What is the purpose for subnet intersection checking in netutil.go? #3430
Unanswered
compdude22 asked this question in Q&A
Replies: 2 comments

(occasional lurker, first time poster)

I'm trying to understand the purpose of the subnet intersection/overlap check in netutil.go, as part of the parseSubnet() function.

As background info, I am using `nerdctl compose` to run my homelab's network services, but I intend for all containers to be bridged directly to my LAN and to share the existing subnet, rather than using NPTv6 or NAT. Since my LAN has a standard /64 subnet, I've statically carved out a small range within that subnet so that a CNI IPAM plugin can locally assign those addresses to containers on the fly, without having to perform SLAAC or DHCPv6.

Bridging to the LAN is working fine using the `macvlan` CNI driver. But I am unable to get nerdctl to create the necessary IPAM config, even though I can create the equivalent CNI config manually. The issue appears to arise when configuring an IPAM with a subnet that overlaps with a subnet already known to the host's network namespace. In my case, I'm trying to create an IPAM config that exactly mirrors the physical LAN, so I am getting error messages of the form `<subnet> overlaps with other one on this address space` and the network is not created.

Example setup:

The `ip-range=` isn't actually needed to produce this error, since it appears to be just the `subnet` value that's problematic, as the subnet already appears in the host network namespace's routing table. At least, that's what my cursory read of the code suggests.

What I'm trying to understand is what this subnet intersection check is seeking to protect against. Unless I'm mistaken, it should not matter if two container networks are assigning addresses from the same subnet, or even if two containers are assigned the exact same address, so long as they are on separate networks which do not bridge (at L2) or route (at L3) to each other.

In my case, I am intentionally bridging my containers to the same network as the host, precisely to have a "flat" network. Which is to say, the intersection of my container network and my physical network is a circle. But this check prevents me from doing so via `nerdctl network create`.

The check would also prevent someone with two distinct physical L2 networks from being able to use the same L3 addressing for containers assigned to either L2 network. There is no reason to deny the same L3 subnet if it will be used on entirely separated L2 networks.

My use case only covers IPv6 because I operate an IPv6-only network. But I think the same would arise with IPv4 networks. So I'm now looking to understand the rationale for this check, which I can vaguely understand as a warning for network novices. But ultimately, the underlying CNI IPAM plugin doesn't seem to have any issue with assigning addresses the way I desire above, so I wish to understand why `nerdctl network` does. Or perhaps the check and error message can be removed outright.

The two prior GitHub discussions with keywords "subnet overlaps" don't really provide additional color, with the error message not being a causal factor to their questions.

-
This was added in:

-
@AkihiroSuda, I do see that the change was introduced in that change. But I'm not understanding why the logic is checking against all subnets known to the system -- from GetLiveNetworkSubnets() -- rather than just the subnets used/created by
It seems like the behavior would work just fine without having to involve the system's non-nerdctl subnets, if that's something which could be tracked or listed.
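As an added illustration (not nerdctl's own code), the following Go snippet shows the shape of the check the question and the follow-up describe: a candidate subnet is rejected when it intersects any prefix in a list standing in for GetLiveNetworkSubnets(). The live list, the prefixes and the `overlaps`/`checkSubnet` names are constructed for this example; the poster's case of a container subnet that exactly mirrors the LAN /64 is the first call in `main`.

```go
package main

import (
	"fmt"
	"net/netip"
)

// overlaps reports whether two prefixes share at least one address.
// Two prefixes intersect exactly when the one with the shorter mask
// contains the network address of the other; distinct address
// families never intersect.
func overlaps(a, b netip.Prefix) bool {
	a, b = a.Masked(), b.Masked()
	if a.Addr().Is4() != b.Addr().Is4() {
		return false
	}
	if a.Bits() <= b.Bits() {
		return a.Contains(b.Addr())
	}
	return b.Contains(a.Addr())
}

// checkSubnet rejects candidate when it intersects any subnet in live.
// The error text mirrors the message quoted in the discussion.
func checkSubnet(candidate string, live []string) error {
	c, err := netip.ParsePrefix(candidate)
	if err != nil {
		return fmt.Errorf("invalid candidate subnet %q: %w", candidate, err)
	}
	for _, s := range live {
		l, err := netip.ParsePrefix(s)
		if err != nil {
			return fmt.Errorf("invalid live subnet %q: %w", s, err)
		}
		if overlaps(c, l) {
			return fmt.Errorf("%s overlaps with other one on this address space (%s)", c, l)
		}
	}
	return nil
}

func main() {
	// Constructed stand-in for the host's live subnets: a LAN /64 and a v4 /24.
	live := []string{"2001:db8:aaaa::/64", "192.0.2.0/24"}
	fmt.Println(checkSubnet("2001:db8:aaaa::/64", live))      // rejected: identical to the LAN
	fmt.Println(checkSubnet("2001:db8:aaaa::1:0/112", live))  // rejected: carved out of the LAN
	fmt.Println(checkSubnet("2001:db8:bbbb::/64", live))      // accepted: disjoint prefix
}
```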