No longer extend aggregate with /0 ip to combined46

hknutzen · hknutzen · commit 649b4fafe739 · 2025-02-18T13:30:19.000+01:00
diff --git a/go/pkg/pass1/set-zone.go b/go/pkg/pass1/set-zone.go
@@ -670,6 +670,7 @@ func (c *spoc) processAggregates() {
 		func(a, b *network) int {
 			return strings.Compare(a.name, b.name)
 		})
+	var unset netip.Prefix
 	for _, agg := range aggList {
 		process := func(agg *network, z *zone) {
 			// Assure that no other aggregate with same IP and mask
@@ -692,19 +693,30 @@ func (c *spoc) processAggregates() {
 			c.linkAggregateToZone(agg, z)
 		}
 		z := agg.link.zone
-		process(agg, z)
-		// Add non matching aggregate to combined zone.
-		if z2 := z.combined46; z2 != nil && agg.ipp.Bits() == 0 {
-			agg2 := new(network)
-			agg2.name = agg.name
-			agg2.isAggregate = true
-			agg2.ipV6 = !agg.ipV6
-			agg2.ipp = c.getNetwork00(agg2.ipV6).ipp
-			agg.combined46 = agg2
-			agg2.combined46 = agg
-			process(agg2, z2)
+		if agg.ipp == unset {
+			agg.ipp = c.getNetwork00(z.ipV6).ipp
+			agg.ipV6 = z.ipV6
+			process(agg, z)
+			// Add non matching aggregate to combined zone.
+			if z2 := z.combined46; z2 != nil {
+				agg2 := new(network)
+				agg2.name = agg.name
+				agg2.isAggregate = true
+				agg2.ipV6 = z2.ipV6
+				agg2.ipp = c.getNetwork00(agg2.ipV6).ipp
+				if !agg2.ipV6 {
+					agg2.nat = agg.nat
+					agg.nat = nil
+				}
+				agg.combined46 = agg2
+				agg2.combined46 = agg
+				process(agg2, z2)
+			} else if agg.ipV6 && agg.nat != nil {
+				c.err("NAT not supported for IPv6 %s", agg)
+			}
+		} else {
+			process(agg, z)
 		}
-
 	}
 	// Add aggregate to all zones in zone cluster.
 	for _, agg := range aggList {
diff --git a/go/pkg/pass1/setup-objects.go b/go/pkg/pass1/setup-objects.go
@@ -1278,39 +1278,31 @@ func (c *spoc) setupAggregate(v *ast.TopStruct) {
 		}
 	}
 	c.checkDuplAttr(v.Attributes, name)
-	if !hasLink {
-		c.err("Attribute 'link' must be defined for %s", name)
-	} else if net := ag.link; net != nil {
-		if !ag.ipp.IsValid() {
-			ag.ipp = c.getNetwork00(net.ipV6).ipp
-			ag.ipV6 = net.ipV6
-			if net6 := net.combined46; net6 != nil {
-				ag6 := *ag
-				ag6.link = net6
-				ag6.ipp = c.getNetwork00(true).ipp
-				ag6.ipV6 = true
-				ag6.nat = nil
-				ag6.combined46 = ag
-				ag.combined46 = &ag6
-			}
-		} else if ag.ipV6 != ag.link.ipV6 {
+	net := ag.link
+	if net == nil {
+		if !hasLink {
+			c.err("Attribute 'link' must be defined for %s", name)
+		}
+		return
+	}
+	// If no ipAttr is given, this case is handled later when
+	// processing zones.
