Fixed handling of 'ipv4_only' with 'foreach'

hknutzen · hknutzen · commit 39768b5a1616 · 2026-02-13T11:38:13.000+01:00
This closes #52
diff --git a/go/pkg/pass1/normalize-services.go b/go/pkg/pass1/normalize-services.go
@@ -1,6 +1,7 @@
 package pass1
 
 import (
+	"fmt"
 	"slices"
 )
 
@@ -160,6 +161,7 @@ func (c *spoc) splitCombined46(l groupObjList, s *service,
 		} else if check && obj.isIPv6() != s.ipV6Only {
 			c.err("Must not use %s %s with 'ipv%s_only' of %s",
 				ipvx(obj.isIPv6()), obj, cond(s.ipV6Only, "6", "4"), s)
+			continue
 		}
 		if obj.isIPv6() {
 			v6.push(obj)
@@ -171,9 +173,6 @@ func (c *spoc) splitCombined46(l groupObjList, s *service,
 }
 
 func (c *spoc) checkCombined46(v4, v6 groupObjList, s *service) {
-	if s.ipV4Only || s.ipV6Only {
-		return
-	}
 	isOtherAggInCluster := func(ob groupObj) bool {
 		if agg, ok := ob.(*network); ok && agg.isAggregate {
 			if z := agg.zone; z != z.cluster[0] {
@@ -248,14 +247,6 @@ func (c *spoc) normalizeSrcDstList(
 			c.checkCombined46(dstList4, dstList6, s)
 		}
 	} else {
-		if s.ipV4Only {
-			c.err("Must not use 'ipv4_only' in %s,"+
-				" because no combined IPv4/IPv6 objects are in use", s)
-		}
-		if s.ipV6Only {
-			c.err("Must not use 'ipv6_only' in %s,"+
-				" because no combined IPv4/IPv6 objects are in use", s)
-		}
 		if srcList4 != nil && dstList6 != nil {
 			c.err("Must not use IPv4 %s and IPv6 %s together in %s",
 				srcList4[0], dstList6[0], s)
@@ -324,7 +315,7 @@ func (c *spoc) normalizeSrcDstList(
 func (c *spoc) normalizeServiceRules(s *service, sRules *serviceRules) {
 	user := c.expandUser(s)
 	hasRules := false
-	for _, uRule := range s.rules {
+	for i, uRule := range s.rules {
 		deny := uRule.action == "deny"
 		var store *serviceRuleList
 		if deny {
@@ -338,8 +329,10 @@ func (c *spoc) normalizeServiceRules(s *service, sRules *serviceRules) {
 			continue
 		}
 		simplePrtList, complexPrtList := classifyProtocols(prtList)
+		has46 := false
 		process := func(elt groupObjList) {
-			srcDstListPairs, has46 := c.normalizeSrcDstList(uRule, elt, s)
+			srcDstListPairs, is46Rule := c.normalizeSrcDstList(uRule, elt, s)
+			has46 = has46 || is46Rule
 			for _, srcDstList := range srcDstListPairs {
 				srcList, dstList := srcDstList[0], srcDstList[1]
 				if srcList != nil || dstList != nil {
@@ -404,6 +397,25 @@ func (c *spoc) normalizeServiceRules(s *service, sRules *serviceRules) {
 		} else {
 			process(user)
 		}
+		if !has46 {
+			inRule := func() string {
+				if len(s.rules) > 1 {
+					return fmt.Sprintf("for rule %d of %s", i+1, s)
+				} else {
+					return fmt.Sprintf("in %s", s)
+				}
+			}
+			if s.ipV4Only {
+				c.warn("Ignoring 'ipv4_only' %s,"+
+					" because no combined IPv4/IPv6 objects are in use",
+					inRule())
+			}
+			if s.ipV6Only {
+				c.warn("Ignoring 'ipv6_only' %s,"+
+					" because no combined IPv4/IPv6 objects are in use",
+					inRule())
+			}
+		}
 	}
 	if !hasRules && len(user) == 0 {
 		c.warn("Must not define %s with empty users and empty rules", s.name)
diff --git a/go/testdata/ipv46-combined.t b/go/testdata/ipv46-combined.t
@@ -150,13 +150,15 @@ network:n1 = { ip6 = 2001:db8:1:1::/64; }
 network:n2 = { ip6 = 2001:db8:1:2::/64; }
 network:n3 = { ip = 10.1.3.0/24; }
 network:n4 = { ip = 10.1.4.0/24; }
+network:n5 = { ip = 10.1.5.0/24; ip6 = 2001:db8:1:5::/64; }
 router:r1 = {
  managed;
  model = ASA;
  interface:n1 = { ip6 = 2001:db8:1:1::1; hardware = n1; }
  interface:n2 = { ip6 = 2001:db8:1:2::1; hardware = n2; }
  interface:n3 = { ip = 10.1.3.1; hardware = n3; }
  interface:n4 = { ip = 10.1.4.1; hardware = n4; }
+ interface:n5 = { ip = 10.1.5.1; ip6 = 2001:db8:1:5::1; hardware = n5; }
 }
 
