On Sun, 20 Apr 2014, D. Hugh Redelmeier wrote:
> Each conn can have an address pool. If two conns' address pools are identical, they are shared (a single common pool).

Sounds good.

> If two address-pools overlap, but not exactly, each pool is separate in the addresspool logic: each pool could allocate the same address without being aware of it.

I think that's a bug.

> Alternative "I want this to work, dammit" approach: when the second conn is loaded, chop off the overlap from one range or the other (assuming none of the addresses is in use) and proceed. But scenario seems too obscure and insufficiently useful to be worth investing much effort into. (The current simpler addresspool logic has taken a lot of work already.)

That will start showing up failures quickly for small pools. E.g. pools of 8 that get reduced to 4 or 2.

I'm happy with Occam's Razor: if identical, then share; else reject.

However, what happens when one client using 1 ID connects to both conns? Does it get the same IP, or is it "taken"? I don't care much as long as we handle this case without causing server errors.

The alternative is to have pools completely disjoint from connections as their own "entities". I think that would be way overengineered though. I am all in favour of a simple solution, and if it gets too complicated, to hand the job over to something else (e.g. Radius / Diameter or dhcpd).

Paul

_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
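The two behaviours discussed in this thread, as an added example that is not part of the original messages and not libreswan's own addresspool code: `demo_unchecked_overlap` shows the double-allocation bug Hugh describes when two partially overlapping pools are kept as separate entities, and `PoolRegistry` implements the "if identical, share; else reject" rule Paul favours. All class and function names and the 10.1.1.x / 10.1.2.x / 192.0.2.x ranges are constructed for this example.

```python
"""Address-pool registry: share identical pools, reject partial overlaps."""
import ipaddress
from dataclasses import dataclass, field


class PoolOverlapError(ValueError):
    """A new pool partially overlaps an existing, non-identical pool."""


@dataclass
class AddressPool:
    """One range of IPv4 addresses handed out to clients of a conn.

    Hypothetical structure for this example; not libreswan's addresspool code.
    """
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    in_use: set = field(default_factory=set)
    refcount: int = 1  # how many conns share this pool

    def allocate(self):
        """Return the lowest free address, or None if the pool is exhausted."""
        cur = self.start
        while cur <= self.end:
            if cur not in self.in_use:
                self.in_use.add(cur)
                return cur
            cur += 1
        return None

    def release(self, addr):
        """Give an address back to the pool."""
        self.in_use.discard(addr)


class PoolRegistry:
    """Check applied when a conn with an address pool is loaded.

    Identical range -> return the existing pool (shared).
    Disjoint range  -> create a new pool.
    Partial overlap -> reject with PoolOverlapError (the Occam's Razor rule).
    """

    def __init__(self):
        self.pools = []

    def get_or_create(self, first, last):
        s, e = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if s > e:
            raise ValueError(f"bad range {s}-{e}")
        for p in self.pools:
            if p.start == s and p.end == e:
                p.refcount += 1
                return p
            # two closed ranges overlap iff neither lies entirely to one side
            if s <= p.end and e >= p.start:
                raise PoolOverlapError(
                    f"{s}-{e} overlaps existing pool {p.start}-{p.end} "
                    "but is not identical; refusing to load conn")
        p = AddressPool(s, e)
        self.pools.append(p)
        return p


def demo_unchecked_overlap():
    """Reproduce the bug: two separate pools whose ranges overlap.

    Constructed values: pool a covers .1-.8, pool b covers .5-.12. After a has
    handed out five addresses and b one, both believe 10.1.1.5 is theirs.
    """
    a = AddressPool(ipaddress.IPv4Address("10.1.1.1"), ipaddress.IPv4Address("10.1.1.8"))
    b = AddressPool(ipaddress.IPv4Address("10.1.1.5"), ipaddress.IPv4Address("10.1.1.12"))
    from_a = {a.allocate() for _ in range(5)}
    from_b = {b.allocate()}
    return {str(x) for x in from_a & from_b}


def demo_registry():
    """Exercise the registry: share an identical pool, reject a partial overlap, add a disjoint one."""
    reg = PoolRegistry()
    p1 = reg.get_or_create("10.1.1.1", "10.1.1.8")
    p2 = reg.get_or_create("10.1.1.1", "10.1.1.8")   # identical -> shared
    try:
        reg.get_or_create("10.1.1.5", "10.1.1.12")    # partial overlap -> rejected
        rejected = False
    except PoolOverlapError:
        rejected = True
    p3 = reg.get_or_create("10.1.2.1", "10.1.2.8")   # disjoint -> new pool
    return {
        "shared": p1 is p2,
        "refcount": p1.refcount,
        "rejected": rejected,
        "pool_count": len(reg.pools),
        "disjoint_is_new": p3 is not p1,
    }


if __name__ == "__main__":
    print("double allocation without a registry:", demo_unchecked_overlap())
    print("with registry:", demo_registry())
```

The overlap test (`s <= p.end and e >= p.start`) also catches the containment case, where one range lies wholly inside another, which a naive "starts match" comparison would miss; rejecting at load time is what turns the silent double allocation into a visible configuration error.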