+	if ipAttr != "" {
+		if ag.ipV6 != net.ipV6 {
 			c.err("Must not link %s address to %s network in %s",
 				ipvx(ag.ipV6), ipvx(ag.link.ipV6), name)
 		}
-		if ag.nat != nil && ag.link.ipV6 {
-			c.err("NAT not supported for IPv6 %s", ag)
-		}
-	}
-	if ag.ipp.Bits() != 0 {
-		for _, a := range v.Attributes {
-			switch a.Name {
-			case "ip", "ip6", "link", "owner",
-				"overlaps", "identical_body", "multi_owner", "has_unenforceable":
-				continue
-			}
-			if !strings.HasPrefix(a.Name, "nat:") {
-				c.err("Must not use attribute '%s' if IP is set for %s",
-					a.Name, name)
+		if ag.ipp.Bits() != 0 {
+			for _, a := range v.Attributes {
+				switch a.Name {
+				case "ip", "ip6", "link", "owner",
+					"overlaps", "identical_body", "multi_owner", "has_unenforceable":
+					continue
+				}
+				if !strings.HasPrefix(a.Name, "nat:") {
+					c.err("Must not use attribute '%s' if IP is set for %s",
+						a.Name, name)
+				}
 			}
 		}
 	}
diff --git a/go/testdata/ipv46-combined.t b/go/testdata/ipv46-combined.t
@@ -987,6 +987,35 @@ Error: Duplicate any:n1-v4 and any:n1-v6 in any:[network:n1-v6]
 Error: Duplicate any:n1-v4 and any:n1-v6 in any:[network:n1-v4]
 =END=
 
+############################################################
+=TITLE=Aggregate with NAT linked to v6 network in combined zone
+=INPUT=
+any:n1-v6 = { link = network:n1-v6; nat:n1 = { ip = 10.9.9.0/24; } }
+network:n1-v6 = { ip6 = 2001:db8:1:6::/64; }
+network:n1 = { ip = 10.1.1.0/24; ip6 = 2001:db8:1:1::/64; }
+network:n2-v4 = { ip = 10.1.2.0/24; }
+router:u = {
+ interface:n1-v6;
+ interface:n1 = { ip = 10.1.1.1; ip6 = 2001:db8:1:1::1; }
+}
+router:r1 = {
+ managed;
+ model = IOS;
+ interface:n1 = { ip = 10.1.1.2; ip6 = 2001:db8:1:1::2; hardware = n1; }
+ interface:n2-v4 = { ip = 10.1.2.1; bind_nat = n1; hardware = n2; }
+}
+service:s1 = {
+ user = network:n2-v4;
+ permit src = user; dst = network:n1; prt = tcp 80;
+}
+=OUTPUT=
+--r1
+ip access-list extended n2_in
+ deny ip any host 10.9.9.2
+ permit tcp 10.1.2.0 0.0.0.255 10.9.9.0 0.0.0.255 eq 80
+ deny ip any any
+=END=
+
 ############################################################
 =TITLE=Bridged network
 =INPUT=
diff --git a/go/testdata/ipv6.t b/go/testdata/ipv6.t
@@ -446,7 +446,6 @@ Aborted
 =TITLE=NAT not supported
 =INPUT=
 area:n1 = { anchor = network:n1; nat:ar = { hidden; } }
-any:n1 = { link = network:n1; nat:ag = { hidden; } }
 network:n1 = {
  ip6 = 2001:db8:1:1::/64; nat:n = { hidden; }
  host:h1 = { ip6 = 2001:db8:1:1::10; nat:h = { ip = 2001:db8:1:ffff::10; } }
@@ -458,6 +457,17 @@ router:r1 = {
 =ERROR=
 Error: NAT not supported for IPv6 host:h1
 Error: NAT not supported for IPv6 network:n1
-Error: NAT not supported for IPv6 any:n1
 Error: NAT not supported for IPv6 area:n1
 =END=
+
+############################################################
+=TITLE=NAT not supported at aggregate
+=INPUT=
+any:n1 = { link = network:n1; nat:ag = { hidden; } }
+network:n1 = {
+ ip6 = 2001:db8:1:1::/64;
+}
+=ERROR=
+Error: NAT not supported for IPv6 any:n1
+Warning: nat:ag is defined, but not bound to any interface
+=END=
