IP is erroneously reused in other rule
hknutzen opened this issue · 0 comments
hknutzen commented
Netspoc combines similar rules by using object-groups.
Inside object-groups, adjacent IP networks are combined into larger IP networks.
The current implementation has an error.
When combining networks of one group, this may affect some similar but unrelated other group, such that the combined network erroneously occurs inside the unrelated group.
Test case:
network:n1 = { ip = 10.1.1.0/24; }
network:n2 = { ip = 10.1.2.0/24; }
network:n3 = { ip = 10.1.3.0/24; }
router:u = {
interface:n1;
interface:n2;
interface:n3 = { ip = 10.1.3.1; }
}
router:r1 = {
managed;
model = ASA;
interface:n3 = { ip = 10.1.3.2; hardware = n3; }
interface:n4 = { ip = 10.1.4.1; hardware = n4; }
}
network:n4 = {
ip = 10.1.4.0/24;
host:h1 = { ip = 10.1.4.10; }
host:h2 = { ip = 10.1.4.12; }
}
group:g1 = network:n1, network:n2;
service:s1 = {
user = group:g1, network:n3;
permit src = user; dst = host:h1; prt = tcp 80;
}
service:s2 = {
user = group:g1;
permit src = user; dst = host:h2; prt = tcp 80;
}
Result:
object-group network g0
network-object 10.1.1.0 255.255.255.0
network-object 10.1.2.0 255.255.254.0
object-group network g1
network-object host 10.1.4.10
network-object host 10.1.4.12
access-list n3_in extended permit tcp object-group g0 object-group g1 eq 80
access-list n3_in extended deny ip any any
access-group n3_in in interface n3
The generated access-list permits 10.1.3.0/24 for both destinations, although this must only be permitted for 10.1.4.10.
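To make the over-permission concrete, here is an added Python example that is not Netspoc's code: it re-implements the adjacent-network merge the issue describes, parses the generated ASA object-groups and access-list, and reports, per service, which source addresses the rule permits beyond what that service's user list covers. The SERVICES table is my own expansion of the two user lists, the ASA text is copied from the issue, and names such as combine_adjacent and over_permitted_sources belong to this example only.

```python
from ipaddress import collapse_addresses, ip_network

# Constructed copy of the ASA output quoted in the issue.
ASA_OUTPUT = """\
object-group network g0
network-object 10.1.1.0 255.255.255.0
network-object 10.1.2.0 255.255.254.0
object-group network g1
network-object host 10.1.4.10
network-object host 10.1.4.12
access-list n3_in extended permit tcp object-group g0 object-group g1 eq 80
access-list n3_in extended deny ip any any
access-group n3_in in interface n3
"""

# Assumed hand expansion of each service's "user" list from the test case:
# service name -> (intended source networks, destination host).
SERVICES = {
    "s1": (["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"], "10.1.4.10"),
    "s2": (["10.1.1.0/24", "10.1.2.0/24"], "10.1.4.12"),
}


def combine_adjacent(networks):
    """Merge equal-sized networks that are the two halves of one supernet,
    e.g. 10.1.2.0/24 + 10.1.3.0/24 -> 10.1.2.0/23, until nothing merges.
    Returns a new sorted list; the caller's list is never modified.
    Assumes the inputs are disjoint, as Netspoc networks are."""
    nets = sorted(set(ip_network(n) for n in networks))
    merged = True
    while merged:
        merged = False
        out = []
        i = 0
        while i < len(nets):
            a = nets[i]
            if (i + 1 < len(nets) and a.prefixlen > 0
                    and a.prefixlen == nets[i + 1].prefixlen
                    and a.supernet() == nets[i + 1].supernet()):
                out.append(a.supernet())  # a and nets[i+1] are its two halves
                i += 2
                merged = True
            else:
                out.append(a)
                i += 1
        nets = out
    return nets


def parse_object_groups(text):
    """Map ASA object-group names to the networks they contain."""
    groups, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("object-group network "):
            current = line.split()[2]
            groups[current] = []
        elif line.startswith("network-object host "):
            groups[current].append(ip_network(line.split()[2] + "/32"))
        elif line.startswith("network-object "):
            _, addr, mask = line.split()
            groups[current].append(ip_network(f"{addr}/{mask}"))
    return groups


def parse_permits(text):
    """Return (src_group, dst_group) for each permit line using two groups."""
    pairs = []
    for line in text.splitlines():
        toks = line.split()
        if "permit" in toks:
            names = [toks[i + 1] for i, t in enumerate(toks) if t == "object-group"]
            if len(names) == 2:
                pairs.append((names[0], names[1]))
    return pairs


def excess_coverage(group_nets, intended_nets):
    """Networks covered by group_nets but not by intended_nets."""
    intended = list(collapse_addresses(intended_nets))
    extra = []
    for net in group_nets:
        pieces = [net]
        for want in intended:
            remaining = []
            for piece in pieces:
                if piece.subnet_of(want):
                    continue  # fully intended, nothing left over
                if want.subnet_of(piece):
                    remaining.extend(piece.address_exclude(want))
                else:
                    remaining.append(piece)  # disjoint, keep as is
            pieces = remaining
        extra.extend(pieces)
    return list(collapse_addresses(extra))


def over_permitted_sources(asa_text, services):
    """Per service: source addresses the rule for its destination host
    permits although the service's user list does not contain them."""
    groups = parse_object_groups(asa_text)
    findings = {}
    for svc, (src_nets, dst_host) in services.items():
        dst = ip_network(dst_host + "/32")
        intended = combine_adjacent(src_nets)
        extra = []
        for src_grp, dst_grp in parse_permits(asa_text):
            if any(dst.subnet_of(n) for n in groups[dst_grp]):
                extra.extend(excess_coverage(groups[src_grp], intended))
        findings[svc] = [str(n) for n in collapse_addresses(extra)]
    return findings


if __name__ == "__main__":
    print(over_permitted_sources(ASA_OUTPUT, SERVICES))
```

Running it reports no excess for s1, whose user list legitimately collapses to 10.1.1.0/24 and 10.1.2.0/23, and 10.1.3.0/24 as excess for s2: its user list is 10.1.1.0/24 and 10.1.2.0/24, which are not the two halves of a common /23 and therefore must not merge, so s2 needs its own object-group instead of sharing g0.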