hknutzen/Netspoc

Must not mix rules from "managed=local" when finding object-groups


Netspoc combines multiple similar rules to one rule that references object-groups. Access-lists generated by Netspoc never have alternating deny and permit rules. It uses only one set of deny rules at the beginning and one set of permit rules at the end of an access-list. When combining rules, Netspoc can freely change the order of permit rules (and of deny rules).

But if the feature "managed = local" is enabled, additional deny rules are added at the end of an access-list and one additional permit any any rule is added at the very end.

In this situation, Netspoc combines unrelated permit rules by mistake.

Test case

network:n1 = { ip = 10.2.1.0/24; }

router:r = {
 model = ASA;
 managed = local;
 filter_only =  10.2.0.0/16;
 interface:n1 = { ip = 10.2.1.1; hardware = n1; }
 interface:n2 = { ip = 10.2.2.1; hardware = n2; }
}

network:n2 = { ip = 10.2.2.0/24; }

service:t1 = {
 user = any:[network:n1];
 permit src = user; dst = network:n2; prt = ip;
}

Error message:

Internal error in Netspoc::__ANON__: Unexpected object with mask 0  in object-group of router:r

at Netspoc/lib/Netspoc.pm line 16568
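The failure described above, modelled as an added example that is not Netspoc's own code: a merging strategy that collects all permit rules of an ACL regardless of position (valid for the plain deny-then-permit layout) drags the trailing permit any any of managed=local into an object-group, while merging only inside a contiguous run of equal actions keeps it separate. The ACL content, including the deny rules standing in for the filter_only block, is constructed for the illustration.

```python
from dataclasses import dataclass
from itertools import groupby

@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src: str
    dst: str
    prt: str

def merge_run(action, rules):
    """Merge rules of one action that differ only in dst into a single rule
    whose dst is an object-group; order inside the run does not matter."""
    buckets = {}
    for r in rules:
        buckets.setdefault((r.src, r.prt), []).append(r.dst)
    merged = []
    for (src, prt), dsts in buckets.items():
        dst = dsts[0] if len(dsts) == 1 else "object-group(" + ",".join(dsts) + ")"
        merged.append(Rule(action, src, dst, prt))
    return merged

def combine_naive(acl):
    """Position-blind strategy: merge all deny rules and all permit rules of the
    whole ACL. Correct only when the ACL is one deny block followed by one permit block."""
    out = []
    for action in ("deny", "permit"):
        out += merge_run(action, [r for r in acl if r.action == action])
    return out

def combine_by_run(acl):
    """Position-aware strategy: merge only within a contiguous run of equal
    actions, so no permit rule is moved across the deny block of managed=local."""
    out = []
    for action, run in groupby(acl, key=lambda r: r.action):
        out += merge_run(action, list(run))
    return out

# Constructed ACL for router:r from the test case: the service rule, then the
# managed=local deny rules for filter_only, then the trailing permit any any.
ACL_LOCAL = [
    Rule("permit", "any", "10.2.2.0/24", "ip"),
    Rule("deny", "any", "10.2.0.0/16", "ip"),
    Rule("deny", "10.2.0.0/16", "any", "ip"),
    Rule("permit", "any", "any", "ip"),
]

def has_any_in_group(acl):
    """True if some object-group contains 'any', i.e. the mask-0 object the error reports."""
    return any(r.dst.startswith("object-group(")
               and "any" in r.dst[len("object-group("):-1].split(",") for r in acl)
```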

Has been fixed in 847d797