
Re: pg_hba.conf: samehost and samenet [REVIEW]

From: Stef Walter <stef-list(at)memberwebs(dot)com>
To: Abhijit Menon-Sen <ams(at)toroid(dot)org>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: pg_hba.conf: samehost and samenet [REVIEW]
Date: 2009-09-21 18:12:32
Message-ID: 4AB7C210.7070505@memberwebs.com
Lists: pgsql-hackers

Thanks for your review!

Abhijit Menon-Sen wrote:
> First, it needs to be reformatted to not use a space before the opening
> parentheses in (some) function calls and definitions.

Fixed in the attached patch.

>> *** a/doc/src/sgml/client-auth.sgml
>> --- b/doc/src/sgml/client-auth.sgml
>> [...]
>>   
> I'd suggest something like the following instead:
> 
>     <para>Instead of a <replaceable>CIDR-address</replaceable>, you can
>     specify <literal>samehost</literal> to match any of the server's own
>     IP addresses, or <literal>samenet</literal> to match any address in
>     a subnet that the server belongs to.

Updated in attached patch.

>> *** a/src/backend/libpq/hba.c
>> --- b/src/backend/libpq/hba.c
>> [...]
>>
>> + 	else if (addr->sa_family == AF_INET &&
>> + 			 raddr->addr.ss_family == AF_INET6)
>> + 	{
>> + 		/*
>> + 		 * Wrong address family.  We allow only one case: if the file
>> + 		 * has IPv4 and the port is IPv6, promote the file address to
>> + 		 * IPv6 and try to match that way.
>> + 		 */
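Review bot: The comment's "the file has IPv4 and the port is IPv6" does not use the names in the condition above it, so the reader has to infer that "the file" is `addr` and "the port" is `raddr`. Naming both variables in the comment would make it clear which side is promoted. The comment also says "We allow only one case" without saying what the other address-family mismatches do; for an access-control check it is worth stating that outcome explicitly.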
> 
> How about this instead:
> 
>     If we're listening on IPv6 but the file specifies an IPv4 address to
>     match against, we promote the latter also to an IPv6 address before
>     trying to match the client's address.

As Magnus noted, this is a comment already present in the PostgreSQL
code. I simply moved it into a function. However, I've attached a second
patch which fixes this issue, and can be committed at your discretion.

> You could just have each of the three #ifdef blocks
> define a function named pg_foreach_ifaddr() and be done with it. No
> need for a fourth function.

Done.

>> *** a/src/backend/libpq/pg_hba.conf.sample
>> --- b/src/backend/libpq/pg_hba.conf.sample
>> [...]
>>
>> + # You can also specify "samehost" to limit connections to those from addresses
>> + # of the local machine. Or you can specify "samenet" to limit connections
>> + # to addresses on the subnets of the local network.
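Review bot: In the second added sentence, "limit connections to addresses on the subnets of the local network" drops the "from" used in the samehost sentence and leaves "the local network" undefined. For an access-control keyword the sample file should say exactly what matches, for example in line with the documentation wording proposed in this thread: "samenet" matches any address in a subnet that the server belongs to.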
> 
> This should be reworded to match the documentation change suggested
> above.

Done.

Cheers,

Stef


Attachment: postgresql-ipv4-promote-ipv6-comment.patch
Description: text/x-diff (843 bytes)
Attachment: postgres-hba-samenet-4.patch
Description: text/x-diff (18.4 KB)
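
The matching rules discussed in this message (samehost, samenet, and promoting an IPv4 address to IPv6 before comparing), as an added C example that is not code from the attached patches or from PostgreSQL. The interface table is constructed, `parse16` and `hba_match` are hypothetical names, and promotion to the IPv4-mapped form `::ffff:a.b.c.d` is an assumption of this example.

```c
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
/* Constructed interface table standing in for what the OS would report. */
struct ifnet { const char *addr; const char *mask; };
static const struct ifnet ifaces[] = {
    {"127.0.0.1", "255.0.0.0"},
    {"192.0.2.10", "255.255.255.0"},
    {"2001:db8:1::10", "ffff:ffff:ffff:ffff::"},
};

/* Parse to 16 bytes; IPv4 (address or netmask) is promoted to IPv4-mapped IPv6. */
static int parse16(const char *s, int is_mask, unsigned char out[16])
{
    struct in_addr a4;
    if (inet_pton(AF_INET6, s, out) == 1)
        return 1;
    if (inet_pton(AF_INET, s, &a4) != 1)
        return 0;
    memset(out, is_mask ? 0xff : 0x00, 10);  /* a mask covers the whole mapped prefix */
    out[10] = out[11] = 0xff;
    memcpy(out + 12, &a4, 4);
    return 1;
}

/* samenet != 0: any address in an interface's subnet; 0 (samehost): exact match. */
int hba_match(const char *client, int samenet)
{
    unsigned char c[16], a[16], m[16];
    if (!parse16(client, 0, c))
        return 0;
    for (size_t i = 0; i < sizeof ifaces / sizeof ifaces[0]; i++)
    {
        int ok = parse16(ifaces[i].addr, 0, a) && parse16(ifaces[i].mask, 1, m);
        for (int b = 0; ok && b < 16; b++)
            ok = ((c[b] ^ a[b]) & (samenet ? m[b] : 0xff)) == 0;
        if (ok)
            return 1;
    }
    return 0;
}

int main(void)
{
    const char *t[] = {"192.0.2.77", "::ffff:192.0.2.77", "198.51.100.5"};
    for (int i = 0; i < 3; i++)
        printf("%-18s samehost=%d samenet=%d\n", t[i], hba_match(t[i], 0), hba_match(t[i], 1));
    return 0;
}
```

On a multi-homed server every interface's subnet is in the table, so a samenet rule admits clients from all of them.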
