[Swan-dev] virutal-private [was: overlapping address pools]

Paul Wouters paul at nohats.ca
Tue Apr 22 04:30:42 EEST 2014

On Mon, 21 Apr 2014, D. Hugh Redelmeier wrote:

> Consider
> 	virtual_private=%v4:!,%v4:
> No addresses are private in this case.  I imagine that that surprises
> you.
> Consider
> 	virtual_private=%v4:,%v4:!,%v4:
> In this one, the /24 will not have an effect.

I see. Those cases are unexpected (thoug understandable)

> | If multiple includes overlap, why would we care as long as we match it?
> | If multiple excludes overlap, why would we care as long as we match it?
> any matching exclude (no matter how broad) trumps any include (no
> matter how narrow).

So it is failing on the side of caution. I do think that longest prefix
first match, regardless of include or exclude, would be more intuitive
and the right thing to do.

> Note: I don't see a disaster here, only an awkwardness and a surprise.
> My guess is that most virtual-private specifications are simple and
> don't hit this lack of expressive power.

Yes, but bigger deploymentments could definitely hit this, especially
after some organic (unmanaged) growth or acquisitions.


More information about the Swan-dev mailing list