[Swan-dev] addresspool and handing out network/broadcast addresses

Paul Wouters paul at nohats.ca
Sun May 4 22:54:55 EEST 2014

On Fri, 2 May 2014, D. Hugh Redelmeier wrote:

> | subnet= while also handing out 192.0.2.x/32 addresses.
> No, not from the address-pool address range, but from the LAN we
> ourselves are probably on.

No, this one had a left=%defaultroute with rightsubnet=,
and would then get an addresspool range from,
so it would setup a tunnel from to Pretty
atrocious IMHO.

> And likely we
> know the IP address of various furniture within that subnet
> - broadcast
> - gateway
> - local DNS server
> - IP addresses given out by DHCP
> - print server IP address
> - addresses already occupied (based on ARP traffic)
> - ...
> How far do we wish to go down this rathole?

SunOS basically ruined .0 and we shouldn't hand out a broadcast address.
That's as far as I want to go.

> (It sure would be nice if the warnings were apparent to our users, but
> that's another issue.)

We can do that using dbus and NM. Once we have native dbus support, we
can ensure everything that's RC_SERIOUS goes to whack as well as

> If it is our job, why even have them specify an address-pool?  We can
> make it up ourself.

Because the addresspool could be routed/reserved locally with the rest
of the network. You know this :P

> I'm against kludgy software full of heuristics that might break in too
> many interesting ways.
> Blocking and seems arbitrary.
> Doesn't even work for my network, and I have a Class C.

I'm suggesting to block *.*.*.0 and *.*.*.255 irrespective of netmask.
This of course only prevents network/broadcast addresses for the "class
A, B and C" networks. Perhaps we can assume people using differently
sized pool know enough about network/broadcast address to exclude these.

Although we could attempt to convert the range to CIDR and find out if
we understand the broadcast/network address, we might not be able to
know if they specify a random section, eg

> | And if we allowed CIDR syntax, we per definition have this problem too,
> | eg: leftaddresspool= - you cannot really exclude it using
> | that syntax.
> Sure.  But we don't support CIDR syntax for an address-pool.  Maybe
> this is a good reason not to.

If we do allow CIDR, we should again blacklist the first+last address of
the pool to avoid problems.


More information about the Swan-dev mailing list