hknutzen/Netspoc

Inconsistent subnet relation with NAT

Closed this issue · 0 comments

This example isn't handled correctly:

network:n1 = {
 ip = 10.1.1.0/24;
 nat:N = { ip = 10.9.9.0/24; }
}
network:n1_sub = {
 ip = 10.1.1.64/26;
 nat:N = { ip = 10.8.8.64/26; }
 subnet_of = network:n1;
}
router:u = {
 interface:n1;
 interface:n1_sub;
}

router:asa1 = {
 managed;
 model = ASA;
 routing = manual;
 interface:n1_sub = { ip = 10.1.1.65; hardware = n1; }
 interface:n2 = { ip = 10.1.2.1; hardware = n2; bind_nat = N; }
}

network:n2 = { ip = 10.1.2.0/24; }

service:s1 = {
 user = network:n1_sub;
 permit src = network:n2; dst = user; prt = tcp 80;
}
service:s2 = {
 user = network:n1;
 permit src = network:n2; dst = user; prt = tcp 80;
}

Currently we get a

Warning: Redundant rules in service:s1 compared to service:s2:
  permit src=network:n2; dst=network:n1_sub; prt=tcp 80; of service:s1
< permit src=network:n2; dst=network:n1; prt=tcp 80; of service:s2

but this isn't correct, because n1_sub isn't redundant.
We should reject this as an ambiguous subnet relation from NAT instead.
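The following added example (not Netspoc's own code, and not the issue author's) models the topology above with a constructed dictionary and Python's `ipaddress` module. It evaluates the `subnet_of` relation once per NAT domain: on the untranslated side n1_sub really is inside n1, but on the side of interface:n2, where `bind_nat = N` applies, n1_sub appears as 10.8.8.64/26 and n1 as 10.9.9.0/24, so the relation no longer holds. A relation that flips between domains is classified as ambiguous, which is the check the issue asks for, and the redundancy test shows why the warning is wrong: for traffic from n2 the rule to n1_sub is not covered by the rule to n1. The domain labels `None` (no NAT) and `"N"` and all function names are assumptions of this example.

```python
import ipaddress

# Constructed model of the issue's topology; not Netspoc's own data structures.
# Each network carries its real address and its translated address per NAT tag.
NETWORKS = {
    "n1":     {"ip": "10.1.1.0/24",  "nat": {"N": "10.9.9.0/24"},  "subnet_of": None},
    "n1_sub": {"ip": "10.1.1.64/26", "nat": {"N": "10.8.8.64/26"}, "subnet_of": "n1"},
    "n2":     {"ip": "10.1.2.0/24",  "nat": {},                    "subnet_of": None},
}

# NAT domains present in the example: the untranslated side (n1, n1_sub),
# and the side behind interface:n2 where bind_nat = N is active.
NAT_DOMAINS = (None, "N")


def visible_address(networks, name, nat_tag):
    """Address of a network as seen from the NAT domain identified by nat_tag."""
    net = networks[name]
    addr = net["nat"].get(nat_tag, net["ip"]) if nat_tag else net["ip"]
    return ipaddress.ip_network(addr)


def subnet_relation_per_domain(networks, sub, big, domains):
    """Map each NAT domain to whether `sub` lies inside `big` in that domain."""
    return {
        d: visible_address(networks, sub, d).subnet_of(visible_address(networks, big, d))
        for d in domains
    }


def classify_subnet_relation(networks, sub, big, domains):
    """'subnet' if the relation holds in every domain, 'none' if in no domain,
    'ambiguous' if it depends on the NAT domain (the situation in this issue)."""
    verdicts = set(subnet_relation_per_domain(networks, sub, big, domains).values())
    if verdicts == {True}:
        return "subnet"
    if verdicts == {False}:
        return "none"
    return "ambiguous"


def find_ambiguous_subnet_relations(networks, domains):
    """Return every declared subnet_of pair whose relation changes with NAT.
    These are the pairs a checker should reject instead of reasoning about
    rule redundancy from the real addresses alone."""
    return sorted(
        (name, net["subnet_of"])
        for name, net in networks.items()
        if net["subnet_of"]
        and classify_subnet_relation(networks, name, net["subnet_of"], domains) == "ambiguous"
    )


def rule_is_redundant(networks, dst_small, dst_big, src_nat_tag):
    """A rule to dst_small is covered by a rule to dst_big only if the subnet
    relation holds in the NAT domain of the rule's source, because that is the
    side that sees the (possibly translated) destination addresses."""
    return visible_address(networks, dst_small, src_nat_tag).subnet_of(
        visible_address(networks, dst_big, src_nat_tag)
    )


if __name__ == "__main__":
    print(subnet_relation_per_domain(NETWORKS, "n1_sub", "n1", NAT_DOMAINS))
    print(find_ambiguous_subnet_relations(NETWORKS, NAT_DOMAINS))
    # Traffic from network:n2 lives in NAT domain N, so s1 is not redundant to s2.
    print(rule_is_redundant(NETWORKS, "n1_sub", "n1", "N"))
```

Run as a script it prints the per-domain verdicts, the single ambiguous pair `(n1_sub, n1)`, and `False` for the redundancy test in domain N; the same pair evaluated without NAT returns `True`, which is exactly the view that produces the misleading warning.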