Networks can sometimes be created with overlapping IP ranges

[corhere]

Description

Multiple networks sharing a subnet can be created with overlapping IP ranges, unless the ranges are identical.

Reproduce

1. docker network create --driver ipvlan --subnet 10.123.0.0/16 --ip-range 10.123.0.0/17 overlap1
   -> Success
2. docker network create --driver ipvlan --subnet 10.123.0.0/16 --ip-range 10.123.0.0/17 overlap2
   -> Error response from daemon: Pool overlaps with other one on this address space
3. docker network create --driver ipvlan --subnet 10.123.0.0/16 --ip-range 10.123.0.0/18 overlap3
   -> Success?!

The bridge driver has its own overlap checks: no bridge network can be created with a subnet that overlaps the subnet of any existing bridge network, irrespective of ip-range. But e.g. two ipvlan networks can share a subnet, as can a bridge and an ipvlan.

Expected behavior

The rules of when networks can have overlapping IPAM pools should be applied consistently: either both overlap2 and overlap3 can be created successfully, or neither.

docker version

Confirmed on v20.10.24, v23.0.6, v24.0.6

docker info

N/A

Additional Info

Duplicate addresses will not be allocated even if pools overlap. All IPAM pools for the same subnet share the same allocation bitmap so an address allocated from one pool is implicitly reserved in all the other pools.

[corhere]

Discussed on the maintainer call.

• Fixing the overlap checks to block overlapping ip-ranges could cause users grief: the daemon might fail to start after upgrade
• Allowing network ip-ranges to overlap would give advanced users the flexibility they have been asking for, but would remove guard rails which catch accidental overlaps from e.g. copy-pasting a network config and forgetting to modify it. We could allow overlapping ip-ranges with a warning; the CreateNetwork API already has affordances for returning warnings.

[olljanat]

Linking discussion from #50427 (comment) to here to as in Windows IPAM overlapping / duplicate subnets are allowed.