On Sun, May 04, 2014 at 03:54:55PM -0400, Paul Wouters wrote:
> I'm suggesting to block *.*.*.0 and *.*.*.255 irrespective of netmask.
> This of course only prevents network/broadcast addresses for the "class
> A, B and C" networks. Perhaps we can assume people using differently
> sized pools know enough about network/broadcast addresses to exclude these.

If the netmask is /20, then you clearly should NOT block *.*.*.0, only the first address in the range. Better to assume people DO know what they are doing than to screw things up for those that actually do know what they are doing with no way for them to fix it.

> Although we could attempt to convert the range to CIDR and find out if
> we understand the broadcast/network address, we might not be able to
> know if they specify a random section, e.g. 192.0.2.14-192.0.2.139.
>
> If we do allow CIDR, we should again blacklist the first+last address of
> the pool to avoid problems.

That ought to work.

-- 
Len Sorensen
_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
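As an added illustration of the two pool-exclusion rules debated above (example code written for this page, not code from the thread or from libreswan), the snippet below implements both in Python with the standard ipaddress module: the netmask-independent "drop anything ending in .0 or .255" rule, and the rule that drops only the pool's own first and last address. The pool specs and the /20 comparison are constructed inputs.

```python
import ipaddress


def pool_addresses(spec):
    """Expand an IPv4 pool given as CIDR ("10.0.0.0/20") or as an explicit
    range ("192.0.2.14-192.0.2.139") into an ordered list of addresses."""
    if "/" in spec:
        # strict=False tolerates a pool written with host bits set
        return list(ipaddress.ip_network(spec, strict=False))
    lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-"))
    return [ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)]


def keep_dropping_any_dot0_dot255(addrs):
    """Netmask-independent rule: drop every address whose last octet is
    0 or 255, no matter where the pool's real network/broadcast are."""
    return [a for a in addrs if a.packed[-1] not in (0, 255)]


def keep_dropping_pool_edges(addrs):
    """Netmask-aware rule: drop only the first and last address of the
    pool (its network and broadcast address when the pool is a CIDR block)."""
    return addrs[1:-1] if len(addrs) > 2 else []


def wrongly_dropped(spec):
    """Addresses the edge rule hands out but the .0/.255 rule refuses,
    i.e. perfectly valid host addresses lost to the netmask-blind rule."""
    addrs = pool_addresses(spec)
    edge_kept = set(keep_dropping_pool_edges(addrs))
    blind_kept = set(keep_dropping_any_dot0_dot255(addrs))
    return [str(a) for a in sorted(edge_kept - blind_kept)]


if __name__ == "__main__":
    # A /24 pool: both rules agree, nothing is wrongly dropped.
    print("/24 lost:", wrongly_dropped("10.0.0.0/24"))
    # A /20 pool: the blind rule discards 30 usable mid-range addresses
    # such as 10.0.8.0 and 10.0.0.255, which are ordinary hosts in a /20.
    print("/20 lost:", wrongly_dropped("10.0.0.0/20"))
    # An arbitrary range: the blind rule drops nothing here, while the
    # edge rule gives up the two end addresses of the range.
    print("range lost:", wrongly_dropped("192.0.2.14-192.0.2.139"))
```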
