On Sun, Apr 20, 2014 at 07:43:50PM -0400, D. Hugh Redelmeier wrote:
> | From: Antony Antony <[email protected]>
>
> | It would be nice to have an option to assign unique addresses. When there
> | is an overlap, the new pool marks the unused overlapping addresses in the
> | old pool as used. If an address is already in use in an old pool, mark it
> | used in the new pool.
>
> That's the kind of logic that I tried to portray as theoretically
> useful but probably used rarely enough that it isn't worth the
> considerable effort of coding, testing, and documenting. What's the
> use-case?
Let's say I create a conn with an addresspool and everything is working
fine. However, now I want to test a new conn with different IKE/ISAKMP
parameters such as port number, IKE algorithm, authby.... Then I would
take a part of the old address pool, a small range which is contained in
the big one, and create a different conn with new IKE parameters.

The alternative is to create a new conn with the exact same addresspool
range as the previous one, which probably is not a bad solution.

Also I realized that if I really want, I can take a single address from
an addresspool and configure it as a /32 leftsubnet. The proposed partial
overlap check will not prohibit that :)

> | In libreswan, as far as I know, there is no overlap check for a subnet. An
> | address pool is very similar to a subnet; imagine it as a /32 subnet.
> | You could even replace it with a subnet. If a subnet overlaps with another
> | subnet there is no warning. Then I am wondering why treat an addresspool
> | overlap as an error?
>
> When two subnets overlap, one contains the other (they can be the
> same, in which case they contain each other). That's simpler than
> IP-address ranges that are used for addresspools. Especially when
> considering more than two.
>
> Libreswan assigns from the addresspool. Subnet assignment isn't our
> business.

Libreswan assigns from a user-configured addresspool. So I think
addresspool and subnet assignments are similar.

Anyway, let's agree that a partial overlap between addresspools will be
rejected. I will make the change.

regards,
-antony

_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
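A worked illustration of the overlap classes argued over in this thread, added here as an example; it is not libreswan code, and the type and function names (ip_range, range_overlap, addresspool_acceptable, cidr_range, cidr_partial_count) are invented for this page. It classifies two inclusive IPv4 ranges as disjoint, identical, nested, or partially overlapping; applies the policy agreed above (only a partial overlap between addresspools is rejected, so Antony's "small range contained in the big one" and the /32 slice both pass); and checks Hugh's point that two CIDR subnets can only nest or be disjoint, by trying every prefix-length pair for two addresses and counting how often the partial case occurs. The addresses used are documentation ranges chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Inclusive IPv4 range in host byte order (hypothetical type, not libreswan's). */
struct ip_range {
    uint32_t lo;
    uint32_t hi;
};

enum overlap {
    OVERLAP_NONE,    /* disjoint */
    OVERLAP_SAME,    /* identical */
    OVERLAP_A_IN_B,  /* a lies inside b */
    OVERLAP_B_IN_A,  /* b lies inside a */
    OVERLAP_PARTIAL  /* they intersect, but neither contains the other */
};

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Classify how range a relates to range b. */
static enum overlap range_overlap(struct ip_range a, struct ip_range b)
{
    if (a.hi < b.lo || b.hi < a.lo)
        return OVERLAP_NONE;
    if (a.lo == b.lo && a.hi == b.hi)
        return OVERLAP_SAME;
    if (a.lo >= b.lo && a.hi <= b.hi)
        return OVERLAP_A_IN_B;
    if (b.lo >= a.lo && b.hi <= a.hi)
        return OVERLAP_B_IN_A;
    return OVERLAP_PARTIAL;
}

/*
 * The policy agreed in the thread: a new pool may be disjoint from,
 * identical to, or nested with every existing pool; only a partial
 * overlap is rejected.  Returns 1 if acceptable, 0 if rejected.
 */
static int addresspool_acceptable(struct ip_range new_pool,
                                  const struct ip_range *existing, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (range_overlap(new_pool, existing[i]) == OVERLAP_PARTIAL)
            return 0;
    return 1;
}

/* Inclusive range covered by addr/prefix (prefix 0..32). */
static struct ip_range cidr_range(uint32_t addr, unsigned prefix)
{
    uint32_t mask = prefix == 0 ? 0 : 0xffffffffu << (32 - prefix);
    struct ip_range r = { addr & mask, (addr & mask) | ~mask };
    return r;
}

/*
 * Hugh's observation: two CIDR subnets either nest or are disjoint.
 * Count the (prefix1, prefix2) pairs for which the subnets containing
 * addr1 and addr2 are classified PARTIAL.  For aligned power-of-two
 * blocks this is always 0, which is exactly what makes a subnet
 * overlap check simpler than an arbitrary-range one.
 */
static int cidr_partial_count(uint32_t addr1, uint32_t addr2)
{
    int partial = 0;
    for (unsigned p1 = 0; p1 <= 32; p1++)
        for (unsigned p2 = 0; p2 <= 32; p2++)
            if (range_overlap(cidr_range(addr1, p1),
                              cidr_range(addr2, p2)) == OVERLAP_PARTIAL)
                partial++;
    return partial;
}

int main(void)
{
    /* Constructed sample pools from the 192.0.2.0/24 documentation range. */
    struct ip_range big = { IP4(192, 0, 2, 10), IP4(192, 0, 2, 100) };   /* existing pool */
    struct ip_range small = { IP4(192, 0, 2, 20), IP4(192, 0, 2, 30) };  /* slice of it */
    struct ip_range straddle = { IP4(192, 0, 2, 50), IP4(192, 0, 2, 150) };

    printf("slice of existing pool: %s\n",
           addresspool_acceptable(small, &big, 1) ? "accepted" : "rejected");
    printf("single /32 from the pool: %s\n",
           addresspool_acceptable(cidr_range(IP4(192, 0, 2, 42), 32), &big, 1)
               ? "accepted" : "rejected");
    printf("pool straddling the boundary: %s\n",
           addresspool_acceptable(straddle, &big, 1) ? "accepted" : "rejected");
    printf("partial CIDR overlaps found: %d\n",
           cidr_partial_count(IP4(10, 1, 2, 3), IP4(10, 1, 200, 9)));
    return 0;
}
```

Note that range_overlap treats ranges as closed intervals, so a one-address pool and a /32 subnet are the same thing to it, which is why the /32 slice passes the same check as the nested range.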
