- Add $netif_ipexpand_max to specify the upper limit for the number of

  addresses generated by an address range specification.  The default
  value is 2048.  This can be increased by setting $netif_ipexpand_max
  in rc.conf.

- Fix warning messages when an address range spec exceeds the upper limit.

PR:	186841

3 files changed, 19 insertions, 7 deletions

diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index 190bb9c074bd..7a39a276cb89 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -110,6 +110,7 @@ synchronous_dhclient="NO"	# Start dhclient directly on configured
 				# interfaces during startup.
 defaultroute_delay="30"		# Time to wait for a default route on a DHCP interface.
 defaultroute_carrier_delay="5"	# Time to wait for carrier while waiting for a default route.
+netif_ipexpand_max="2048"	# Maximum number of IP addrs in a range spec.
 wpa_supplicant_program="/usr/sbin/wpa_supplicant"
 wpa_supplicant_flags="-s"	# Extra flags to pass to wpa_supplicant
 wpa_supplicant_conf_file="/etc/wpa_supplicant.conf"
diff --git a/etc/network.subr b/etc/network.subr
index f67622d51efd..520c9e86a7e5 100644
--- a/etc/network.subr
+++ b/etc/network.subr
@@ -25,9 +25,7 @@
 # $FreeBSD$
 #
 IFCONFIG_CMD="/sbin/ifconfig"
-
-# Maximum number of addresses expanded from a address range specification.
-_IPEXPANDMAX=31
+: ${netif_ipexpand_max:=2048}
 
 #
 # Subroutines commonly used from network startup scripts.
@@ -886,8 +884,8 @@ ifalias_expand_addr_inet()
 		_ipcount=$_iplow
 		while [ "$_ipcount" -le "$_iphigh" ]; do
 			_retstr="${_retstr} ${_iphead}${_iphead:+.}${_ipcount}${_iptail:+.}${_iptail}${_plen:+/}${_plen}"
-			if [ $_ipcount -gt $(($_iplow + $_IPEXPANDMAX)) ]; then
-				warn "Range specification is too large (${_iphead}${_iphead:+.}${_iplow}${_iptail:+.}${_iptail}-${_iphead}${_iphead:+.}${_iphigh}${_iptail:+.}${_iptail}).  ${_iphead}${_iphead:+.}${_iplow}${_iptail:+.}${_iptail}-${_iphead}${_iphead:+.}${_ipcount}${_iptail:+.}${_iptail} was processed."
+			if [ $_ipcount -gt $(($_iplow + $netif_ipexpand_max)) ]; then
+				warn "Range specification is too large (${_iphead}${_iphead:+.}${_iplow}${_iptail:+.}${_iptail}-${_iphead}${_iphead:+.}${_iphigh}${_iptail:+.}${_iptail}).  ${_iphead}${_iphead:+.}${_iplow}${_iptail:+.}${_iptail}-${_iphead}${_iphead:+.}${_ipcount}${_iptail:+.}${_iptail} was processed.  Increase \$netif_ipexpand_max in rc.conf."
 				break
 			else
 				_ipcount=$(($_ipcount + 1))
@@ -976,9 +974,9 @@ ifalias_expand_addr_inet6()
 					    $_ipleft $_ipcount $_ipright \
 					    ${_plen:+/}$_plen`
 					_retstr="$_retstr $_r"
-					if [ $_ipcount -gt $(($_iplow + $_IPEXPANDMAX)) ]
+					if [ $_ipcount -gt $(($_iplow + $netif_ipexpand_max)) ]
 					then
-						warn "Range specification is too large $(printf '(%s:%04x%s-%s:%04x%s)' $_ipleft $_iplow $_ipright $_ipleft $_iphigh $_ipright). $(printf '%s:%04x%s-%s:%04x%s' $_ipleft $_iplow $_ipright $_ipleft $_ipcount $_ipright) was processed."
+						warn "Range specification is too large $(printf '(%s:%x%s-%s:%x%s)' "$_ipleft" "$_iplow" "$_ipright" "$_ipleft" "$_iphigh" "$_ipright"). $(printf '%s:%x%s-%s:%x%s' "$_ipleft" "$_iplow" "$_ipright" "$_ipleft" "$_ipcount" "$_ipright") was processed.  Increase \$netif_ipexpand_max in rc.conf."
 						break
 					else
 						_ipcount=$(($_ipcount + 1))
diff --git a/share/man/man5/rc.conf.5 b/share/man/man5/rc.conf.5
index 669e773bac64..47d9ef8e5520 100644
--- a/share/man/man5/rc.conf.5
+++ b/share/man/man5/rc.conf.5
@@ -1199,6 +1199,19 @@ or
 .Li inet6 2001:db8:1-f::1/64 .
 This notation allows address and prefix length part only,
 not the other address modifiers.
+Note that the maximum number of the generated addresses from a range
+specification is limited to an integer value specified in
+.Va netif_ipexpand_max
+in
+.Xr rc.conf 5
+because a small typo can unexpectedly generate a large number of addresses.
+The default value is
+.Li 2048 .
+It can be increased by adding the following line into
+.Xr rc.conf 5 :
+.Bd -literal
+netif_ipexpand_max="4096"
+.Ed
 .Pp
 In the case of
 .Li 192.0.2.5-23/24 ,