[Swan-dev] virtual-private [was: overlapping address pools]

Paul Wouters paul at nohats.ca
Tue Apr 22 02:52:21 EEST 2014


On Mon, 21 Apr 2014, D. Hugh Redelmeier wrote:

> | From: D. Hugh Redelmeier <hugh at mimosa.com>
> | Subject: Re: [Swan-dev] overlapping address pools
>
> | When two subnets overlap, one contains the other (they can be the
> | same, in which case they contain each other).  That's simpler than
> | IP-address ranges that are used for addresspools.  Especially when
> | considering more than two.
>
> There are two virtual-private subnet lists: inclusive and exclusive.
> An address is considered private if it is covered by at least one
> subnet in the inclusive list and no subnet in the exclusive list.
>
> No consideration is given to overlap.

What overlap are you thinking of?  The most common case is like:

 	virtual_private=%v4:10.0.0.0/8,%v4:!10.0.0.0/24

I guess this is not the overlap you mean? 10.0.0.2/32 should get
rejected here, but 10.1.2.3/32 would not get rejected.

If multiple includes overlap, why would we care as long as we match it?
If multiple excludes overlap, why would we care as long as we match it?

> It seems to me that the conventional test would be:
>
>    What is the smallest subnet that includes the address in question?
>    If it is in the inclusive set, the address is private.

I believe that is already the case? See the above example.

> Also, it would seem to be a mistake to have the same subnet appear
> twice or more (either in the same or different lists).  This would be
> a mistake in the lists.

Seems a pretty harmless mistake. We could ignore the second one and log
a warning. Causing an error seems excessive and might break things.

Paul
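The two matching rules discussed in this message, as an added worked example (not libreswan's own code): a toy parser for the `%v4:`/`%v6:` form of `virtual_private=` used above, Paul's suggested handling of duplicate entries (drop the second one and record a warning), and both candidate rules side by side. The "at least one include and no exclude" rule is the one Hugh quotes; the "smallest containing subnet wins" rule is the alternative he proposes. On Paul's example they agree (10.0.0.2/32 rejected, 10.1.2.3/32 accepted), and the third configuration in the test shows where they diverge: an include nested inside an exclude. The extension of the first rule to multi-address subnets (whole subnet inside an include, no overlap with any exclude) is an assumption of this example, not something the thread states.

```python
"""Toy model of two virtual_private matching rules from the Swan-dev thread.

This is an added illustration, not libreswan's code.  It understands only
%v4:/%v6: entries, optionally negated with '!', as in the example above.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VirtualPrivate:
    include: list = field(default_factory=list)   # networks after %v4:/%v6:
    exclude: list = field(default_factory=list)   # networks after %v4:!/%v6:!
    warnings: list = field(default_factory=list)  # duplicates, warned not fatal


def parse_virtual_private(value):
    """Split a virtual_private= string into inclusive and exclusive lists.

    A subnet that already appears in either list is ignored with a warning
    (first occurrence wins) instead of being treated as a config error.
    """
    vp = VirtualPrivate()
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue
        if entry.startswith("%v4:"):
            family, body = 4, entry[4:]
        elif entry.startswith("%v6:"):
            family, body = 6, entry[4:]
        else:
            raise ValueError(f"unsupported virtual_private entry: {entry!r}")
        negate = body.startswith("!")
        net = ipaddress.ip_network(body[1:] if negate else body, strict=False)
        if net.version != family:
            raise ValueError(f"{entry!r}: address family does not match prefix")
        if net in vp.include or net in vp.exclude:
            vp.warnings.append(f"duplicate virtual_private entry ignored: {entry}")
            continue
        (vp.exclude if negate else vp.include).append(net)
    return vp


def is_private_any_include_no_exclude(vp, subnet):
    """Rule as quoted in the thread: covered by at least one include and by
    no exclude.  For a multi-address subnet this implementation requires
    the whole subnet to sit inside an include and to overlap no exclude
    (an assumption of this example)."""
    net = ipaddress.ip_network(subnet, strict=False)
    includes = [n for n in vp.include if n.version == net.version]
    excludes = [n for n in vp.exclude if n.version == net.version]
    if not any(net.subnet_of(inc) for inc in includes):
        return False
    return not any(net.overlaps(exc) for exc in excludes)


def is_private_longest_match(vp, subnet):
    """Rule Hugh proposes: take the smallest configured subnet that contains
    the candidate; the candidate is private iff that entry is an include."""
    net = ipaddress.ip_network(subnet, strict=False)
    candidates = [(n, True) for n in vp.include
                  if n.version == net.version and net.subnet_of(n)]
    candidates += [(n, False) for n in vp.exclude
                   if n.version == net.version and net.subnet_of(n)]
    if not candidates:
        return False
    _, is_include = max(candidates, key=lambda c: c[0].prefixlen)
    return is_include


if __name__ == "__main__":
    vp = parse_virtual_private("%v4:10.0.0.0/8,%v4:!10.0.0.0/24")
    for client in ("10.0.0.2/32", "10.1.2.3/32", "192.168.1.1/32"):
        print(client,
              is_private_any_include_no_exclude(vp, client),
              is_private_longest_match(vp, client))
```

The two rules only disagree when an include is more specific than an exclude that covers it, e.g. `%v4:10.0.0.0/8,%v4:!10.0.0.0/24,%v4:10.0.0.5/32`: the first rule rejects 10.0.0.5 because an exclude covers it, the longest-match rule accepts it because the /32 include is the most specific entry. That is the overlap case where the choice of rule is visible to a client.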
