Re: TCP/IP with 7.4 beta2 broken?

From: Andrew Dunstan <andrew(at)dunslane(dot)net>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Re: TCP/IP with 7.4 beta2 broken?
Date: 2003-09-03 17:33:45
Message-ID: 3F5625F9.60004@dunslane.net
Lists: pgsql-hackers

Andreas Pflug wrote:

> Andrew Dunstan wrote:
>
>> Andreas Pflug said:
>>
>>
>>> Tommi Maekitalo wrote:
>>>
>>>
>>>
>>>>> *nod* but it would be nicer if all loopback interfaces worked by
>>>>> default - hence my localhost suggestion, which would match any of
>>>>>
>>>>> 127.0.0.1/32
>>>>>
>>>>> ::ffff:127.0.0.1/128 and
>>>>> ::1/128
>>>>>
>>>>>
>>>>
>>>> ...
>>>> That sounds good. Is it possible to extend lookup that way?
>>>>
>>>>
>>>
>>> I'd feel a bit uncomfortable making ::1/128 from 127.0.0.1/32 because
>>> it's not converting the same address from one format into another, but
>>> a completely different address.
>>> Extending "local" to accept all local tcpip addresses would fit better.
>>>
>>>
>>
>>
>> I agree. The only automatic mapping in host* lines should be from
>> p.q.r.s/n to ::ffff:p.q.r.s/n+96. Loopback interfaces are special and
>> should be treated separately from the general case, which is what I
>> propose to do.
>>
> This doesn't look consistent to me. Local addresses can be all
> addresses that the host's interfaces are currently configured with,
> loopback is nothing special in this sense. The admin can easily do
> 'ifconfig' to see all addresses configured and enter them into
> pg_hba.conf, because these addresses are obvious.

We currently have this in the default pg_hba.conf file:

host all all 127.0.0.1 255.255.255.255 trust

The idea was to have something which would perform equivalently on IP4
only, IP4 over IP6 and pure IP6 connections, without breaking the
postmaster host in any of them.

It is perfectly true that it could be mangled by the administrator -
this would save him/her having to do so for the default case. In my
proposal you would replace this default line with:

loopback all all trust

It's the fact that it is the default that makes it special. Does that
make things clearer?

cheers

andrew
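
Added example, not part of the original message or of PostgreSQL's code: a Python sketch of the address matching discussed in this thread, covering the p.q.r.s/n to ::ffff:p.q.r.s/n+96 mapping for host lines and a matcher for the three loopback forms listed above. The function names and the sample client addresses are assumptions made for illustration; `loopback` as a pg_hba.conf keyword is only the proposal in this message.

```python
import ipaddress

# Integer value of the IPv4-mapped prefix ::ffff:0:0/96.
V4MAPPED_BASE = int(ipaddress.IPv6Address("::ffff:0.0.0.0"))

# The three loopback forms listed in the thread.
LOOPBACK_NETS = [ipaddress.ip_network(n)
                 for n in ("127.0.0.1/32", "::ffff:127.0.0.1/128", "::1/128")]


def map_v4_rule_to_v6(rule):
    """Map an IPv4 rule p.q.r.s/n to ::ffff:p.q.r.s/(n+96)."""
    v4 = ipaddress.IPv4Network(rule)
    mapped = ipaddress.IPv6Address(V4MAPPED_BASE | int(v4.network_address))
    return ipaddress.IPv6Network((mapped, v4.prefixlen + 96))


def host_rule_matches(rule, client):
    """Match an IPv4 host rule against a peer address.

    The peer may arrive as plain IPv4 or as IPv4-mapped IPv6.
    No other IPv6 address is ever matched by an IPv4 rule.
    """
    addr = ipaddress.ip_address(client)
    if addr.version == 4:
        return addr in ipaddress.IPv4Network(rule)
    return addr in map_v4_rule_to_v6(rule)


def is_loopback_peer(client):
    """Hypothetical 'loopback' matcher: true for any of the three forms."""
    addr = ipaddress.ip_address(client)
    return any(addr.version == net.version and addr in net
               for net in LOOPBACK_NETS)


if __name__ == "__main__":
    # Constructed peer addresses, as the server might see them.
    for peer in ("127.0.0.1", "::ffff:127.0.0.1", "::1", "192.0.2.10"):
        print(f"{peer:20} host 127.0.0.1/32: "
              f"{host_rule_matches('127.0.0.1/32', peer)!s:5} "
              f"loopback: {is_loopback_peer(peer)}")
```

The output shows why the default line is the special case: the mapped host rule accepts 127.0.0.1 and ::ffff:127.0.0.1 but not ::1, which only the separate loopback matcher covers.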
