established not added when using object-groups on cisco or ciscoxr

[jbotello7381]

When using object-groups as part of the target:: ciscoxr parameters the output doesn't include the established keyword.

With object-group keyword

example .pol

header {
  target:: ciscoxr INBOUND_INTERNET_V4 object-group
}

term accept-tcp-replies {
  comment:: "Allow tcp replies to internal hosts."
  destination-address:: INTERNAL
  protocol:: tcp
  option:: established
  action:: accept
}

term permit-offices {
  comment:: "Allow Remote Offices"
  destination-address:: REMOTE_OFFICES
  action:: accept
}

term permit-login-queue {
  comment:: "Allow Login Queue Servers"
  destination-address:: LQ_SERVERS
  protocol:: tcp
  destination-port:: LOGINQUEUE
  action:: accept
  logging:: true
}

term default-permit {
  comment:: "Allow what's left."
  action:: deny
}

Output

object-group network ipv4 INTERNAL
 10.0.0.0/8
 172.16.0.0/12
 192.168.0.0/16
exit

object-group port 1024-65535
 range 1024 65535
exit

object-group network ipv4 REMOTE_OFFICES
 200.1.0.0/19
 200.2.1.0/24
 200.5.1.0/24
exit

object-group network ipv6 REMOTE_OFFICES
 2620:0:10a1::/48
exit

object-group network ipv4 LQ_SERVERS
 10.0.0.64/29
exit

object-group port 80-80
 eq 80
exit

object-group port 443-443
 eq 443
exit

! $Id:$
! $Date:$
! $Revision:$
no ipv4 access-list INBOUND_INTERNET_V4
ipv4 access-list INBOUND_INTERNET_V4
 remark $Id:$

 remark accept-tcp-replies
 remark Allow tcp replies to internal hosts.
 permit tcp any net-group INTERNAL port-group 1024-65535

 remark permit-offices
 remark Allow Remote Offices
 permit ip any net-group REMOTE_OFFICES

 remark permit-login-queue
 remark Allow Login Queue Servers
 permit tcp any net-group LQ_SERVERS port-group 80-80
 permit tcp any net-group LQ_SERVERS port-group 443-443

 remark default-permit
 remark Allow what's left.
 deny ip any any

Without object-group keyword

header {
  target:: ciscoxr INBOUND_INTERNET_V4
}


term accept-tcp-replies {
  comment:: "Allow tcp replies to internal hosts."
  destination-address:: INTERNAL
  protocol:: tcp
  option:: established
  action:: accept
}


term permit-offices {
  comment:: "Allow Remote Offices"
  destination-address:: REMOTE_OFFICES
  action:: accept
}

term permit-login-queue {
  comment:: "Allow Login Queue Servers"
  destination-address:: LQ_SERVERS
  protocol:: tcp
  destination-port:: LOGINQUEUE
  action:: accept
  logging:: true
}

term default-permit {
  comment:: "Allow what's left."
  action:: deny
}

Output

! $Id:$
! $Date:$
! $Revision:$
no ipv4 access-list INBOUND_INTERNET_V4
ipv4 access-list INBOUND_INTERNET_V4
 remark $Id:$

 remark accept-tcp-replies
 remark Allow tcp replies to internal hosts.
 permit tcp any 10.0.0.0 0.255.255.255 range 1024 65535 established
 permit tcp any 172.16.0.0 0.15.255.255 range 1024 65535 established
 permit tcp any 192.168.0.0 0.0.255.255 range 1024 65535 established

 remark permit-offices
 remark Allow Remote Offices
 permit ipv4 any 200.1.0.0 0.0.31.255
 permit ipv4 any 200.2.1.0 0.0.0.255
 permit ipv4 any 200.5.1.0 0.0.0.255

 remark permit-login-queue
 remark Allow Login Queue Servers
 permit tcp any  10.0.0.64/29 0.0.0.7 eq 80 log
 permit tcp any  10.0.0.64/29 0.0.0.7 eq 443 log

 remark default-permit
 remark Allow what's left.
 deny ipv4 any any

exit

Similar behavior also occurs when adding the logging:: option. As shown on permit-login-queue term. When using object-groups, the "log" keyword is not added.

I can open a different issue for the log but seems to be related.

thanks

[sjtarik]

I would be really careful while using cisco object groups with capirca. not only options but icmp types are not supported and silently ignored I believe. also check what is the ip addresses you would get if you have multiple object groups in the same statement since we have another bug #121 in that area. also for IOS XE object group syntax not supported.