 service:s1 = {
@@ -167,11 +169,12 @@ service:s1 = {
 service:s2 = {
  ipv4_only;
  user = network:n3;
- permit src = user; dst = network:n4; prt = tcp 80;
+ permit src = user; dst = network:n5; prt = tcp 80;
+ permit src = user; dst = network:n4; prt = tcp 81;
 }
-=ERROR=
-Error: Must not use 'ipv6_only' in service:s1, because no combined IPv4/IPv6 objects are in use
-Error: Must not use 'ipv4_only' in service:s2, because no combined IPv4/IPv6 objects are in use
+=WARNING=
+Warning: Ignoring 'ipv6_only' in service:s1, because no combined IPv4/IPv6 objects are in use
+Warning: Ignoring 'ipv4_only' for rule 2 of service:s2, because no combined IPv4/IPv6 objects are in use
 =END=
 
 ############################################################
@@ -237,6 +240,40 @@ service:s1 = {
 Error: Must not use only IPv6 part of dual stack object network:n1 in service:s1
 =END=
 
+############################################################
+=TITLE=Dual stack aggregates in zone cluster
+# Must not show this error message:
+# Must not use only IPv4 part of dual stack object any:[network:n1]
+=INPUT=
+network:n0 = { ip = 10.1.0.0/24; ip6 = 2001:db8:1:0::/64; }
+network:n1 = { ip = 10.1.1.0/24; ip6 = 2001:db8:1:1::/64; }
+network:n2 = { ip = 10.1.2.0/24; ip6 = 2001:db8:1:2::/64; }
+router:u = {
+ managed = routing_only;
+ model = IOS;
+ interface:n0 = { ip = 10.1.0.1; ip6 = 2001:db8:1:0::1; hardware = n0; }
+ interface:n1 = { ip = 10.1.1.2; ip6 = 2001:db8:1:1::2; hardware = n1; }
+}
+router:r1 = {
+ managed;
+ routing = manual;
+ model = IOS;
+ interface:n1 = { ip = 10.1.1.1; ip6 = 2001:db8:1:1::1; hardware = n1; }
+ interface:n2 = { ip = 10.1.2.1; ip6 = 2001:db8:1:2::1; hardware = n2; }
+}
+service:s1 = {
+ user = any:[network:n0];
+ permit src = network:n2; dst = user; prt = tcp 80;
+}
+=OUTPUT=
+--r1
+ip access-list extended n2_in
+ deny ip any host 10.1.1.1
+ deny ip any host 10.1.2.1
+ permit tcp 10.1.2.0 0.0.0.255 any eq 80
+ deny ip any any
+=END=
+
 ############################################################
 =TITLE=Aggregate from IPv6 network in dual stack zone cluster
 =INPUT=
@@ -2259,3 +2296,53 @@ service:s4 = {
  permit src = network:[user]; dst = user; prt = tcp 22;
 }
 =WARNING=NONE
+
+############################################################
+=TITLE=V4 only and dual stack objects in service with ipv4_only + foreach
+=INPUT=
+network:n1 = { ip = 10.1.1.0/24; }
+network:n2 = { ip = 10.1.2.0/24; ip6 = 2001:db8:1:2::/64; }
+router:r1 = {
+ managed;
+ model = IOS;
+ interface:n1 = { ip = 10.1.1.1; hardware = n1; }
+ interface:n2 = { ip = 10.1.2.1; ip6 = 2001:db8:1:2::1; hardware = n2; }
+}
+service:s1 = {
+ ipv4_only;
+ user = foreach interface:r1.[all];
+ permit src = any:[user]; dst = user; prt = icmp 8;
+}
+=OUTPUT=
+--r1
+! [ ACL ]
+ip access-list extended n1_in
+ permit icmp any host 10.1.1.1 8
+ deny ip any any
+--
+ip access-list extended n2_in
+ permit icmp any host 10.1.2.1 8
+ deny ip any any
+--ipv6/r1
+! [ ACL ]
+ipv6 access-list n2_in
+ deny ipv6 any any
+=END=
+
+############################################################
+=TITLE=Service with ipv4_only + foreach having only v4 objects
+=INPUT=
+network:n1 = { ip = 10.1.1.0/24; }
+router:r1 = {
+ managed;
+ model = IOS;
+ interface:n1 = { ip = 10.1.1.1; hardware = n1; }
+}
+service:s1 = {
+ ipv4_only;
+ user = foreach interface:r1.[all];
+ permit src = any:[user]; dst = user; prt = icmp 8;
+}
+=WARNING=
+Warning: Ignoring 'ipv4_only' in service:s1, because no combined IPv4/IPv6 objects are in use
+=END=
