Check if supernet of missing dual stack part is present

Drachionix · Drachionix · commit 80fd145dd560 · 2025-07-07T17:06:51.000+02:00
This closes #30
diff --git a/go/pkg/pass1/normalize-services.go b/go/pkg/pass1/normalize-services.go
@@ -2,6 +2,7 @@ package pass1
 
 import (
 	"net/netip"
+	"slices"
 )
 
 //#############################################################################
@@ -188,19 +189,45 @@ func (c *spoc) checkCombined46(v4, v6 groupObjList, s *service) {
 			m[ob.String()] = true
 		}
 	}
+
+	// Check if supernet of dual stack network is used in service
+	// because the network might be deleted by optimization.
+	checkSup := func(l, ol groupObjList, nm string) bool {
+		i := slices.IndexFunc(l, func(o groupObj) bool {
+			return o.String() == nm
+		})
+		ob := l[i]
+		if net, ok := ob.(*network); ok {
+			otherPart := net.combined46
+			up := otherPart.up
+			for up != nil {
+				if slices.ContainsFunc(ol, func(o groupObj) bool {
+					return o == up
+				}) {
+					return true
+				}
+				up = up.up
+			}
+		}
+		return false
+	}
+
 	for _, ob := range v4 {
 		if ob.isCombined46() && !isOtherAggInCluster(ob) {
 			if m[ob.String()] {
 				delete(m, ob.String())
-			} else {
+			} else if !checkSup(v4, v6, ob.String()) {
 				c.err(
 					"Must not use only IPv4 part of dual stack object %s in %s",
 					ob, s)
 			}
 		}
 	}
+
 	for nm := range m {
-		c.err("Must not use only IPv6 part of dual stack object %s in %s", nm, s)
+		if !checkSup(v6, v4, nm) {
+			c.err("Must not use only IPv6 part of dual stack object %s in %s", nm, s)
+		}
 	}
 }
 
diff --git a/go/testdata/ipv46-combined.t b/go/testdata/ipv46-combined.t
@@ -233,6 +233,56 @@ service:s1 = {
 Error: Must not use only IPv4 part of dual stack object network:n1 in service:s1
 =END=
 
+############################################################
+=TITLE=Ignore optimized deletion of v4 subnet in rule if supernet is present
+=INPUT=
+network:sup0 = { ip = 10.1.0.0/16; }
+network:sup1 = { ip = 10.1.1.0/24; subnet_of = network:sup0; }
+network:n1 = { ip = 10.1.1.0/28; ip6 = 2001:db8:1::/64; subnet_of = network:sup1;}
+network:n2 = { ip = 10.2.2.0/24; ip6 = 2001:db8:2::/64; host:h2 = { ip = 10.2.2.2; ip6 = 2001:db8:2::2; }}
+
+router:u1 = {
+ interface:n1 = { ip = 10.1.1.2; }
+ interface:sup0;
+ interface:sup1;
+}
+
+router:r1 = {
+ managed;
+ model = IOS;
+ interface:n1 = { ip = 10.1.1.1; ip6 = 2001:db8:1::1; hardware = n1; }
+ interface:n2 = { ip = 10.2.2.1; ip6 = 2001:db8:2::1; hardware = n2; }
+}
+service:s1 = {
+ user = network:[any:[network:sup0]];
+ permit src = user; dst = host:h2; prt = tcp 80;
+}
+=WARNING=NONE
+
+############################################################
+=TITLE=Ignore optimized deletion of v6 subnet in rule if supernet is present
+=INPUT=
+network:sup = { ip6 = 2001:db8:1::/60; has_subnets; }
+network:n1 = { ip = 10.1.1.0/24; ip6 = 2001:db8:1:1::/64; }
+network:n2 = { ip = 10.1.2.0/24; ip6 = 2001:db8:9:2::/64; }
+router:u = {
+ interface:sup;
+ interface:n1;
+}
+router:r1 = {
+ managed;
+ routing = manual;
+ model = IOS;
+ interface:n1 = { ip = 10.1.1.1; ip6 = 2001:db8:1:1::1; hardware = n1; }
+ interface:n2 = { ip = 10.1.2.1; ip6 = 2001:db8:9:2::1; hardware = n2; }
+}
+service:s1 = {
+ user = network:[any:[network:sup]];
+ permit src = user; dst = network:n2; prt = tcp 80;
+}
+=WARNING=NONE
+
+
 ############################################################
 =TITLE=Must not use only v4 part of dual stack aggregate in zone cluster
 =INPUT=
