser.Common/Net/RemoteAccessPolicyResult.cs
@@ -0,0 +1,29 @@
+using System;
+
+namespace MediaBrowser.Common.Net;
+
+/// <summary>
+/// Result of <see cref="INetworkManager.ShouldAllowServerAccess" />.
+/// </summary>
+public enum RemoteAccessPolicyResult
+{
+    /// <summary>
+    /// The connection should be allowed.
+    /// </summary>
+    Allow,
+
+    /// <summary>
+    /// The connection should be rejected since it is not from a local IP and remote access is disabled.
+    /// </summary>
+    RejectDueToRemoteAccessDisabled,
+
+    /// <summary>
+    /// The connection should be rejected since it is from a blocklisted IP.
+    /// </summary>
+    RejectDueToIPBlocklist,
+
+    /// <summary>
+    /// The connection should be rejected since it is from a remote IP that is not in the allowlist.
+    /// </summary>
+    RejectDueToNotAllowlistedRemoteIP,
+}