Fixed missing check for attribute 'invisible'

This fixes #43

Author: hknutzen

CHANGELOG.md

@@ -8,6 +8,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 
 ### Fixed
 
+- Secondary optimization is enabled for network having invisible aggregate
+  as supernet.
 - Only matching networks of attribute 'merge_tunnelspecified'
   are added to split-tunnel ACL.
 

go/pkg/pass1/find-subnets.go

@@ -594,7 +594,7 @@ func markSupernetsOfAggregates(
 	identical map[*network]netList,
 ) {
 	for _, a := range networks {
-		if a.isAggregate {
+		if a.isAggregate && !a.invisible {
 			ipp := a.ipp
 			ip := ipp.Addr()
 			bits := ipp.Bits()

go/testdata/ipv6/secondary_ipv6.t

@@ -472,6 +472,89 @@ access-list n2_in extended deny ip any6 any6
 access-group n2_in in interface n2
 =END=
 
+############################################################
+=TITLE=No optimization with same size aggregate in other zone
+=INPUT=
+network:n1 = { ip6 = ::a01:100/120;
+ host:h10 = { ip6 = ::a01:10a; }
+ host:h12 = { ip6 = ::a01:10c; }
+}
+network:n2 = { ip6 = ::a01:200/120; }
+network:n3 = { ip6 = ::a01:300/120; }
+network:n4 = { ip6 = ::a01:400/120; }
+router:r1 = {
+ model = ASA;
+ managed;
+ interface:n1 = { ip6 = ::a01:101; hardware = n1; }
+ interface:n2 = { ip6 = ::a01:201; hardware = n2; }
+ interface:n3 = { ip6 = ::a01:301; hardware = n3; }
+}
+router:r2 = {
+ model = ASA;
+ managed = secondary;
+ interface:n2 = { ip6 = ::a01:202; hardware = n2; }
+ interface:n4 = { ip6 = ::a01:401; hardware = n4; }
+}
+
+service:any = {
+ user = any:[ip6 = ::a01:100/120 & network:n3];
+ permit src = user; dst = network:n2; prt = tcp 80;
+}
+service:s1 = {
+ user = host:h10, host:h12;
+ permit src = user; dst = network:n4; prt = tcp 81;
+}
+=OUTPUT=
+--ipv6/r2
+! n2_in
+object-group network v6g0
+ network-object host ::a01:10a
+ network-object host ::a01:10c
+access-list n2_in extended permit ip object-group v6g0 ::a01:400/120
+access-list n2_in extended deny ip any6 any6
+access-group n2_in in interface n2
+=END=
+
+############################################################
+=TITLE=Optimize with same size invisible aggregate in other zone
+=INPUT=
+network:n1 = { ip6 = ::a01:100/120;
+ host:h10 = { ip6 = ::a01:10a; }
+ host:h12 = { ip6 = ::a01:10c; }
+}
+network:n2 = { ip6 = ::a01:200/120; }
+network:n3 = { ip6 = ::a01:300/120; }
+network:n4 = { ip6 = ::a01:400/120; }
+router:r1 = {
+ model = ASA;
+ managed;
+ interface:n1 = { ip6 = ::a01:101; hardware = n1; }
+ interface:n2 = { ip6 = ::a01:201; hardware = n2; }
+ interface:n3 = { ip6 = ::a01:301; hardware = n3; }
+}
+router:r2 = {
+ model = ASA;
+ managed = secondary;
+ interface:n2 = { ip6 = ::a01:202; hardware = n2; }
+ interface:n4 = { ip6 = ::a01:401; hardware = n4; }
+}
+
+service:any = {
+ user = network:[any:[ip6 = ::a01:100/120 & network:n3]];
+ permit src = user; dst = network:n2; prt = tcp 80;
+}
+service:s1 = {
+ user = host:h10, host:h12;
+ permit src = user; dst = network:n4; prt = tcp 81;
+}
+=OUTPUT=
+--ipv6/r2
+! n2_in
+access-list n2_in extended permit ip ::a01:100/120 ::a01:400/120
+access-list n2_in extended deny ip any6 any6
+access-group n2_in in interface n2
+=END=
+
 ############################################################
 =TITLE=Optimize even if src range is different
 =INPUT=

go/testdata/secondary.t

@@ -472,6 +472,89 @@ access-list n2_in extended deny ip any4 any4
 access-group n2_in in interface n2
 =END=
 
+############################################################
+=TITLE=No optimization with same size aggregate in other zone
+=INPUT=
+network:n1 = { ip = 10.1.1.0/24;
+ host:h10 = { ip = 10.1.1.10; }
+ host:h12 = { ip = 10.1.1.12; }
+}
+network:n2 = { ip = 10.1.2.0/24; }
+network:n3 = { ip = 10.1.3.0/24; }
+network:n4 = { ip = 10.1.4.0/24; }
+router:r1 = {
+ model = ASA;
+ managed;
+ interface:n1 = { ip = 10.1.1.1; hardware = n1; }
+ interface:n2 = { ip = 10.1.2.1; hardware = n2; }
+ interface:n3 = { ip = 10.1.3.1; hardware = n3; }
+}
+router:r2 = {
+ model = ASA;
+ managed = secondary;
+ interface:n2 = { ip = 10.1.2.2; hardware = n2; }
+ interface:n4 = { ip = 10.1.4.1; hardware = n4; }
+}
+
+service:any = {
+ user = any:[ip = 10.1.1.0/24 & network:n3];
+ permit src = user; dst = network:n2; prt = tcp 80;
+}
+service:s1 = {
+ user = host:h10, host:h12;
+ permit src = user; dst = network:n4; prt = tcp 81;
+}
+=OUTPUT=
+--r2
+! n2_in
+object-group network g0
+ network-object host 10.1.1.10
+ network-object host 10.1.1.12
+access-list n2_in extended permit ip object-group g0 10.1.4.0 255.255.255.0
+access-list n2_in extended deny ip any4 any4
+access-group n2_in in interface n2
+=END=
+
+############################################################
+=TITLE=Optimize with same size invisible aggregate in other zone
+=INPUT=
+network:n1 = { ip = 10.1.1.0/24;
+ host:h10 = { ip = 10.1.1.10; }
+ host:h12 = { ip = 10.1.1.12; }
+}
+network:n2 = { ip = 10.1.2.0/24; }
+network:n3 = { ip = 10.1.3.0/24; }
+network:n4 = { ip = 10.1.4.0/24; }
+router:r1 = {
+ model = ASA;
+ managed;
+ interface:n1 = { ip = 10.1.1.1; hardware = n1; }
+ interface:n2 = { ip = 10.1.2.1; hardware = n2; }
+ interface:n3 = { ip = 10.1.3.1; hardware = n3; }
+}
+router:r2 = {
+ model = ASA;
+ managed = secondary;
+ interface:n2 = { ip = 10.1.2.2; hardware = n2; }
+ interface:n4 = { ip = 10.1.4.1; hardware = n4; }
+}
+
+service:any = {
+ user = network:[any:[ip = 10.1.1.0/24 & network:n3]];
+ permit src = user; dst = network:n2; prt = tcp 80;
+}
+service:s1 = {
+ user = host:h10, host:h12;
+ permit src = user; dst = network:n4; prt = tcp 81;
+}
+=OUTPUT=
+--r2
+! n2_in
+access-list n2_in extended permit ip 10.1.1.0 255.255.255.0 10.1.4.0 255.255.255.0
+access-list n2_in extended deny ip any4 any4
+access-group n2_in in interface n2
+=END=
+
 ############################################################
 =TITLE=Optimize even if src range is different
 =INPUT=