Netgate Discussion Forum

Where is Subnetting Implemented?

  • B
    Blue47
    last edited by Blue47 Feb 4, 2023, 9:18 PM Feb 4, 2023, 9:16 PM

    Hello,

    Since subnet creation doesn't explicitly define an upper bound for host addresses (other than that set by the mask): does pfSense implicitly create this to prevent a lower subnet like 192.168.4.0/26 from partially overlapping with one like 192.168.4.64/26?

    If so, where in the source code is it?

    Thanks

    J 1 Reply Last reply Feb 4, 2023, 9:22 PM Reply Quote 0
    • J
      johnpoz LAYER 8 Global Moderator @Blue47
      last edited by Feb 4, 2023, 9:22 PM

      @blue47 What are you asking - where exactly in the code of pfSense is the overlap check..

      192.168.4.64/26 does not overlap with 4.0/26

      0/26 would be 192.168.4.0 - 192.168.4.63, with 0 the wire and 63 the broadcast
      .64/26 would be 192.168.4.64 - 192.168.4.127, with 64 the wire and 127 the broadcast.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      B 2 Replies Last reply Feb 4, 2023, 9:26 PM Reply Quote 0
      • B
        Blue47 @johnpoz
        last edited by Feb 4, 2023, 9:26 PM

        @johnpoz What I'm asking is how/where the code checks or defines that range.

        1 Reply Last reply Reply Quote 0
        • B
          Blue47 @johnpoz
          last edited by Feb 4, 2023, 9:31 PM

          @johnpoz I was looking at some of the code in src/etc/inc/util.inc and found some information, but was wondering if any of the devs could give a better 'bird's-eye-view' of what is actually going on.

          We understand what the notations are supposed to do/mean, but I want to know what is actually happening under the hood. Especially for security reasons.

          J 1 Reply Last reply Feb 4, 2023, 9:43 PM Reply Quote 0
          • J
            johnpoz LAYER 8 Global Moderator @Blue47
            last edited by Feb 4, 2023, 9:43 PM

            @blue47 maybe one of the devs will chime in, or some of the other users here that are way more into the code, etc. I have never looked into "how" it determines if something overlaps.. Just know that it barfs at you when you try and put in an overlapping address on a different interface.


            1 Reply Last reply Reply Quote 1
            • J
              jimp Rebel Alliance Developer Netgate
              last edited by Feb 6, 2023, 3:45 PM

              It's all typical subnet math, nothing special about it. The code for checking that is in util.inc, like check_subnets_overlap() but you might also look at things like gen_subnet() and get_subnet_mask() and the v4/v6 specific ones.

              The question is very vague, though. We need more context to know what you're attempting to do that the current checks aren't allowing to know if it's valid.

              While nothing stops something from using the network/broadcast addresses of a subnet (e.g. if it's routed to the firewall, all can be used for NAT so long as they aren't defined on an interface), you still can't force things to work that are not valid at a subnet level when used directly on an interface.

              When using larger subnets, there is indeed nothing special about those addresses either. Such as when using a /23, it's valid to have clients use the .254 and .0 addresses in the middle of the /23.


              1 Reply Last reply Reply Quote 2
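The "typical subnet math" discussed in this thread, written out as an added example (this is not pfSense source and not the util.inc functions named above; every function name here is hypothetical). It shows that the upper bound of a subnet falls out of the mask alone, that two ranges overlap only when each starts at or before the other's end, and that .254 and .0 inside a /23 are ordinary host addresses.

```python
# Added illustration of IPv4 CIDR range/overlap math; not pfSense code.
MASK32 = 0xFFFFFFFF

def ip_to_int(addr):
    """Strict dotted-quad IPv4 string -> 32-bit integer."""
    parts = addr.split(".")
    ok = len(parts) == 4 and all(
        p.isascii() and p.isdigit() and int(p) <= 255 for p in parts)
    if not ok:
        raise ValueError(f"not a dotted-quad IPv4 address: {addr!r}")
    value = 0
    for p in parts:
        value = (value << 8) | int(p)
    return value

def int_to_ip(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def subnet_range(cidr):
    """Return (network, broadcast, prefix_len) as integers for an IPv4 CIDR."""
    addr, _, bits = cidr.partition("/")
    if not bits.isdigit() or int(bits) > 32:
        raise ValueError(f"bad prefix length in {cidr!r}")
    bits = int(bits)
    mask = (MASK32 << (32 - bits)) & MASK32
    network = ip_to_int(addr) & mask        # host bits cleared: lower bound
    broadcast = network | (~mask & MASK32)  # host bits set: implicit upper bound
    return network, broadcast, bits

def describe(cidr):
    """(network, broadcast) of a CIDR as dotted-quad strings."""
    network, broadcast, _ = subnet_range(cidr)
    return int_to_ip(network), int_to_ip(broadcast)

def subnets_overlap(a, b):
    """True when the two address ranges share at least one address."""
    net_a, bc_a, _ = subnet_range(a)
    net_b, bc_b, _ = subnet_range(b)
    return net_a <= bc_b and net_b <= bc_a

def is_usable_host(addr, cidr):
    """True when addr lies in cidr and is not its network/broadcast address."""
    network, broadcast, bits = subnet_range(cidr)
    ip = ip_to_int(addr)
    if bits >= 31:  # /31 and /32 have no separate network/broadcast address
        return network <= ip <= broadcast
    return network < ip < broadcast

if __name__ == "__main__":
    for c in ("192.168.4.0/26", "192.168.4.64/26", "192.168.4.0/23"):
        print(c, describe(c))
```

An address entered with host bits set, such as 192.168.4.70/26, is normalised to its network (192.168.4.64) before comparison, so it is reported as overlapping 192.168.4.64/26.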
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.