Service Capability - Bug and Feature #1094

Closed
NicFragale opened this issue Apr 19, 2023 · 2 comments

@NicFragale

The following is accepted in the NPaaS/MOP and sent and accepted by OpenZITI controls. Subsequently, it seems accepted by the (at least) Swift version of the Ziti Edge Tunnel.

CIDR range services are accepted normally, however, a contiguous IP range seems to be accepted but not interpreted correctly.

The difference is 192.168.1.0/24 results in an interception range for the IPs that span from [192.168.1.0-192.168.1.255] (255 IPs). However, if you do not wish to expose an IP in that range (for instance, [192.168.1.1] which would correspond potentially to the router/firewall of the range) then you might want to use a range in the format [192.168.1.2-192.168.1.255]. The latter is a better method to exclude IPs in a range than calculating CIDR ranges that avoid it.

The BUG in this is that the range format X-Y seems to be accepted. Perhaps this is interpreted as a valid DNS record? The feature in this is that if range format is a capability, it would be highly useful for exclusion.


@dovholuknf
Member

For example, this is a "valid" configuration:

{
  "protocols": [
    "tcp"
  ],
  "addresses": [
    "192.168.1.10-192.168.1.255"
  ],
  "portRanges": [
    {
      "low": 1,
      "high": 1024
    }
  ]
}

plorenz added a commit that referenced this issue Sep 28, 2023
Update for changes to fabric events model
@smilindave26
Member

Agree this is irritating, but will not fix. We validate "legal hostname", and this is a legal hostname. We auto-exclude OS/Ziti needed routes already. We have a separate issue to support explicit exclusion routes (see openziti/ziti-tunnel-sdk-c#855)
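
A pre-submission lint for the case discussed in this thread, as an added example that is not OpenZiti code: it flags `addresses` entries that pass a hostname check but are really `X-Y` IP ranges, and lists the CIDR blocks covering the same span. The hostname regex and all function names are assumptions, not the controller's actual validator.

```python
import ipaddress
import re

# Assumed RFC 1123 style label rule; the real "legal hostname" check may differ.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Intercept config quoted in the thread above.
SAMPLE_CONFIG = {
    "protocols": ["tcp"],
    "addresses": ["192.168.1.10-192.168.1.255"],
    "portRanges": [{"low": 1, "high": 1024}],
}

def is_legal_hostname(s):
    """True if every dot-separated label is a syntactically legal hostname label."""
    if not s or len(s) > 253:
        return False
    return all(_LABEL.match(label) for label in s.rstrip(".").split("."))

def classify(addr):
    """Return (kind, cidrs); kind is 'ip', 'cidr', 'range', 'hostname' or 'invalid'."""
    try:
        net = ipaddress.ip_network(addr, strict=False)
        return ("cidr" if "/" in addr else "ip", [str(net)])
    except ValueError:
        pass
    lo, sep, hi = addr.partition("-")
    if sep:
        try:
            first, last = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
            if first.version == last.version and first <= last:
                # Smallest set of CIDR blocks covering exactly first..last.
                nets = ipaddress.summarize_address_range(first, last)
                return ("range", [str(n) for n in nets])
        except ValueError:
            pass  # not two IPs around a hyphen, e.g. "my-host.example.com"
    return ("hostname" if is_legal_hostname(addr) else "invalid", [])

def lint_addresses(config):
    """List (address, equivalent_cidrs) for entries that would be read as hostnames."""
    findings = []
    for addr in config.get("addresses", []):
        kind, cidrs = classify(addr)
        if kind == "range" and is_legal_hostname(addr):
            findings.append((addr, cidrs))
    return findings
```

Replacing a flagged entry with its CIDR list gives the interception span the range was meant to express without relying on range support.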
