
Commit b7320b0

committed
Fixed missing check for attribute 'invisible'
This fixes #43
1 parent 8dc4b73 commit b7320b0


4 files changed

+169
-1
lines changed


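--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 ### Fixed
 
+- Secondary optimization is enabled for network having invisible aggregate
+as supernet.
 - Only matching networks of attribute 'merge_tunnelspecified'
 are added to split-tunnel ACL.
 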
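--- a/go/pkg/pass1/find-subnets.go
+++ b/go/pkg/pass1/find-subnets.go
@@ -594,7 +594,7 @@ func markSupernetsOfAggregates(
 identical map[*network]netList,
 ) {
 for _, a := range networks {
-if a.isAggregate {
+if a.isAggregate && !a.invisible {
 ipp := a.ipp
 ip := ipp.Addr()
 bits := ipp.Bits()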
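Review bot: The new condition `if a.isAggregate && !a.invisible {` carries no comment saying why invisible aggregates are excluded from supernet marking, so the next reader has to recover the reason from the changelog and the test cases. I would put a why-comment above the loop, e.g. `// Invisible aggregates (presumably the ones created implicitly by network:[any:[..]]) must not mark their subnets as having a supernet, otherwise secondary optimization is wrongly disabled for those networks.` — the "implicitly created" part is my inference from the added test data, not from this hunk, so it should be confirmed before being written as fact. markSupernetsOfAggregates starts before the hunk and its body continues after it, so I cannot see whether other branches of the function iterate aggregates and need the same guard.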

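--- a/go/testdata/ipv6/secondary_ipv6.t
+++ b/go/testdata/ipv6/secondary_ipv6.t
@@ -472,6 +472,89 @@ access-list n2_in extended deny ip any6 any6
 access-group n2_in in interface n2
 =END=
 
+############################################################
+=TITLE=No optimization with same size aggregate in other zone
+=INPUT=
+network:n1 = { ip6 = ::a01:100/120;
+host:h10 = { ip6 = ::a01:10a; }
+host:h12 = { ip6 = ::a01:10c; }
+}
+network:n2 = { ip6 = ::a01:200/120; }
+network:n3 = { ip6 = ::a01:300/120; }
+network:n4 = { ip6 = ::a01:400/120; }
+router:r1 = {
+model = ASA;
+managed;
+interface:n1 = { ip6 = ::a01:101; hardware = n1; }
+interface:n2 = { ip6 = ::a01:201; hardware = n2; }
+interface:n3 = { ip6 = ::a01:301; hardware = n3; }
+}
+router:r2 = {
+model = ASA;
+managed = secondary;
+interface:n2 = { ip6 = ::a01:202; hardware = n2; }
+interface:n4 = { ip6 = ::a01:401; hardware = n4; }
+}
+
+service:any = {
+user = any:[ip6 = ::a01:100/120 & network:n3];
+permit src = user; dst = network:n2; prt = tcp 80;
+}
+service:s1 = {
+user = host:h10, host:h12;
+permit src = user; dst = network:n4; prt = tcp 81;
+}
+=OUTPUT=
+--ipv6/r2
+! n2_in
+object-group network v6g0
+network-object host ::a01:10a
+network-object host ::a01:10c
+access-list n2_in extended permit ip object-group v6g0 ::a01:400/120
+access-list n2_in extended deny ip any6 any6
+access-group n2_in in interface n2
+=END=
+
+############################################################
+=TITLE=Optimize with same size invisible aggregate in other zone
+=INPUT=
+network:n1 = { ip6 = ::a01:100/120;
+host:h10 = { ip6 = ::a01:10a; }
+host:h12 = { ip6 = ::a01:10c; }
+}
+network:n2 = { ip6 = ::a01:200/120; }
+network:n3 = { ip6 = ::a01:300/120; }
+network:n4 = { ip6 = ::a01:400/120; }
+router:r1 = {
+model = ASA;
+managed;
+interface:n1 = { ip6 = ::a01:101; hardware = n1; }
+interface:n2 = { ip6 = ::a01:201; hardware = n2; }
+interface:n3 = { ip6 = ::a01:301; hardware = n3; }
+}
+router:r2 = {
+model = ASA;
+managed = secondary;
+interface:n2 = { ip6 = ::a01:202; hardware = n2; }
+interface:n4 = { ip6 = ::a01:401; hardware = n4; }
+}
+
+service:any = {
+user = network:[any:[ip6 = ::a01:100/120 & network:n3]];
+permit src = user; dst = network:n2; prt = tcp 80;
+}
+service:s1 = {
+user = host:h10, host:h12;
+permit src = user; dst = network:n4; prt = tcp 81;
+}
+=OUTPUT=
+--ipv6/r2
+! n2_in
+access-list n2_in extended permit ip ::a01:100/120 ::a01:400/120
+access-list n2_in extended deny ip any6 any6
+access-group n2_in in interface n2
+=END=
+
 ############################################################
 =TITLE=Optimize even if src range is different
 =INPUT=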
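Review bot: Both new test cases pin the expected output for `--ipv6/r2` only, and the second case is exactly the one where the generated rule becomes coarser on the secondary device (`permit ip ::a01:100/120 ::a01:400/120` instead of the two host entries). Secondary optimization is only safe because the primary filter r1 still enforces the host-granular rule for service:s1, so I would extend `=OUTPUT=` of the "Optimize with same size invisible aggregate" case with an `--ipv6/r1` block showing that host:h10 and host:h12 remain the only permitted sources there; if the harness only compares the devices listed under `=OUTPUT=`, as the existing cases suggest, this regression would otherwise go unnoticed. The same applies to the two cases added to go/testdata/secondary.t.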

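--- a/go/testdata/secondary.t
+++ b/go/testdata/secondary.t
@@ -472,6 +472,89 @@ access-list n2_in extended deny ip any4 any4
 access-group n2_in in interface n2
 =END=
 
+############################################################
+=TITLE=No optimization with same size aggregate in other zone
+=INPUT=
+network:n1 = { ip = 10.1.1.0/24;
+host:h10 = { ip = 10.1.1.10; }
+host:h12 = { ip = 10.1.1.12; }
+}
+network:n2 = { ip = 10.1.2.0/24; }
+network:n3 = { ip = 10.1.3.0/24; }
+network:n4 = { ip = 10.1.4.0/24; }
+router:r1 = {
+model = ASA;
+managed;
+interface:n1 = { ip = 10.1.1.1; hardware = n1; }
+interface:n2 = { ip = 10.1.2.1; hardware = n2; }
+interface:n3 = { ip = 10.1.3.1; hardware = n3; }
+}
+router:r2 = {
+model = ASA;
+managed = secondary;
+interface:n2 = { ip = 10.1.2.2; hardware = n2; }
+interface:n4 = { ip = 10.1.4.1; hardware = n4; }
+}
+
+service:any = {
+user = any:[ip = 10.1.1.0/24 & network:n3];
+permit src = user; dst = network:n2; prt = tcp 80;
+}
+service:s1 = {
+user = host:h10, host:h12;
+permit src = user; dst = network:n4; prt = tcp 81;
+}
+=OUTPUT=
+--r2
+! n2_in
+object-group network g0
+network-object host 10.1.1.10
+network-object host 10.1.1.12
+access-list n2_in extended permit ip object-group g0 10.1.4.0 255.255.255.0
+access-list n2_in extended deny ip any4 any4
+access-group n2_in in interface n2
+=END=
+
+############################################################
+=TITLE=Optimize with same size invisible aggregate in other zone
+=INPUT=
+network:n1 = { ip = 10.1.1.0/24;
+host:h10 = { ip = 10.1.1.10; }
+host:h12 = { ip = 10.1.1.12; }
+}
+network:n2 = { ip = 10.1.2.0/24; }
+network:n3 = { ip = 10.1.3.0/24; }
+network:n4 = { ip = 10.1.4.0/24; }
+router:r1 = {
+model = ASA;
+managed;
+interface:n1 = { ip = 10.1.1.1; hardware = n1; }
+interface:n2 = { ip = 10.1.2.1; hardware = n2; }
+interface:n3 = { ip = 10.1.3.1; hardware = n3; }
+}
+router:r2 = {
+model = ASA;
+managed = secondary;
+interface:n2 = { ip = 10.1.2.2; hardware = n2; }
+interface:n4 = { ip = 10.1.4.1; hardware = n4; }
+}
+
+service:any = {
+user = network:[any:[ip = 10.1.1.0/24 & network:n3]];
+permit src = user; dst = network:n2; prt = tcp 80;
+}
+service:s1 = {
+user = host:h10, host:h12;
+permit src = user; dst = network:n4; prt = tcp 81;
+}
+=OUTPUT=
+--r2
+! n2_in
+access-list n2_in extended permit ip 10.1.1.0 255.255.255.0 10.1.4.0 255.255.255.0
+access-list n2_in extended deny ip any4 any4
+access-group n2_in in interface n2
+=END=
+
 ############################################################
 =TITLE=Optimize even if src range is different
 =INPUT=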
